Breakout: Do we need an IG working group?

Leads: Amy Tilbrook (UoE)

Prompts

• Is there a perception of lack of IG knowledge in UK TRE community (“an IG black hole”?)

• What support would benefit the community?

A) Specific IG working group? Thoughts on:

• remit/purpose

• membership

• how it would work

B) Is IG an element in ALL working groups? (as per previous group days: “working groups need a purpose, as creating and maintaining one takes effort, many people are interested in everything/all groups”). How could this be supported?

C) Something else? Previous suggestions for remit of an IG working group:

• “Something around Information Governance and policies” e.g. ISO27001 and also local e.g. University policies

• Advice from contributors for specific issues

• Aligning strategies for dealing with TRE-specific IG challenges - e.g. AI/ML, commercial access, international access

Notes

• What do we mean by IG? Each org uses it in slightly different terms so we don’t have a unified conception of what is meant?

  • Grampian “it covers the whole process from the minute a researcher contacts us, to when the project data is deleted”

• Technical stuff is seen to be easy, IG stuff is hard - would like to know how we are supposed to interact with all the different projects

• Difference between umbrella TRE IG and project related IG

• IG = context and organisation dependent - might depend on risk appetite or data held.

• Looking to adapt existing processes to adapt to a TRE way of working (data access rather than data sharing)

• Definite appetite for support in this area.

• Goes beyond/outside of ethics/regulatory compliance.

• Is there an interest in standardisation? With such context/data related specifics is this even possible?

• For organisations who have been doing this a long time, the differences between controllers/processors and roles for TREs are fairly established.

• Scotland is working towards a federated approach to governance across Scottish TREs to facilitate/streamline data sharing.

• Often issues arise in research governance rather than IG or data protection teams - we can’t change the rules/regulations around health research governance.

• Why does it take 2 years to get access to data?

• Does IG encompass data sharing (contracting?)

• legal base issues within NHS SDEs

• IG Challenges:

  • Consented vs unconsented projects: How does consent unlock data to be used by a project?

  • What advice and guidance can be given when talking to new organisations/other contexts?

  • Consented vs. unconsented studies

  • Research governance a barrier

  • Anonymous vs. identifiable data

  • How would the ‘IG’ world support the consents of a person for the data held by a data controller org to allow their data to be accessed by the project they have consented to.

  • How would the IG world react to technology options to extend control across federated facilities such that it eases the ability to speed up access to the data but maintaining as much control and governance oversight as possible.

  • What are the rules and how can we articulate them across the board?

• Ideas:

  • A group that could give advice on how to negotiate the relationships?

  • Work towards TRE specific research governance to support research governance teams - what?

  • Playbook for open IG (need to be fairly high level) - e.g. survey of high level workflows of IG processes within 5 safes. How to determine safe people, safe settings etc?

  • Have a look at these pages - transparency standards: https://www.abdn.ac.uk/research/digital-research/accessing-data-1688.php and https://www.abdn.ac.uk/research/digital-research/obtaining-permissions-1703.php

  • A community where questions could be posed/answered, discussion forum on IG set up, definition.

Summary

• Technical is easy, IG is hard - because:

  • What is IG? What does it encompass (difference between IG and research governance?)

  • IG is context, data, organisation dependent (risk appetites)

  • Anything created for general use would need to be fairly high level

• Appetite

  • to understand what IG set ups there are across the TRE community

  • to develop something to support TRE specific research governance/open IG

  • to have a forum where IG questions could be asked (both umbrella IG for TREs in general - especially for newer TREs, and project specific IG issues - e.g. consented studies)

  • to understand what is specific TRE IG (data access) rather than data sharing IG

Suggested first things for an IG group to do:

• Find drivers/champions/leads

• See Grampian examples of workflows

• Set up survey of

  • What does IG mean in your context?

  • What workflows/governance processes can be shared?