SATRE Collaboration Café 6th June: Information Governance of Trusted Research Environments

Introduction

SATRE (Standardised Architecture for Trusted Research Environments) is building a reference architecture for TREs, driven by community input.

In the initial stages of the project, a feature survey was shared with the community, for input on what features were important or not to include in a reference architecture.

Feedback on the survey suggested a lack of consideration in the architecture for information governance — safe and rigorous governance around how to handle sensitive data is at the core of how TREs are built and operated, and is crucial to include in any reference architecture.

As a result of this feedback, on Tuesday 6th June the SATRE Project held its second open Collaboration Café on the theme of Information Governance. Over 40 attendees from across the UK TRE community contributed, and the discussions helped generate the Information Governance pillar of the SATRE specification. If you would like to join a future Collaboration Café, sign up here.

Setup

The second iteration of the SATRE reference architecture looks very different from the first — it is now based on capabilities, rather than features. This was driven by feedback from the community on our initial approach. You can find out more details about the structure of the architecture here.

Information Governance is one of the SATRE Capability Pillars

The Café created six breakout rooms to cover the initial six components of the information governance pillar. These were:

  • Compliance, monitoring and reporting
  • Policy Regulation and Management
  • Risk management
  • Project management
  • Member accreditation
  • Training and competency

The community was tasked with discussing:

  • Whether these components were comprehensive and the correct ones to include within the Information Governance pillar
  • Whether the requirements within each component were comprehensive for that component
  • Whether the wording within each component was accurate and accessible

Discussion summary

Below is a summary of the main points from each breakout room:

Compliance, monitoring and reporting

Participants agreed that TRE organisations must be able to monitor compliance with internal and external laws and standards. The discussion concluded that it is mandatory for organisations to put in place processes to demonstrate compliance with accredited standards such as ISO 27001, the NHS Data Security and Protection Toolkit (DSPT) or Cyber Essentials (CE+). Additionally, organisations should share their compliance reports with the regulatory bodies that manage the accreditations.

Policy Regulation and Management

The discussion stressed the need for a common understanding of information governance. Topics such as change management, policy/procedural reviews, and organisational structure play a crucial role. It was also suggested that the information governance components be mapped onto an organisational model so that responsibilities and tasks can be tracked.

Risk management

It was suggested that a risk-based approach be adopted, which involves asset grouping, threat identification, vulnerability assessment, and understanding the impact of a potential breach. Automation and guidance on risk management were also recommended.

Project management

Key considerations discussed included defining project team roles and handling the entire data lifecycle, which encompasses aspects such as the data source, consent, ethics approval, and data sharing agreements. The idea of separating technical and policy aspects was discussed but considered risky, since technical controls form the basis for compliance with standards and regulations.

Member accreditation

It was agreed that there need to be identity verification checks and criteria for anyone accessing the TRE, including affiliation verification, role-based training, and offboarding procedures. It was also emphasised that a clear chain of responsibility is essential to maintain accountability.

Training and competency

Regular, role-specific training was discussed, and it was suggested that it does not always need to be annual, particularly where the training burden is high. Alternative methods for demonstrating competency, such as tests or assessments of skills and knowledge, were proposed.

Additional: Policy regulation and management

This should involve processes and policies that are responsive to requirements. A risk-based approach to access, data classification, and a process to assess the legal and regulatory implications of handling data throughout its lifecycle were recommended.

Next Steps

The Collaboration Café on Information Governance surfaced many important considerations for anyone in the community who thinks about and implements Information Governance in their roles, and provided a crucial first iteration of the Information Governance pillar.

The discussions held were used to directly contribute to the SATRE Specification Document — SATRE Community members created GitHub Issues and Pull Requests to collaboratively update the document based on outputs from the session. You can find the Information Governance section created from this Collaboration Café here. For more information about SATRE Collaboration Cafés and how they are run, please see our blog post.

The SATRE project is extremely grateful for ongoing support and input from community members to collaboratively build the SATRE Specification. For any questions about this Café or the SATRE project, please get in contact with us via satre-contact@dundee.ac.uk.
