Breakout: TRE standardisation & accreditation

Prompts

  • Is there a feasible minimum standard that can be achieved agnostic to the research/data domain?

  • Who should be responsible for developing, maintaining, & accrediting such a standard? Who needs to provide input to this standard?

Notes

There are already standardisation efforts in health, but NERC is looking to set up a TRE for open environmental data.

Lots of commonalities across TREs. Turing has mostly been handling non-health data (e.g. finance, government); having a framework for categorising data was very helpful.

  • Common core requirements across all projects/TREs such as standardised logins, ingress/egress systems

  • These are currently in people’s heads, not yet written down

Two main aspects:

  • Communication to potential researchers (what do tiers mean, what should they expect, what applications are required)

  • Maintenance of the standard, e.g. a Docker/docker-compose definition that runs on laptops but can also be deployed to the cloud

Who’s responsible for maintaining the standard over time, and who checks you’re still compliant?

  • A community standards body, modelled on standards bodies such as IEEE working groups or the IETF RFC process, or on industry bodies like the CNCF

  • Validation is more difficult; it is not as simple as an automated test suite

  • For NHS data, the NHS probably wants to be the final arbiter

  • Can the DARE working groups (or RSE TRE WGs) take ownership?

Maybe rather than a standard, what we need is a minimum set of features that define what it is to be a TRE (of a certain tier).

Turing deliberately spent a lot of effort on defining data tiers because it potentially couldn’t rely on the Five Safes as much as other TREs, so technical controls were more important.

  • Reproducible deployment and tear-down were built in from the beginning; each project gets a disposable environment

What can we do so that a TRE operator using a standard TRE codebase or architecture can shortcut the accreditation process, instead of having the full tech stack audited from scratch?

  • DEA (Digital Economy Act) accreditation? A pathway for accrediting a processing environment

  • Arguably there is too much focus on infrastructure as code; governance also needs attention