TRE Satellite Event notes - Standardisation of information governance, certification & regulation#


  • How we do standardise sticky issues around ethics?

  • What definitely can/can’t be standardised?

  • Can certifications and governance reviews be done once for each TRE code-base?

  • Can information governance reviews be shared across TREs?


  • Standardisation is made difficult due to a large variety in data:

    • Types of data

    • Sensitivity

  • Does this diversity make creating effective standards difficult

  • M: Standards:

    • ISO27001

    • DSPT

    • Cyber Essentials (+)

    • from M’s notes earlier!

      • What existing standards do builders of TREs attempt to adhere to?

      • What existing standards do data owners expect builders of TREs to adhere to

      • Is this likely/close to a complete set or are there gaps? What are those gaps?

  • R: Experience approaching ISO27001 certification. More ‘free form process’ rather than a prescriptive set of requirements

  • A: Lack of definition for ‘TRE’ also makes standardisation difficult from the perspective of data providers

    • Feedback from working on Goldacre report. Preference for a small number of TRE implementations

    • Alternatives could be many implementations of one (or small number of) specification, federated set of similar/compatible TREs

  • Small number of large TREs will likely made data access/sharing/linkage easier as it will be easier to develop trust between the TREs and between all TREs and data providers

  • NHSx (?) report on the future of TREs (SDEs) proposes ‘soft’ accreditation to make multiple projects on one TRE involve less friction

  • H: ‘Data lakes’ for storing very large amounts of data - accredited TREs could get ‘easy’ access to this data

  • How to get towards these ideas?

    • A single implementation which demonstrates the use of a data lake/passport

  • S: How flexible can a passport be? Researchers may be told where they will work and not be able to choose. The benefit of a passport will depend on who/what (people/organisation/TRE) the passport applies to

    • R: Easier to apply some kind of accreditation to a TRE rather than people. TRE can ‘guarantee’ some level of security through technical controls and processes. This can be aligned with the expectations/requirements of data providers

    • A: For health data, there also needs to be a consideration of protecting the interests and rights of data subjects

    • A: Observation from work with HRA, governance is difficult to enforce with code alone

  • R,A: Section 251 objection for a research project allows bypassing some GDPR requirement. Unclear if this kind of exception could apply to a whole TRE/secure data store.

Actions/next steps#

  • Survey and take inspiration from what already works and is ‘acceptable’ in the UK. E.g. UK BioBank

  • Create a clear definition of what a TRE is (and is not). This is important for data providers.

  • Survey the ‘hard requirements’ for difficult organisations/types of data. E.g. Cyber Essentials + for MOD.