Most data sharing initiatives stall for the same reason: nobody can agree on what “trust” actually means in practice. Boards talk about trust as a feeling, legal teams talk about it as a contractual obligation, and engineering teams talk about it as an access control problem. None of these framings, on their own, is wrong, but none of them is sufficient either, and a programme built on only one will eventually run into the limits of the others. The organisations that get data sharing right treat trust as something engineered, not assumed: a specific, auditable combination of legal basis, governance process, and technical control that can be demonstrated to a regulator, a partner, or a sceptical board on demand.

This matters more in the UK right now than it has for some time. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being phased in through 2026. It introduces new statutory frameworks for cross-sector data sharing, including Smart Data schemes that extend the Open Banking model to other sectors, and a statutory trust framework for Digital Verification Services.[1] The government has set out a staged commencement timetable running through 2026, with the main data protection changes phased in roughly six to twelve months after Royal Assent.[2] For CTOs, CDOs, and Programme Directors weighing up a data sharing initiative, the practical question is no longer whether the legal framework allows responsible sharing (it does, and increasingly explicitly so) but which governance and technical model will hold up to genuine scrutiny once that sharing is live.

Why “We Have a Data Sharing Agreement” Is Not a Trust Model

A written data sharing agreement is necessary, but it is frequently mistaken for sufficient. The agreement establishes roles, purpose, and accountability on paper; it does not, by itself, demonstrate that data is actually being protected, that access is genuinely limited to what was agreed, or that the arrangement would survive scrutiny if something went wrong. Regulators, partners, and increasingly customers themselves now expect organisations to show their working, not merely assert good intentions in a signed document.

This gap between paper compliance and demonstrable practice is precisely where data sharing initiatives lose credibility, and where competitive advantage sits for organisations that close it properly. A genuinely robust data sharing model needs three things operating together: a clear and current legal basis, a governance process that can evidence its own decisions, and technical controls that enforce the agreement rather than simply describing it.

The Five Safes Framework: A Model Built for Scrutiny

One of the most battle-tested approaches to this problem originated not in industry, but in UK government statistics. The Five Safes framework was developed by the Office for National Statistics and has since become the design template for secure data access across UK research, health, and public sector data infrastructure. It frames data sharing risk across five independently assessable dimensions: safe data (is the data itself appropriately treated to manage confidentiality risk), safe projects (has the specific use been approved as legitimate and proportionate), safe people (are those accessing the data trained, vetted, and accountable), safe settings (does the technical environment prevent unauthorised use or extraction), and safe outputs (are results checked before they leave the controlled environment to ensure they cannot re-identify individuals).[3]

What makes the Five Safes durable as a model, rather than just a checklist, is that it does not rely on any single safeguard carrying the entire weight of trust. A weakness in one dimension (say, a slightly broader-than-ideal dataset) can be offset by tightening another (a more restrictive setting or stricter output review). This is precisely the kind of layered, demonstrable reasoning that satisfies scrutiny in a way that a single access control list or a generic non-disclosure agreement never can. It is also why the framework has been adopted well beyond its statistical origins, underpinning NHS Secure Data Environments and Trusted Research Environments used across genomics and health data research, where the requirement to share sensitive data broadly for research while protecting individual privacy is at its most acute.

For enterprise and healthtech organisations outside the public research context, the same underlying logic applies directly: rather than asking “do we trust this partner,” the more useful and answerable question is “across data, project, people, setting, and output, where does our actual risk sit, and what evidence do we have for each.” That reframing alone tends to surface gaps that a single blanket data sharing agreement obscures.

Smart Data and Data Intermediaries: The New Statutory Layer

Where the Five Safes framework addresses sensitive, often one-to-many research-style data sharing, the Data (Use and Access) Act introduces a complementary and increasingly relevant model for commercial, customer-permissioned data sharing: Smart Data schemes. Modelled on Open Banking, the Act gives the Secretary of State and HM Treasury powers to make regulations requiring “data holders” in a designated sector to make customer data available, on request, to the customer or to an authorised third party acting on the customer’s behalf.[1] The government’s accompanying consultation on data intermediaries describes these as trusted third parties that act on an individual’s explicit instruction to access, share, or manage their data. That addresses one of the most persistent blockers to responsible data sharing at scale: the legal and operational ambiguity about who is accountable when a customer wants their data moved on their behalf.

This matters for any organisation evaluating data partnerships, particularly in financial services, energy, and other sectors likely to see Smart Data designation extend beyond banking. It signals a clear direction of travel: data sharing models built around explicit, revocable, customer-controlled permissioning, rather than broad organisational data sharing agreements, are where UK regulatory expectation is heading. Building toward that model now, ahead of sector-specific designation, is a more defensible long-term position than retrofitting consent architecture once a scheme becomes mandatory.

What “Passing Scrutiny” Actually Requires in Practice

Bringing these elements together, a data sharing model that holds up under genuine scrutiny, whether from a regulator, an enterprise partner’s due diligence team, or an internal audit, tends to share a consistent structure regardless of sector. It documents the specific legal basis for the sharing rather than relying on a generic consent clause, and it reviews that basis as the law evolves: the “recognised legitimate interests” basis introduced by the DUAA, for example, removes the need for a full balancing test, but only for the specific purposes the Act lists and only where an organisation can evidence that its processing falls within one of them. It separates data minimisation decisions (what is actually shared) from access control decisions (who can see what was shared), since conflating the two is a common source of both over-sharing and operational friction. It treats the technical environment as part of the trust model rather than an implementation detail, favouring controlled, observable access mechanisms (a query interface or a secure analysis environment, for instance) over wholesale data transfer wherever the use case allows. And it retains an audit trail capable of demonstrating, after the fact, exactly what was shared, with whom, on what legal basis, and what controls were applied. That last point is critical: the organisations that struggle most under scrutiny are rarely the ones that made a defensible decision; they are the ones that cannot evidence the decision they made.

None of this requires choosing between innovation and caution. The Five Safes framework exists precisely because UK statistical and health research has needed to share highly sensitive data at scale for over a decade, while remaining defensible to public and regulatory scrutiny throughout. The same discipline, engineered trust rather than assumed trust, is what allows enterprise data sharing programmes to move from a perpetual stalemate between “the business wants to share this” and “legal won’t sign off” to a model that both sides can actually stand behind.

Building a Model, Not Just an Agreement

Organisations that get this right tend to start by mapping where their data sharing actually sits across the Five Safes dimensions, rather than starting with a contract template. They build governance processes that produce evidence as a by-product of normal operation (approval records, access logs, output reviews) rather than evidence that has to be reconstructed after the fact when a regulator or partner asks. And they track the Data (Use and Access) Act’s phased commencement closely enough to know which provisions, such as Smart Data scheme designations or the statutory Digital Verification Services framework, will directly affect their sector and on what timeline, rather than reacting only once a scheme becomes mandatory.

Done well, this is not primarily a compliance exercise. It is the foundation that allows an organisation to say yes to a genuinely valuable data partnership with confidence, rather than defaulting to caution because nobody can clearly articulate where the actual risk sits.

Flipware Technologies works with FTSE 100 organisations in regulated sectors and funded healthtech platforms to design data sharing and governance models that hold up to genuine regulatory and partner scrutiny, not just paper compliance. If your organisation is evaluating a data sharing initiative, a partner integration, or readiness for the UK’s evolving Smart Data and digital verification landscape, get in touch with Flipware Technologies to discuss an approach suited to your sector and risk profile.

References

  1. GOV.UK / Department for Science, Innovation and Technology, “Data (Use and Access) Act 2025: data protection and privacy changes”
  2. GOV.UK / Department for Science, Innovation and Technology, “Data Use and Access Act 2025: plans for commencement”
  3. GOV.UK, “The Five Safes Framework”, January 2025


Data Sharing Trust Models UK: Five Safes & Smart Data Guide | Flipware