Collab Cafe Write Up: Information Governance #30

Open
4 of 6 tasks
arronlacey opened this issue Jun 22, 2023 · 1 comment
Labels: WP5 (Work package 5 work)

Comments


arronlacey commented Jun 22, 2023

Summary of issue

Write up a blog post to be posted on the SATRE Medium Page that summarises ideas and GH Issues that came from the Collab Cafe on 6th June.

What needs to be done?

Who can help?

Issue checklist

  • I have assigned the appropriate work package label to this issue, and added any other relevant labels
  • I have added this to the SATRE backlog (public) project board
  • I have assigned this issue to at least one person on the SATRE team
@arronlacey arronlacey added the WP5 Work package 5 work label Jun 22, 2023
arronlacey (Author) commented:

First attempt at this. Source HackMD here.

SATRE Collaboration Café 6th June: Information Governance of Trusted Research Environments

On Tuesday 6th June the SATRE Project held its second Collaboration Café. Over 40 attendees from across the UK TRE Community contributed to an Information Governance theme. The discussions helped generate Chapter 1 of the SATRE Specification.

Information Governance

Information Governance (IG) has been identified as one of the 3 SATRE Capability Pillars. The Collaboration Café invited the SATRE Community to come together and discuss the key areas in which recommendations towards IG standards should be made in the SATRE Specification.

Information Governance is one of the 3 SATRE Capability Pillars

Topics Discussed

Participants were asked to propose areas of interest and discuss them in breakout rooms. Here's a summary of the main points:

Compliance, monitoring and reporting

TRE organisations must be able to monitor compliance with internal and external laws and standards. The discussion concluded that it is mandatory for organisations to put in place processes to demonstrate compliance with accredited standards such as ISO 27001, the NHS Data Security and Protection Toolkit (DSPT) or Cyber Essentials (CE+). Additionally, organisations should share their compliance reports with the regulatory bodies that manage the accreditations.

Policy regulation and management

The discussion stressed the need for a common understanding of information governance. Topics such as change management, policy/procedural reviews, and organisational structure play a crucial role. The discussion also suggested mapping the information governance parts to an organisational model to track responsibilities and tasks.

Risk management

The focus is on managing risks within a TRE. It was suggested that a risk-based approach be adopted, which involves asset grouping, threat identification, vulnerability assessment, and understanding the impact of a potential breach. Automation and guidance on risk management were also recommended.

Project management

Key considerations here include defining project team roles and handling the entire data lifecycle, which encompasses aspects like data source, consent, ethics approval, and data sharing agreements. The idea of separating technical and policy aspects was discussed but considered risky, emphasizing that technical controls form the basis for compliance with standards/regulations.

Member accreditation

It was agreed that there need to be checks and criteria for identity and verification on anyone accessing the TRE, including affiliation verification, role-based training, and offboarding procedures. It was also emphasized that a clear chain of responsibility is essential to maintain accountability.

Training and competency

Regular, role-specific training was discussed, and it was suggested that it doesn't always need to be annual, particularly if the training burdens are high. Alternative methods for demonstrating competency, such as tests or assessments of skills/knowledge were proposed.

Policy regulation and management

This should involve processes and policies responsive to requirements. A risk-based approach to access, data classification, and a process to assess legal and regulatory implications of handling data throughout its lifecycle were recommended.

Summary

The Collaboration Café on Information Governance allowed for many interesting discussions from SATRE members who think about and implement Information Governance in their roles. The discussions held were used to directly contribute to the SATRE Specification Document. The SATRE Community members created GitHub Issues and Pull Requests to collaboratively update the document. You can find the Information Governance section created from this Collaboration Café here. For more information about SATRE Collaboration Cafés and how they are run, please see our blog post.

The SATRE project is extremely grateful for ongoing support and input from community members to collaboratively build the SATRE Specification.
