Data Security

UK LLC’s Trusted Research Environment (TRE) adheres to the highest national and international standards of information security to ensure the safest possible use of data. UK LLC is ISO 27001 certified and is accredited by the UK Statistics Authority as a processing environment under the Digital Economy Act (DEA) 2017. 

Protecting the confidentiality and security of participants’ data is important to us.

For that reason, we have invested heavily in developing a comprehensive and robust information security management system (ISMS). Our ISMS is regularly tested by external independent experts in information security from the UK Statistics Authority and Alcumus ISOQAR. These audits ensure that our security and safeguards are robust. 

ISO 27001

Certification of an ISMS to the ISO 27001 standard is recognised worldwide to indicate that an organisation’s ISMS is aligned with international information security best practices.


ISO 27001 is seen as the ‘gold standard’ and demonstrates that information security – the confidentiality, integrity and availability of data – is considered and built into everything an organisation does. 

Our TRE contains de-identified data about people enrolled in partner Longitudinal Population Studies (LPS). Protecting the confidentiality and security of LPS participants’ data, and maintaining the integrity and availability of data accessed by approved researchers, are of critical importance to us.

NHS England

All organisations that have access to NHS England patient data must complete the NHS England Data Security and Protection Toolkit (DSPT) every year. Our organisation code is: EE133799-LLC.

Completing the DSPT provides assurance that these organisations are practising good data security and that personal information is handled correctly. The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

Digital Economy Act 2017

We are an accredited processor under the Digital Economy Act 2017.

This exacting standard ensures that UK organisations have a sufficiently robust ISMS to include in their TRE de-identified data from government departments, e.g. Department for Work and Pensions. 

The UK Statistics Authority’s Research Accreditation Panel oversees the independent accreditation of processors. This is measured against a framework of security controls (based on ISO 27001) and data capability controls. Experts in information security from the UK Statistics Authority audit us at least annually.

UK GDPR and the Data Protection Act 2018  

Our legal basis under UK GDPR and the Data Protection Act 2018 is:
  1. Performance of a task carried out in the public interest (Article 6(1)(e) in the GDPR); and, where sensitive personal information is involved,
  2. Scientific or historical research purposes or statistical purposes (Article 9(2)(j) in accordance with Article 89(1)). The GDPR defines ‘sensitive personal information’ as information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic data or biometric data for the purpose of uniquely identifying a person; and data concerning health or data concerning sex life or sexual orientation.

This legal basis within UK GDPR and the Data Protection Act 2018 is separate to, and in addition to, the actions and legal basis of the collaborating studies, which establish the basis for participants’ data to be collected, processed and shared for research purposes.

We use the research provisions of the Digital Economy Act 2017 to link to administrative records (such as those held by HM Revenue and Customs, the Department for Work and Pensions, and the Department for Education and its devolved equivalents). We will access existing de-identified data from these sources through the UK’s statistical authorities and agencies.

The Digital Economy Act provides a legal basis for the transfer of confidential information by public authorities for research purposes in a way that does not breach any duty of confidentiality owed to the individual by the public authority.