SATRE collaboration cafe 10 June 2025: Accreditation and Governance of SATRE

Posted on June 10, 2025  •  11 minutes  • 2296 words

This collaboration cafe delved straight into the related topics of how SATRE should become a formal accreditation, and how SATRE should be governed.

Accreditation determines how SATRE compliant TREs will gain recognition with the public and TRE stakeholders. It will allow TREs to formally state they are compliant with SATRE, and for the public to understand what it means for a TRE to be compliant.

Governance of SATRE is about who controls SATRE. The long-term sustainability of SATRE requires the support of TRE stakeholders and the public, so the governance of SATRE, and who is involved in it, plays a critical role.

Breakout summaries

Making SATRE into an accreditation

These discussions centred around the practical requirements of making SATRE into a formal accreditation, and the impacts on organisations of having to undergo an accreditation process.

One important aim of accreditation is to promote public trust in TREs, and this is difficult to achieve with self-assessment. External audits could include peer review, though this is perceived as less trustworthy than a regulatory authority that has power to impose sanctions.

The move towards federation means standards like SATRE are important for data controllers and other TREs to trust each other. There are several related standards such as the Digital Economy Act (DEA), Data Security and Protection Toolkit (DSPT), and ISO270001, but SATRE fills a gap. We should make clear the relationships between these (note there is already a working group looking at this).

SATRE requires continuing support from organisations operating TREs or managing data, and we need to take constrained budgets into account when updating SATRE and designing the accreditation process. Every organisation already has their own existing policies, and SATRE must also account for rapid changes in technology.

Governance of SATRE

Trust and transparency are important for the governing body of SATRE. It must include lay and TRE representation, decision making processes must be clear to have legitimacy, and clear communication with the public is required.

The body will decide on the strategic direction of SATRE, which will be influenced by how the Government (perhaps indirectly) sets accreditation requirements for organisations. There should be a terms of reference clearly defining responsibilities and roles of the governing body.

When it comes to setting up the body we need advice from those with expertise, and we could form a task group with technical, academic and public members who can build on the work of collaboration cafes.

Public space

The public space highlighted issues of trust around SATRE and TREs, beginning with what do terms like accreditation, ISO27001, SDEs and federation even mean?

Standardised accreditation and transparency of results, especially if they involved a known trusted body, would build public confidence in TREs and SATRE.

Many members of the public understand that their data is useful of research, but we need to understand why others are concerned about the use of their data, and whether there are solutions or safeguards that would reassure them. This is particularly tricky since they may not engage with existing outreach. SATRE can help by allowing more consistent messaging about TREs.

Raw breakout notes

As always we encouraged all attendees to collaboratively edit the notes from this cafe, and to use their own words to ensure their points were accurately captured.

Breakout room: Making SATRE into an accreditation

Prompts

• Self assessment vs Audit
• Publishing assessments of TREs
• How do we use accreditation to promote public trust and trustworthiness
• Personal experience thereof? Both positive and negative?
• What is the purpose of accreditation?
• Should there be any pre-requisites?
• Should it be self assessed or externally audited?
• Should it be a formal accreditation, and if so should it be awarded by an existing public body or a new one?
• Find people in the community with relevant expertise, regardless of sector/job, to help us: Have you been involved with creating or awarding formal standards or accreditations?

Notes

• Tech moves quick e.g containers, software processes, a lot sits outside of TREs e.g. tools and data?

• How will SATRE accreditation be different from UK ASA? Will it align or supercede

• Everyone has their own policies, will that be part of SATRE, how can specific organisations fit in. Important for future of SATRE to ensure standardisation, needs parameters to ensure standardisation.

• Some SDEs/TREs need subscription, thus will SATRE/TREvolution be subscription based? Anything below NHS/GPs would be good.

• SATRE standalone or part of a wider accreditation process?

• Desire for common standard, information governance, tech, and data standards that allow federation between SDEs (aka an EU for TREs?). Federation approaches are limited as technical solutions when regulatory equivalence is not already in place across the participating federation sites.

• What do you foresee the frequency of re-accreditation to be?

• For any accreditation to be credible it must be sponsored by a regulatory authority with powers for granting, reviewing, suspending and enforcing “licenses” for operation. What authority would back SATRE accreditation? A purely voluntary regime would not satisfy many stakeholders and a regulatory body that is associated with any existing TRE operators would not be impartial.

• What existing accreditations would a SATRE accreditation replace? DEA? What is the value proposition of a SATRE licence?

• Mapping/matrix between accreditations might be useful, don’t want to duplicate.

  • Would be nice to have a pathway, whatever that looks like. SATRE is currently an entry point for self-assessment.
  • What is the point of accreditation, who is it for - data provider, is it simply box check exercise (hope not)?
  • Do you think the existing DSPT/DEA/ISO27001 standards suffice?
  • Issue is that no single one standard is recognised, even if you have all 3, that sometimes does not suffice.

• Is there a top-level regulator, every fitness to practice case ends up in the public space. So, what are the sanctions so the public can be reassured?

• How would SATRE build trust with the public?

  • Is very difficult to do with a self-assessment. SATRE is a good baseline, but without additional audited assessments it is difficult.
  • Need to build trust with auditors too.
  • Who is the auditor? Has to be external, not peer review.
  • More support for official / external assessment to build trust.
  • Might prove to be difficult for smaller orgs to achieve
  • Why not open-up all your documentation? Does anyone have any positive experience with this?
    • Can be tricky to open up, but is worth it, pushing for openness is good, but there are challenges e.g. commercial / intellectual property / security.
      • A standard set of high-level documentation templates might help, but might be tricky to be specific enough?
    • A proper accreditation scheme will cost, self-certification lacks teeth - “wild-west”

• Embed SATRE into ISO: Create a set of ISO27001 ISMS (Information Security Management Systems) security controls that are SATRE driven/focussed.

• Money is tight, NHS increasing their data access costs (30% was mentioned).

• Sharing worst practices / disasters and their fixes would be useful too. Other organisations will learn a lot from that.

• Data controllers/providers need to input into SATRE requirements for accreditation to help inform the more formal standards (perhaps keep SATRE informal).

• Gaining genuine public opinion and trust is a real challenge.

• Actual SATRE criteria can work well as-is for an assessment design (plus v2 Federation please!) using existing Must/Should/Could levels and some splitting into responsibility areas (Information Governance, Tech, People and Processes etc)

• SATRE fills the gaps in other standards for healthcare-specific TREs. There should be an immediate “pass” on certain SATRE criteria if mapped to your existing eg ISO27001 accreditation. But after such mapping is complete, I think we will find SATRE fills some gaps.

• SATRE fills the gaps in normal standards for TREs.

• So back to the mapping doc - some bits covered by ISO27001 some by DEA, gaps by SATRE v2?

• We have codes of practice through FedIP and Aph

• With a such a complex standards environment are we really building public trust

• Accreditation (including to SATRE) is a key measure for federation. If you’re going to let someone access your data, you need to ensure that they have met an agreed level of assurance, or you would be unwise to allow them access.

• If every TRE is ISO 27001 accredited then a SATRE specific set of ISMS security controls embedded in the security policy may be a way forward.

• It’s not just public trust, it’s peer (TRE/SDE) trust that is important.

Breakout room: Governance of SATRE

Prompts and notes

Are there existing governance models we can use?

• What has been done before that has been effective that can be applied here.
• Determine if it’s a self assessment or accreditation model. That will determine the governance of SATRE
• Look at the arms length governance bodies: NHRA, HTA, University models

Who controls what is added/changed in SATRE?

Should there be a formal governing body/council with articles of association, or an informal body, and what is the process for choosing members of that body?

• Important to have lay representation
• Need to have all TRE representation also
• Define Terms of Reference that are clear on roles, responsibilities and power to make decisions
  • Role would include deciding on federated data analysis to be included in SATRE
  • Not deciding on data access
  • Deciding on strategic direction of SATRE
• What are current Government plans for accreditation and use of SATRE? For health you have 4 Devolved authorities that can all choose to use SATRE or not. Health is not currently in DEA and pursuing own accreditation
• How are decisions made within the governing body? How to decide on the legitimacy of decisions.
• Is transparency important? Yes, showing how decisions are reached is really important and public feeding into decision making is key.
• The interview process and panel voting is part of determining the governance body.
• Trust is very important for governance. Need to translate governance for the public. Can the public understand what is being done and can they trust it?
• How does the SATRE governance body work within their “host” organisation governance frameworks?
• Terminology and technical aspects are where confusion happens with the public. - Transparency with creating communication that is understandable needs to happen in parallel.
• Accountability of roles and responsibilities for building trust.
• Does SATRE want to be part of the system, part of government, or separated out? That will determine the SATRE governance of it.
• How to get started with a governing body?
  • No continuous guaranteed funding
  • Public task group with technical, academia and public. Build on what has already been started with Collaboration Cafes

What funding is needed for this governing body to do its work, and is this sustainable in the long term?

Find people in the community with relevant expertise, regardless of sector/job, to help us: Have you been involved with the governance of open standards or community-driven organisations?

Examples

• UK Government requirements for open-standards https://www.gov.uk/government/publications/open-standards-principles/open-standards-principles
• W3C process https://www.w3.org/policies/process/
• Python governance https://peps.python.org/topic/governance/
• Cloud Native Compute Foundation (CNCF) https://contribute.cncf.io/maintainers/governance/
• Apache Software Foundation https://www.apache.org/foundation/how-it-works/
• https://understandingpatientdata.org.uk/ - public friendly messaging around health data

Breakout room: Public space

Notes

• Accreditations not always clear - not everyone knows what e.g. ISO is - lay summaries are important.
  • Managing the messaging of the very technical idea of SDEs to the public.
• “Federated?” - meaningless on its own, needs to be “unpicked”.
• Concerns around sufficient information for algorithms etc. to be trustworthy if people withdraw consent.
• What can we learn from the leading TREs - how do we use it as a blueprint? The UK has islands of TREs which don’t necessarily speak to each other.
• Getting a dataset off the ground has a direct positive impact on us and future generations - but some members of the public need to be won over with regards to problems and proposed solutions, standards, safeguards etc.
• Accreditation - what are we judging? Framework needs to be visible and presented to then give members of the public something to work from - what needs to be checked off? Can then see if there’s more of a need for internal or external assessment
• Most research uses pseudonymised data - patients must give explicit permission to be part of any research project using identifiable data.
• Issue of consent - need to speak to people who have chosen not to give their consent, but that’s tricky
• What are the baseline commonalities across TREs?
• Are there opportunities for the public to get involved in testing?
• Privacy and confidentiality always at the heart of concerns - there’s a lack of trust
• Need communication tools that explain the general concepts to be able to contribute
• Need to align with GDPR
• Need for other stakeholders like GPs to be included in awareness raising - what does it say that GPs are withdrawing their consent for data to be used - leads to more public mistrust
• Let people know more about the 5 Safes - build accreditation from there
• Having accreditation governed by a known and trusted body would be good
• Has there been a case where consent has been refused but someone’s data still been used in the UK?
• Understand that my data would be helpful for research, but questions remain:
  • What are the issues?
  • What are the problems?
  • What are the possible solutions, safeguards?
• Standardised accreditation for all TREs gives a stronger more consistent message about TREs, would give clarity and confidence
• Co-produced standards - should be simple and process not too expensive
• Would improve public confidence
• Transparency - standards should be available online and on each TRE site - what are the boxes that have been ticked?
• Who is responsible for cleaning up the data and who is responsible for its security?
• Clear rules, different for each step of the process - need to communicate that chain
• Not convinced data is secure - always hearing about breaches - shouldn’t pretend that doesn’t happen
• Currently there’s a sliding scale of security and mixed approaches - that’s what SATRE is trying to address