SATRE Working Group meeting 27 February 2024
Posted on February 27, 2024 • 8 minutes • 1695 words
Common topics arising from breakouts
- Ownership vs fragmentation
- Evaluation and tension between open evaluation vs commercial sensitivities in sharing details openly
- Overhead / commercial cost of becoming a formal standard, setting up and running an accreditation regime
- Decision making process for change to specification
1. Ownership vs fragmentation
- Does this WG need to be owned by a single organisation (e.g. DARE)?
- How does this group interact with groups working on using SATRE for more specific communities (e.g. SNSDE network)
- Having pathways to feed work done in more specific communities back into core model
- Ensuring core model doesn’t evolve to be incompatible with more specific community requirements
- SNSDE community recognises value in keeping a single core standard, but as an informal community effort rather than a guarantee (they have NHS structural governance)
- e.g. federation has been added to fill “the hole”
- Steering group idea with a board of relevant institutions could be a compromise between a single entity and a loose academic consortium
2. Evaluation and tension between open evaluation vs commercial sensitivities in sharing details openly
- DARE UK / HDR UK would feel like a potential “trusted” organisation that commercial organisations may potentially be comfortable sharing information with, e.g. evaluation details. Could imagine setting up an NDA with these organisations. Doesn’t necessarily need to require DARE / HDR UK to “own” the standard. Innovate UK played a similar “trusted partner” role for industry in a previous collaboration, pooling information across industry partners and sharing common pain points.
- Clearly a desire for TRE implementations that fit with SATRE. How to work with industry to achieve?
- How to solve the researcher, data controller, (TRE) vendor/provider needs Venn diagram?
- Considering tension between sharing evaluations openly and commercial, security or other concerns / discomfort in sharing this detail, what level of sharing strikes the right balance in achieving the goals of the standard? e.g. more information / detail could help with data provider and public trust. NHS DSPT collects more detailed responses than a SATRE evaluation just including the compliance level but publishes only a single “standard met” statement publicly
- If evaluation on each criteria was binary Compliant / Not compliant, industry might find it easier to publish a more detailed open assessment
- If you have an evaluation and you’re happy for it to be public please email it to satre-contact@dundee.ac.uk
- Some more support or guidance on completing the self-evaluation and what the criteria for the different compliance levels would be useful. e.g. this is a 1, but with this in addition would be a 2.
- Potentially Turing and HIC could annotate their evaluations with this. Turing may already have some of this in their evaluation
- Extending the current two-level compliance score to a more nuanced capability maturity model as being discussed in the SNSDE community might help
3. Overhead/cost of becoming a standard
- How can you achieve it?
- How does SATRE differ from NHS DSPT? DSPT carries the NHS name and you can't get NHS data without it.
- DSPT and ISO27001 (and the current SATRE spec to a lesser extent) are quite high level. Could potentially have a community accepted / approved design / implementation choices layer to SATRE that some would find helpful.
- A pathway to a “more formal” evaluation?
- Organisations that already have DSPT and ISO27001 see value in SATRE
- There is a space for a TRE standard in addition to the other, more specific/IT requirements - “This is how you do the Five Safes”
- The others are more general IT security requirements. This is a TRE standard. Can shortcut discussions with data providers.
- This is what doing the 5 safes looks like
- Maybe there is an intermediate step where organisations endorse/recommend SATRE as the standard to meet? We need to be the standard people want to meet first?
- Organisations like NHSE…? The Scottish Data Safe Haven network?
Q: Has there been any European uptake or just UK TRE focus?
- A: HIC at Dundee are part of ENTRUST 3-year project involving 14 countries and 35 institutions to build and design a blueprint for using sensitive health data across multi-national organisations. Definitely interest in this across Europe.
- A: Scottish Safe Haven Network (5 Safe Havens, 1 national + 4 regional) are working on using the SATRE specification to bring closer alignment.
- A: Many (all?) of the NHS sub-national SDEs are aware of SATRE and looking to use it.
ACTION
Anyone happy to get involved in the SATRE Working Group, please email satre-contact@dundee.ac.uk
Breakout notes
How do we take SATRE forward, and who’s willing to co-lead?
Prompts
- What are the next concrete steps for SATRE?
- Who is willing to co-lead the effort?
- What skills are we missing?
Notes
- What’s the work to be done?
- Towards a next version based on feedback
- We now need new self-accreditations
- Key questions for the coming year:
- who “owns” the specification?
- what’s the change process?
- what’s the appeals route (if any)?
- how are final decisions arrived at?
- What happens when this is official accreditation and community owned?
- Hope for funding and support, how do we manage it?
- Risk: multiplicity. How quickly and securely can we adapt to a series of standards that are themselves changing?
- CoreTrustSeal as an example
- What other processes, forums etc. should we be looking at and copying?
- Self-assessments: CoreTrustSeal? NHS DSPT?
- External assessments: DEA 2017, ISO 27k
- Peer assessments:
- Something in-between?
- Formal process for change. A phase of change by the community but then much more limited evolution
- Peer assessment
- How to take ultimate decisions? It calls for a steering group
- Are there any other examples of such a standard that is maintained by a community
- GA4GH has communities around standards development of relevance: https://www.ga4gh.org/get-involved/join-our-community/join/
- OHDSI OMOP working group
- Challenge: this is not only a research tool, but goes into regulatory territory
- About who holds the pen, and
Summary
- WG structure and processes needed for changes, including setting limits on the number of changes and flavours
- Maybe a period of change now, followed by a more stable version
- Steering group or a similar “decision maker” figure
- What other processes, forums etc. should we be looking at and copying?
- Self-assessments: CoreTrustSeal? NHS DSPT?
- External assessments: DEA 2017, ISO 27k
- Peer assessments:
- Something in-between?
- Are there any other examples of such a standard that is maintained by a community
- GA4GH has communities around standards development of relevance: https://www.ga4gh.org/get-involved/join-our-community/join/
- OHDSI OMOP working group
- Pick a starting point rather than start from scratch
Governance of SATRE, and should it be a foundation for a larger TRE network?
Prompts
- How should SATRE be governed?
- Who should be involved and who has the resources to govern SATRE?
- Should SATRE compliant TREs seek to form a formal or informal network?
Notes
- Applicable to the regional Safe Havens: comparing standards and equivalencies. Some sections not applicable; modify for the SSH network, or adhere to as-is? Additional controls/variations required?
- Alongside existing standards (e.g. ISO), SATRE feels like another set of certifications. Sector specific, e.g. data controllers have different risk appetites
- Needs to be sustainable.
- Caldicott engagement feels positive for equivalencies ~ external oversight, ability to learn from each other.
- Is SATRE v1 different from ISO?
- ISO covers some but not all of SATRE
- Need clarity on what is in SATRE that is missing from ISO. What's the added value of SATRE?
- Sharing SATRE evaluations could enable federated analyses, but perhaps ISO accreditation is needed as the minimum expectation. SATRE is a good sharing step to help build trust
- SATRE specific community with minimum values
- Support local governance people to understand how others work, and how SATRE fits in with existing processes
Summary
What is the added value of SATRE? SATRE evaluations could be used to facilitate federated analytics between TRE providers
What do institutions need to evaluate their TREs, and what is missing from SATRE?
Prompts
- What’s stopping TREs from evaluating themselves against SATRE
- Are there aspects of SATRE that are blockers for some TREs?
- Are there changes that could be made to SATRE that would mean more TREs will complete an evaluation?
Notes
- Both Turing and Leeds have evaluated themselves against SATRE.
- Not clear what to do after evaluation. Do you just open a pull request?
- A: If you have an evaluation and you’re happy for it to be public please email it to satre-contact@dundee.ac.uk
- Leeds TRE holds both directly identifiable and de-identified health, finance, police and retail data. They find that the level of technical controls required doesn't really differ from one sector to the next. The concerns of all the data owners are broadly the same. Feels like a single standard would make sense.
- Leeds TRE has been evaluated against NHS DSPT, ISO27001, so SATRE was just another standard.
- Turing had done its first DSPT self-evaluation before, but SATRE was its second standards evaluation.
- SATRE still quite high level. Could be helpful to include common / accepted compliant design patterns / approaches to meeting standards.
- Usability of TREs is critical for effective research to be supported. It’s not enough to maximise security if that means the purpose of providing access to the data can’t be achieved.
Summary
How to provide evaluation back?
- create issues on github
- add info on specification docs
Official accreditation
Prompts
- Should SATRE seek official accreditation, and does it require further refinement first?
- Which body or bodies should accredit SATRE?
- Who can contribute to the accreditation effort?
Notes
NHS SNSDE
- Will be working with Stats UK to evaluate SATRE for SNSDEs
- Many trusts struggling to meet DSPT needs
Accreditation idea needs to be started sooner rather than later
- Community still finding our feet
- Importance of shared terminology
- Link into federation
- Need to demonstrate equivalence
Who can provide accreditation? What would accreditation look like? Can this be self-assessed?
- Standard looks like a tickbox exercise
- Could get a vendor to implement based on existing standards
- 60% technical, 40% information governance, etc
- 20 requirements are the minimum (for a software vendor) to check the TRE
- Commercial interest in accrediting. Is there enough demand (to make commercially viable)?
- Would be potentially expensive (e.g. Our Future Health)
Difficulties for taking SATRE to accreditation
- separating domain unique items from checklist items from other standards
- Commercial sensitivity when publishing assessment of evaluation
Value in self-assessment?
- as long as it’s published (and reviewed)
- database of responses to “profile” TRE types (e.g. Cyber GRX)
Summary
Ownership by, say DARE, would help for consistency?