In secure data environments, research outputs pose high risks of statistical disclosure, while manual review is inefficient and communication-intensive. To address this, we propose a novel human-in-the-loop statistical disclosure control (SDC) paradigm and develop SACRO—an open-source, multilingual toolkit. SACRO embeds SDC directly into analytical workflows, supporting Python, R, and Stata frontends. It employs rule-based and heuristic algorithms to detect disclosure risks in tables, charts, and model outputs in real time, delivering interpretable alerts, configurable mitigation options, and audit-ready reports. A GUI-enabled visualization interface further facilitates interactive review. Crucially, SACRO augments—not replaces—human reviewers, enhancing decision-making quality and collaborative efficiency. Released under the MIT License, SACRO has been deployed and validated across multiple trusted research environments, demonstrably improving review transparency, throughput, and traceability.

This article presents a free and open source toolkit that supports the semi-automated checking of research outputs (SACRO) for privacy disclosure within secure data environments. SACRO is a framework that applies best-practice principles-based statistical disclosure control (SDC) techniques on-the-fly as researchers conduct their analyses. SACRO is designed to assist human checkers rather than seeking to replace them as with current automated rules-based approaches. The toolkit is composed of a lightweight Python package that sits over well-known analysis tools that produce outputs such as tables, plots, and statistical models. This package adds functionality to (i) automatically identify potentially disclosive outputs against a range of commonly used disclosure tests; (ii) apply optional disclosure mitigation strategies as requested; (iii) report reasons for applying SDC; and (iv) produce simple summary documents trusted research environment staff can use to streamline their workflow and maintain auditable records. This creates an explicit change in the dynamics so that SDC is something done with researchers rather than to them, and enables more efficient communication with checkers. A graphical user interface supports human checkers by displaying the requested output and results of the checks in an immediately accessible format, highlighting identified issues, potential mitigation options, and tracking decisions made. The major analytical programming languages used by researchers (Python, R, and Stata) are supported by providing front-end packages that interface with the core Python back-end. Source code, packages, and documentation are available under MIT license at https://github.com/AI-SDC/ACRO