Secure data environments

Secure data environments provide a safe and controlled way for approved users to access health data. They keep data protected while supporting research, planning and analysis that benefit the health and well-being of patients and communities across NSW.


What is a secure data environment?

A secure data environment (SDE) is a protected virtual space where health data can be stored, accessed, and analysed safely. It uses strong security controls to keep the information private and prevent misuse.

SDEs are also known as trusted research environments (TREs), clean rooms or digital research environments (DREs), and have previously been called secure access environments (SAEs).

Diagram explaining secure access environments and roles. Inputs and outputs from Curated Gateway are curated and logged by approved users. Project-approved data, applications and services and analysis and outputs are hosted in a contained environment. End users can securely access the contained environment. Requests for outputs are transmitted from the contained environment via the curated gateway.
Secure data environment.

How secure data environments work

SDEs bring data and analysis tools together in one protected location. Approved users complete their work inside the environment, and the granular data stays there. When ready, users can then bring out their results in a summary form via a door (gateway) that is monitored and requires extraction approvals.

A short video from NHS UK explains the concept:

NSW Health is sharing this video with NHS UK permission to support public understanding of Secure Data Environments.


When is a secure data environment required?

A secure data environment is required when a Five Safes assessment of a request for data held by NSW Health identifies:

  • Safe data: When detailed, highly specific data that represents individual events, transactions or people, rather than high-level aggregated summaries, is shared outside of NSW Health.
  • Safe projects: Data are to be accessed for a purpose secondary to the purpose of the collection, and it is to be used for:
    • research
    • health service funding, management, planning or evaluation.
  • Safe people: The individuals with access to the data will be:
    • people not employed by NSW Health
    • NSW Health employees accessing data for purposes not directly related to their role, including NSW Health employees accessing data for a project as a part of secondary employment outside of NSW Health
    • NSW Health employees working with data that requires an SDE (e.g., highly sensitive data where the data custodian requires access within an environment to assist in managing risk)

Requirements for secure data environments

NSW Health has established Minimum Requirements for Secure Data Environments. These requirements are technology-agnostic and designed to ensure best-practice data security and governance across five key areas:

  • Input and output gateway (curation) - Checkpoint for data/files moving in and out with approved user review and immutable logging.
  • Contained environment - Project data and tools are kept in isolated spaces, separated by project.
  • Secure platform - Meets best-practice security standards (e.g., ISO 27001, IRAP, eHealth NSW PSAF, Essential Eight, NIST) with encryption, Australian hosting, and regular testing.
  • Analytics-enabled - Provides tools and resources analysts need.
  • Platform governance - Well governed with clear roles, responsibilities and operational procedures.

SDE provider review

To be listed as meeting NSW Health requirements, an SDE provider completes a review that shows how their environment aligns with NSW Health’s minimum standards. This review considers documentation and evidence to confirm that key privacy, security and governance principles are in place.

Secure data environment review process

  1. Prepare your submission - Download the requirements and response template, complete it, and gather supporting evidence showing how the environment meets relevant NSW Health minimum standards.
  2. Submit for Review - Email your completed template and evidence to moh-datagovernance@health.nsw.gov.au, with the SDE name in the subject line.
  3. NSW Health Review - NSW Health Enterprise Data Governance Enablement (in collaboration with eHealth NSW Cybersecurity) will assess the submission. This typically takes 8-12 weeks and additional detail may be requested during the review.
  4. Agreement and Listing - If the environment meets the minimum requirements, an agreement is established outlining ongoing obligations. This agreement confirms that the provider will maintain ongoing adherence to NSW Health's minimum requirements and promptly notify NSW Health of any material changes or incidents. Once in place, the environment would be listed on this page.

SDEs meeting NSW Health minimum requirements

NSW Health is currently in the process of reviewing a number of SDEs to determine whether they meet the NSW Health minimum requirements for an SDE.
This page will be updated as soon as any SDE completes the review process and is confirmed to meet the NSW Health minimum requirements.

For now, organisations and researchers should continue using their existing approved environments.

Frequently asked questions


  • What types of analysis can I perform in an SDE?

    Statistical analysis, machine learning, data visualisation, natural language processing, and other analytical tasks using approved tools.

    How does an SDE help me manage risk?

    SDEs enforce governance rules through technical and procedural controls, provide comprehensive audit trails, and reduce the risk of unauthorised data sharing.

    Who should I contact for guidance?

    Contact moh-datagovernance@health.nsw.gov.au for guidance on SDEs, the assessment process or requirements.

    Can you provide examples of when SDEs are being used to keep NSW Health data safe? 

    While there are many examples of SDEs being used to safely share NSW Health data, and the number is increasing over time, two examples of programs currently enabling projects of public benefit using SDEs are:

    • The Enduring Cancer Data Linkage (CanDLe) program
      • CanDLe enables Cancer Institute NSW to provide trusted researchers with data through SDEs, to improve cancer care.
    • Bureau of Health Information (BHI) NSW Patient Survey Data Asset
      • BHI uses the Secure Unified Research Environment (SURE), managed by the Sax Institute, to enable access to NSW Patient Survey Program data for research. This allows researchers to develop new and original insights to improve patients' experiences and outcomes, while BHI maintains oversight of the outputs to ensure privacy and validity of findings.
  • Does listing mean an SDE is certified or endorsed?

    No. Listing reflects that the provider met minimum requirements based on evidence submitted at the time of review. It is not certification or endorsement by NSW Health.

    What happens if an SDE provider fails to maintain requirements?

    NSW Health will review the SDE and may remove them from the list if requirements are not maintained.

    What are example scenarios where an SDE is required?

    • A university researcher analysing specific health data.

    • A university PhD student is using emergency department data for their thesis.

    • A consultant evaluating health service performance using patient records.

    • A NSW Health clinician conducting personal research outside their role as part of an approved research team.

  • How do I access an SDE as a researcher?

    Access is available to approved users who meet governance and ethical requirements. Typical users, for example, could include researchers, consultants, universities, government agencies, charities/NGOs, students under supervision, etc.

    Approved users can choose their own SDEs and discuss with the provider how their requirements are met, and if costs and governance are appropriate. The environment within which data will be stored and analysed must be defined in the approved study protocol. The SDE included can be chosen from the listed SDEs on this page.

    I'm a NSW Health clinician also conducting research outside of my role. Do I need to use an SDE to access and analyse data for this research project?

    Yes. Research conducted outside your NSW Health role requires the use of an SDE that meets NSW Health requirements, even if you're employed by NSW Health.

    Can a data user export raw data from an SDE?

    No. Individual-level data cannot leave the environment. Only approved, aggregated outputs that have passed disclosure control checks can be exported.

    What training is required before accessing an SDE?

    Before accessing an SDE, users must complete mandatory privacy and security training. This training covers key areas such as privacy obligations, security protocols, data handling, output review, and incident reporting. Specific requirements may vary by SDE provider, so check with your chosen provider for details.

    How long does it take to get access to an SDE?

    This varies by SDE provider and depends on the completeness of your application, approvals and training. Contact your chosen provider for their timeline.

    Can a data analyst use their own software or tools in an SDE?

    Most SDEs provide multiple analytics software packages. Some may allow you to bring your own licensed software at their discretion if it doesn't compromise security. Check with your provider.

    What if the data I need for my project cannot be analysed within an available SDE?

    Projects that are assessed as requiring an SDE must use an SDE. There are only limited instances when a data disclosure decision maker may consider disclosure to an environment other than an SDE. Examples of projects where the ADO may agree that an exception is warranted following a Five Safes assessment include:

    • The computing power required to process the data is not available within any listed SDE (e.g. genomic or imaging data analysis).
    • The analysis requires specific software that requires access to the internet to run, and there is no equivalent software that could be run within an SDE. Note: In this case there would be additional assessment of the software required, to ensure data stays within the environment and is not released publicly.

    If an SDE is not feasible, meaning there are no available SDEs within which the data could be analysed, the requestor must provide supporting information to the relevant data disclosure decision maker to consider. The requestor must sufficiently demonstrate that an SDE cannot be used, and that the alternative environment has been reviewed by appropriately qualified persons (e.g. NSW Health Cyber-Security and Enterprise Architects) and is compliant with NSW Health guidance, policies and legislation.

     

  • How do I know if an SDE meets requirements?

    Check the list of assessed providers on this page. If not listed, the provider must complete the assessment process first.

    Can I load data directly to an SDE?

    Yes. SDEs that meet NSW Health requirements support data custodians (or trusted delegates) loading data directly through secure gateways.

    What happens after a project is completed?

    Confirm data disposal per retention policies, request disposal confirmation, review final outputs where appropriate, and update your records.

    How long should data be retained in an SDE?

    Data retention should be determined at the start of the project and documented within the approved study protocol. Retention periods are not fixed for all projects. They depend on multiple factors, including requirements under the State Records Act, national research guidelines (NHMRC), institutional research/data governance policies, Human Research Ethics Committee (HREC) endorsement and any specific legal or funding conditions.

    Retention may be extended if required by legislation, funding arrangements, or other compliance obligations.

  • How long does the assessment process take?

    Typically 12+ weeks depending on submission completeness and complexity.

    What if my SDE uses different technology?

    Our requirements are technology-agnostic. Demonstrate how you meet the principles and standards regardless of specific technology choices.

    Can I submit updates to my SDE review?

    Yes. If your environment changes significantly, notify NSW Health and you may need to submit updated evidence.

    What ongoing obligations do I have after the review process is completed?

    Maintain adherence to requirements, notify NSW Health of material changes or incidents, participate in periodic reviews, and provide required reporting.

    Does the SDE provider need an agreement with NSW Health?

    Yes. An agreement must be signed after a successful review before your SDE can be listed on the NSW Health website.

  • What is input and output checking in SDE?

    Input and output checking are controls used in SDEs to manage what data enters and leaves the environment.

    Input checking ensures that data loaded into an SDE is approved, appropriate for the project, and transferred safely through a secure gateway.

    Output checking ensures that the results leaving the SDE do not contain identifiable or disclosive information. Only approved outputs, such as aggregated tables, statistics or graphs, can be released.

    Output checking is typically performed by authorised reviewers (for example, a human reviewer or a designated output checker) following documented rules and approvals. Automated tools may support the process, but human review is required where there is a risk of re-identification.

    The specific approach to input and output checking may vary between SDE providers but all reviewed environments must demonstrate that appropriate checks are in place to protect privacy and reduce disclosure risks.

    What security standards are acceptable?

    Some of the security standards include ISO 27001, IRAP, eHealth NSW PSAF, ASD Essential Eight, NIST SP 800-37, and other recognized standards. See the requirement document for the complete list.

    Why is two-way penetration testing required?

    Break-in testing ensures external threats can't access data. Break-out testing ensures data can't leave without authorisation. Both are critical for SDEs.

    Can SDEs be accessed from outside Australia?

    Infrastructure and data must be hosted in Australia. Remote access from overseas may be permitted under strict controls documented in the Data Disclosure Agreement between the project lead and NSW Health.

    What encryption standards are required?

    Data must be encrypted at rest and in transit using strong encryption (for example, AES 256-bit minimum) with carefully managed encryption keys.

  • I'm concerned about costs. What are my options?

    SDEs are becoming standard across Australian jurisdictions. Costs vary by provider and depend on factors such as the number of users, performance requirements, and software needs. Most providers offer flexible pay-for-what-you-use models, so projects only pay for the resources they need.

    To manage costs:

    • include SDE expenses in grant proposals and project budgets early
    • discuss pricing options with providers, as many offer scalable solutions and discounts for larger projects.

    Are there economies of scale for larger projects?

    Many SDE providers offer volume discounts or negotiated pricing for larger or longer-term projects. Discuss your needs with providers.

Need help?

Whether you're a researcher, data custodian, or SDE provider, our team is here to support you. Email moh-datagovernance@health.nsw.gov.au.

Current as at: Monday 2 March 2026