Blogs & News
SATRE: Standardised Architecture for Trusted Research Environments – Information Governance
This is the second in a series of five blogs, assessing the Aridhia DRE, our enterprise TRE, against the SATRE specification. The first blog provided an overview of the SATRE specification, and discussed the importance of open specifications for Trusted Research Environments. This blog evaluates the DRE against the SATRE Information Governance Specification.
Information Governance in the Aridhia DRE
Overall Score 77/80
The Information Governance Section of SATRE is covers a wide range of organisational capabilities needed for the successful operation and maintenance of a trusted research environment, from compliance with recognised international standards, to the provision of comprehensive training material for all users.
We scored the Aridhia DRE at 77 from a possible 80, because:
- • The Aridhia DRE is certified against a number of recognised international standards (ISO27001, ISO27701 and HITRUST).
- • To maintain these certifications the Aridhia DRE is audited annually, and the results made available via our website.
- • We provide our customers with comprehensive training materials for all aspects of the DRE, and our project managers can organise bespoke training as required.
- • Aridhia has mature and robust risk management procedures in place.
- • All data access is controlled by data owners, through a fully configurable data access request process.
See below for more detail on how the DRE scores against each item in the SATRE Information Governance Specification.
(Note on scoring – where a field has been marked as NA, it is not counted as part of the total possible score for that section.)
SATRE 1.1 – Governance Requirements
Score 6/6
The Aridhia DRE is certified under a number of widely recognised standards, including ISO27001, ISO27701 and HITRUST. Our dedicated Information Security Team continually monitor our performance against these standards to ensure ongoing compliance.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.1.1 | You must gather and monitor the information governance requirements needed to fulfil any legal, regulatory and ethical standards. | Mandatory | 2 |
| 1.1.2 | You must ensure controls are implemented to ensure the requirements are met. | Mandatory | 2 |
| 1.1.3 | You must ensure there are adequate resources to meet information governance requirements. | Mandatory | 2 |
SATRE 1.2 – Quality Management
Score 20/22
As detailed in section 1.1, the Aridhia DRE is certified against a number of recognised standards. The TRE is audited each year to confirm its compliance with these standards and the results are published to our website. Our Information Security team regularly reviews the security and financial status of all our suppliers.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.2.1 | You must ensure that changes to policies and standard operating procedures can only be made by trusted individuals. | Mandatory | 2 |
| 1.2.2 | You must use versioning and a codified change procedure for all policies and standard operating procedures. | Mandatory | 2 |
| 1.2.3 | You should measure the performance of information governance within the TRE with regular reporting available to your TRE organisation’s management team. | Recommended | 2 |
| 1.2.4 | You must audit your TRE organisation against relevant requirements and standards. | Mandatory | 2 |
| 1.2.5 | You must report on and share outcomes of each audit of your TRE organisation with the required bodies. | Mandatory | 2 |
| 1.2.6 | You must ensure that suppliers, contractors and sub-contractors with access to your TRE align with your security requirements. | Mandatory | 2 |
| 1.2.7 | You must monitor compliance of your suppliers with the terms of the contracts. | Mandatory | 2 |
| 1.2.8 | You must track and maintain any physical assets used by your TRE. | Mandatory (where physical assets are in scope) | NA |
| 1.2.9 | You must log, track and resolve any issues resulting from deviations from processes, incidents and audit findings. | Mandatory | 2 |
| 1.2.10 | You must use reported issues to inform changes, such as for process improvement and risk management. | Mandatory | 2 |
| 1.2.11 | You should collect and maintain quality management data for measuring the effectiveness of a TRE. | Recommended | 1 |
| 1.2.12 | You could use a QMS (Quality Management System) to standardise and automate quality management tasks and workflows, and to generate quality data and reports automatically. | Optional | 1 |
SATRE 1.3 – Risk Management
Score 10/10
Arihia has a mature risk management process in place. A risk register is kept and reviewed at regular intervals: all risks have an assigned owner and are assessed for probability and impact. The Aridhia DRE has a DPIA which is reviewed annually, and we can provide assistance to customers with data processing issues where required.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.3.1 | You must have a way to score risk to understand the underlying severity. | Mandatory | 2 |
| 1.3.2 | You must carry out a data processing assessment for all projects requiring a TRE. | Mandatory | 2 |
| 1.3.3 | You must have a process for designing, implementing and recording risk mitigations where indicated by a risk assessment. | Mandatory | 2 |
| 1.3.4 | You must have a clear set of roles and responsibilities relating to risk including who owns risks and how they are escalated and delegated. | Mandatory | 2 |
| 1.3.5 | You must understand the risk appetite of your TRE organisation. | Mandatory | 2 |
SATRE 1.4 – Study Management
Score 12/12
Aridhia provides support to the users of its trusted research environment across the whole lifecycle of a project, from ensuring that data is managed in an ethical and legally compliant way, to managing the removal or deletion of data at the end of a project.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.4.1 | You must have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project. | Mandatory | 2 |
| 1.4.2 | You must have checks in place to ensure that any time limited compliance requirements are maintained. | Mandatory | 2 |
| 1.4.3 | You must have checks in place to ensure that changes in regulations are met for a project. | Mandatory | 2 |
| 1.4.4 | You must have standard processes in place for the end of a project, that follow all legal requirements and data security best practice. | Mandatory | 2 |
| 1.4.5 | You could implement a portal that can provide a workflow engine and database which automates the processes within this capability. | Optional | 2 |
| 1.4.6 | You must keep a complete record of all the data assets held within the system. | Mandatory | 2 |
| 1.4.7 | You should keep a complete record of all the research studies and projects within the TRE current and past. | Recommended | NA |
SATRE 1.5 – Member Accreditation
Score 12/12
All Aridhia staff are identified and accredited. The Aridhia DRE has a number of technical controls in place to ensure that all users are authenticated and identifiable, and each user has a unique logon. Access to all datasets is determined by the Data Owner.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.5.1 | You must have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data. | Mandatory | 2 |
| 1.5.2 | You must have clear onboarding processes in place for all roles within your TRE organisation. | Mandatory | 2 |
| 1.5.3 | You must have a set of services to manage access to resources based on identity. | Mandatory | 2 |
| 1.5.4 | You must not give anyone access to datasets without agreement from the Data Controller. | Mandatory | 2 |
| 1.5.5 | You must have robust and secure applications in place to authenticate users (and services) within the TRE. | Mandatory | 2 |
| 1.5.6 | You must give each user of the TRE a unique logon with changes to any records strictly controlled. | Mandatory | 2 |
SATRE 1.6 – Training Delivery and Management
Score 17/18
All users of the Aridhia DRE have access to our Knowledge Base and online learning platform. These are updated regularly and provide users with a comprehensive overview of the DRE and its capabilities. In addition, every customer has a dedicated project manager who can arrange bespoke training as required.
| Item | Statement | Importance | Score |
|---|---|---|---|
| 1.6.1 | You must ensure that changes to policies and standard operating procedures can only be made by trusted individuals. | Mandatory | 2 |
| 1.6.2 | You must use versioning and a codified change procedure for all policies and standard operating procedures. | Mandatory | 2 |
| 1.6.3 | You should measure the performance of information governance within the TRE with regular reporting available to your TRE organisation’s management team. | Mandatory | 2 |
| 1.6.4 | You must audit your TRE organisation against relevant requirements and standards. | Mandatory | 2 |
| 1.6.5 | You must report on and share outcomes of each audit of your TRE organisation with the required bodies. | Recommended | 2 |
| 1.6.6 | You must ensure that suppliers, contractors and sub-contractors with access to your TRE align with your security requirements. | Optional | 2 |
| 1.6.7 | You must monitor compliance of your suppliers with the terms of the contracts. | Optional | 2 |
| 1.6.8 | You must track and maintain any physical assets used by your TRE. | Optional(where physical assets are in scope) | 1 |
| 1.6.9 | You must log, track and resolve any issues resulting from deviations from processes, incidents and audit findings. | Optional | 2 |
Look out for the next blog in this series, where we will be looking at how the DRE measures up against the Computing Technology and Information Security specifications.