Topic: TRE accreditation#

Session 2, Room 1


  • Who has experience gaining accreditation for a TRE?


  • Accreditation is awarded at the organisation level

  • Existing standards (ISO27001, cyber essentials) are not specific for TREs, they’re required by almost everyone

  • Have people joined this session to look for guidance?

    • Turing have NHS DSPT, looking at others, and working through SATRE to develop something like an accreditation for TREs

    • UCl is building a new TRE and are interested in which accreditations to target (and which exist)

  • Is there any scenario where accreditation could be awarded to a TRE deployment software that is independent of the TRE operator/ institution?

    • Maybe, sounds like a long-shot, would need serious discussion with the data providers

    • Would still require operator/institution to be accredited, but process should be easier by using accredited software

  • Why do some orgs favour certain standards?

    • Example: ONS DEA is very useful for people to build on top of but larger orgs have their own staff to develop and adopt standards

    • Needs regulation

  • As a data provider, what should I look for in a TRE and their accreditation?

    • Look at assurances and what other data providers have used the TRE

  • RSE Community could have high level discussions with orgs like HDR UK / DARE on what TRE regulation could look like?

    • What could we achieve?

      • If ONS can’t convince NHS to accept their data standard then needs to go even higher, e.g. brokered by DARE/HDR-UK?

    • How much time to people have?

      • Some people already spend a lot of time on these issues anyway

  • UK Data Service (?) is not a crown body, TRE not accepted by some Government bodies

    • UK Government has internal security standards, based on internal government services. Currently impossible for external bodies to be compliant.

  • UK quite advanced in building TREs and accreditation, but US has strong accreditation for clinical trials data