Policy on user and organisation registration

This policy applies specifically to the registration of individual users and organisations. The purpose of registration is to collect information about an applicant in order to perform an assessment of their suitability to conduct research of public benefit using network SDE-owned NHS data. In March 2026, following public feedback on the service it was agreed that the service should be renamed, from SDE Network Validation Service to SDE Network Registration Service.

Assessment and approval of specific research purposes (for example, a project proposal is out of scope), since purpose-specific assessment remains at the discretion of an SDE’s data access committees (DACs). As of January 2026, this service is applicable only to regional SDEs and not applicable to NHS England (NHSE) and the Data Access Request Service (DARS).

Users and organisations with both research and non-research use cases fall within the scope of this policy.

This paper is concerned with overarching policy and strategy. It is not intended to set out detailed implementation plans, procedural steps or work instructions. Nor will it make detailed recommendations on tooling to support implementation, or the organisation(s) to deliver registration services. Details of current implementation can be viewed in the latest project delivery timeline.

Wherever possible, clear and unambiguous standard operating procedures (SOPs) should be produced to support the team carrying out assessment of applicants seeking registration. This approach will minimise the risk of subjectivity when applying the registration criteria.

It is assumed that a central organisation — 'the registration organisation' — will own the registration policy and related procedures. This organisation will operate the policy.

When reviewing a proposal for a new organisation or user, the NHS Research SDE Network will take a risk-based approach, using the dimensions of the Five Safes Framework developed by the Office for National Statistics – focusing on the element of 'Safe People'.

This policy sets out a single national approach. It will be implemented over the course of 2025, initially on a voluntary basis. The policy will be in place from 1 April 2026 for all network SDEs.

The registration service will work within the principles and processes of the wider SDE Network. This includes the principle that access should not be granted solely for commercial purposes such as for commercial insurance, or solely for the purpose of marketing, including promoting or selling products or services, market research or advertising.

The policy applies to the network of regional SDEs, and the registration organisation will work with the national SDE and Health Data Research Service (HDRS) affiliates to closely align processes and policy.

This policy sets out the key considerations for all SDEs when assessing new users and organisations, with the aim of articulating a single approach for the registration of users and organisations, which applies to all SDEs within the national network.

The policy applies to applicants who wish to make data access requests through one or more SDEs to access NHS data within the SDE environment and applicants who wish to access SDE metadata through discovery or feasibility tools.

The registration checks alone do not allow access to data; they form a component of the checks carried out throughout the data access process. Data access only takes place after the submission of a data access request and consideration by the regional DAC.

The registration of organisations and users does not imply that any subsequent data access request will be accepted: each proposal is considered on its merits. However, agreements and assurances regarding a registered organisation may be used in the assessment of more than one proposal.

The registration criteria (the standards which determine whether an organisation can become registered) are set across the Network and approved by the Registration Committee. They are defined with patients and public by the Registration Committee and will be openly available. These will be the minimum standards a SDE within the Network assesses organisations and user against. The current criteria are attached in the appendices.

A registration organisation will be appointed to carry out the registration service on behalf of the Network; additional parties may be contracted as a service delivery partner to deliver elements of the process to the required standards. This approach ensures accountability for delivery and policy adherence remains with an NHS Organisation. Costs incurred are accounted for in the NHS England Data for Research and Development Programme also known as the 'Data for R&D Programme') budget.

A Registration Committee is established with representation from lay people as well as from all SDEs. The committee advise, shape and approve the policy, the criteria within it and consider and make recommendations on applications and appeals.

An organisation will sign an agreement once they have been assessed against the registration criteria. This will outline their obligations when interacting with any SDE within the Network, and vice versa. Similarly, a user will sign terms of use.

Becoming a 'registered' organisation will allow named organisations to vouch for users and submit data access requests to any SDE within the NHS Research SDE Network. A data access request will only be accepted if all organisations and users who require access are already registered.

A central register of registered organisations and users will be held internally by the registration organisation, with details of all registrations, registrations in progress and those rejected or withdrawn. A version of this register will be easily available to all SDEs and agreed delivery partners with appropriate contractual controls. The register will be held on secure infrastructure and will be managed in line with NHS information governance standards. The maintenance of the register will be the responsibility of the registration organisation. The register will not be made publicly available but details of projects and the organisations working on them will be available publicly through local SDE project registers.

There will be a route to appeal if an organisation is not registered via the Registration Committee, and the organisation will be provided with details of the rationale behind the decision.

Not being registered on first application is not a barrier to future re-applications. Users and organisations can re-apply and have their credentials checked again.

User and organisations should be registered once, and able to submit data access requests across any SDEs within the regional Network without duplication of checks – avoiding unnecessary duplication and bureaucracy and increasing transparency and speed of delivery. An organisation will be registered first, and named organisations can then vouch for a user who is associated with them.

When an organisation vouches for a user, it is their responsibility to have in place any necessary assurance or contractual framework between themselves and the user they are vouching for (examples: employment contract, student, affiliate, sub-contract, honorary contract, sponsorship) as if a user they have vouched for behaves contrary to the terms of use, the organisation(s) who vouched for them will be liable.

The relationship between user and organisation can be seen in diagram below.

Process diagram showing how a registered organisation vouches for a user

Organisations and users can be registered before they engage directly with SDEs. Registration can take place at any point, including concurrently with detailed feasibility or access requests for data and data services. Registration is required prior to being granted full access to data or detailed metadata (for example through a discovery tool).

For the avoidance of doubt, users will not need to be registered to view assets on the Health Data Research (HDR) UK Gateway, however users will need to be registered to access the HDR UK cohort discovery tool.

Registration organisation

While aspects of the process are automatable, such as application, there is still a requirement for manual or human checking and judgement to complete registration. There is centralised function acting on behalf of SDEs, operating the registration process and documenting approvals accordingly. In this policy, this organisation is called the 'registration organisation'.

The relationship between SDEs and the registration organisation will be managed through agreements that set out agency/delegated relationship, to assess user and organisation registration requests and sign agreements on behalf of the SDEs – warranting the registration process sufficient to remove any requirement for duplicate registration checks at local SDE level. Through these agreements, the registration organisation shall be empowered to sign registration contracts with users and organisations that provide undertakings on behalf of the Network.

The privacy policy, which will maintain transparency in relation to how the Network collects, shares and uses the personal information collected during registration and beyond, will be set out and operated by the registration organisation.

Registration Committee

A Registration Committee (as described in the policy statements) advises, shapes and approves the policy, related policies and work instructions. The committee is hosted by the registration organisation.

Users and organisations

Users and organisations shall be responsible for complying with the policy and any related processes, procedures and contractual documentation. This includes keeping the Network updated in the event of a change in circumstances, such as change of employment. The responsibilities will be outlined in the registration agreement.

It is expected that registration shall be for a duration of 5 years, for both users and organisations.

Annually, the Network will provide registration details from the register to each organisation, asking them to check for discrepancies, report any changes and to confirm that they are still in a position to vouch for their associated user(s).

If an organisation is asked to confirm information about or relating to its registration status, or the status of its users, and does not respond, they will be reminded. If there is no response within 6 weeks, the user will no longer be considered registered with that organisation. SDEs will be informed of changes to the registration status of previously registered users and organisations and it will then be the responsibility of that SDE to take action in accordance with their local processes.

A process will be required also for handling concerns raised by SDEs about the conduct of registered users or organisations in the live environment. This may include investigation, suspension pending re-registration, and rescinding registration status.

While there are no exceptions to this policy, it is noted that SDEs will be adopting the registration approach over 2025-26, and transitional arrangements should be expected during this time.

SDEs that are providing the service for business purposes will have exempt users (such as their own staff) who will not need to be registered. The registration service will retain a list of these users which will be provided by the SDEs and reviewed regularly in the same manner as other users.

In the first year of operation of this policy (2025-2026), and at regular intervals throughout its implementation, feedback and iteration is to be sought from patients and public, healthcare professionals and representative users and organisations.

The policy shall be reviewed on an annual basis and changed where there is a mandate to do so with advice from the Registration Committee.

The registration organisation, following advice from the Registration Committee, shall devise a process for reporting, audit and registration against this policy. Reports shall be provided at regular intervals to the SDE Network.

The policy shall be formalised in conjunction with Department of Health and Social Care (DHSC) colleagues, and alongside the ongoing work to develop and implement the UK Statistics Authority (UKSA) Accreditation Framework for SDEs. It is expected that successful adoption of the registration policy will be necessary for an SDE to become accredited.

This policy shall be communicated online in line with transparency guidelines and to support users in planning applications for data services.

The management of this policy will be through the Registration Committee in line with Data for R&D Programme governance. This includes communicating the policy, managing changes to it and reviewing regularly to ensure it is current and reflects best practice. Accountability for sign-off on this policy currently sits with SDE Network Board. Any changes to this accountability will be updated here in future.

Regular feedback and iteration will be sought from patients and public, healthcare professionals and representative users and organisations in line with wider Data for R&D Programme processes.

The following documents and links are related to or support the policy:

• Registration agreement (including terms of use) - an example of the registration agreement you will sign in order to be registered 
• The NHS Constitution for England, DHSC -  The NHS constitution for England; NHS principles; NHS values
• Full-length NHS Standard Contract 2024/25, NHS England - Standard NHS contract provisions

You can download the registration agreement template to familiarise yourself with the terms you are agreeing to. You will be sent an editable version of this form once you have passed the initial registration checks.

This policy was approved by SDE Network Board on 5 March 2026.

The required standards for training and awareness for all users accessing data through the SDE Network registration process are set out in the network agreement which all organisations need to sign. Other specified training, such as support to use the research analysis environment, as researchers move to project specific activity will be agreed with the relevant SDE(s) and is out of scope of this document.

These criteria are correct as of the time of publication.