Certification of TREs and SDEs – What Comes Next?

We recently published a series of blogs looking at the Standardised Architecture for Trusted Research Environments (SATRE), a UK-based open specification for how Trusted Research Environments (TREs) should be built and operated. SATRE has four main categories: Information Governance, Computing Technology, Data Management, and Supporting Capabilities, with a set of recommendations for each. Each week we picked one of the categories and scored the Aridhia DRE against those specifications. You could call this marking your own homework, but we’d prefer to think about it in terms of openness and transparency, something that is fundamentally important given emerging use cases for TREs/SDEs.

In the UK, certification of Trusted Research Environments/Secure Data Environments has been discussed by various bodies, such as the NHS, for several years. It is recognised that a formal certification would help with the adoption of these environments, reassuring organisations (as well as funders, collaboration partners, and patients) that their TRE reaches an acceptable level of functionality and security, both in how it has been built and how it is being operated. However, as yet, there is no nationally accepted mechanism to approve a TRE/SDE for use in healthcare, academic, and other research settings, allowing a bit of a ‘Wild West’ scenario to develop where anyone can buy some cloud space and declare their TRE to the wider world (or their internal organisation).

Questions and use cases around the use and efficacy of AI, the extent to which clinical research is reproducible, and the role of regulation by MHRA (and other regulators) are increasing all the time (there is a worrying amount of fraud in medical research). So it seems essential that the data management and data science framework being used for these use cases is accredited openly and transparently.

Guidelines and Accreditations

Guidelines have been developed, such as the 5 Safes framework or the NHS Secure Data Environment Guidelines. Taking 5 Safes as an example, this framework allows us to consider the various risks that exist, which in turn allows us to think about mitigations. It does not, however, provide guidance on implementation or detailed specifications as to what you should actually do at a practical level; nor can it be assessed objectively for compliance. Similarly, what the NHS has published is at a policy level, not at a detailed implementation level.

SATRE is a welcome development because, for the first time, organisations can now benchmark their implementation against a detailed specification. While it has been developed in a UK context, we believe it can also be applied internationally. Completing SATRE is currently a self-assessment process without independent third-party validation (unlike standards such as ISO 27001).

The Future of TRE Certification

The open question, however, is what happens next. DARE UK, which funds the SATRE work, has a remit to design and deliver a national UK-wide data research infrastructure and establish the next generation of TREs. It is currently completing its “Design and Dialogue” Phase 1 of work, which has been running since July 2021. Phase 2 is “Build, Test and Establish” with a timeline that is to be confirmed. Is part of that phase to take the SATRE specification and develop it into a standard that can be applied UK-wide? If so, will organisations be certified by an independent assessor (as opposed to marking their own homework)?

Meanwhile the NHS has published a Data Access Policy update in October 2023 which states that, for SDEs, “by Spring 2025, we will have put in place a long-term model of accreditation.” How does this overlap with what DARE UK is doing? Meanwhile, the Our Future Health (OFH) initiative has established its own accreditation process, whereby TREs that want to host OFH data must first be assessed by an external party.

How all of this comes together is unclear. Hopefully the various bodies are working together to develop a common standard, although there may be different tiers depending on different use cases. In the meantime, we recommend that research institutions investing in a TRE/SDE use the SATRE specification combined with certifications relevant to their geography (ISO 27001, ISO 27701, Cyber Essentials Plus in the UK, or HITRUST in the US) as a baseline. This should allow organisations to be confident that they have an environment which is well on the road to being compliant against whatever standard emerges.

Certification and Delivery – not the same thing

The series of blogs we’ve published on SATRE is intended to highlight the compliance of the Aridhia DRE with the SATRE specifications and to add an industry voice to the need for independent accreditation of TREs/SDEs within the NHS. However, this is only part of the requirement. We need to translate research to routine clinical practice, to collaborate widely and share access to privileged data, and to allow innovation on data to flourish within the NHS. This requires continuous investment in both platform features and functionality and a service delivery (people) capability that allows some of the most demanding use cases for clinical research, trials and precision medicine to be delivered at scale. We’ll be following up on those themes in the coming weeks.