Topic: TRE accreditation
Session 2, Room 1
Who has experience gaining accreditation for a TRE?
Accreditation is awarded at the organisation level
Existing standards (ISO27001, Cyber Essentials) are not specific to TREs; they’re required by almost everyone
Closest is https://www.ons.gov.uk/aboutus/whatwedo/statistics/requestingstatistics/approvedresearcherscheme but even that’s not widely accepted
Have people joined this session to look for guidance?
Turing have NHS DSPT, looking at others, and working through SATRE to develop something like an accreditation for TREs
UCL is building a new TRE and is interested in which accreditations to target (and which exist)
Is there any scenario where accreditation could be awarded to TRE deployment software independently of the TRE operator/institution?
Maybe, sounds like a long-shot, would need serious discussion with the data providers
Would still require operator/institution to be accredited, but process should be easier by using accredited software
Why do some orgs favour certain standards?
Example: ONS DEA is very useful for people to build on top of but larger orgs have their own staff to develop and adopt standards
As a data provider, what should I look for in a TRE and their accreditation?
Look at assurances and what other data providers have used the TRE
RSE Community could have high level discussions with orgs like HDR UK / DARE on what TRE regulation could look like?
What could we achieve?
If ONS can’t convince NHS to accept their data standard then it needs to go even higher, e.g. brokered by DARE/HDR-UK?
How much time do people have?
Some people already spend a lot of time on these issues anyway
UK Data Service (?) is not a crown body, TRE not accepted by some Government bodies
UK Government has internal security standards, based on internal government services. Currently impossible for external bodies to be compliant.
UK quite advanced in building TREs and accreditation, but US has strong accreditation for clinical trials data