--- tags: community-call UK-TRE description: UK-TRE Quarterly Meeting March 2025 Collaborative Notes --- :::info **Live notes on hackmd**: https://hackmd.io/@cassgvp/BJBakXx6yg :::spoiler **Expand for Contents** [TOC] ::: --- <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> # UK TRE Quarterly Meeting: March 2025 - Information Governance ## Attendees (Name / Primary affiliation / Pronouns / [Emoji for fun](https://github.com/ikatyang/emoji-cheat-sheet) :wink: ) - Pete Barnsley/ Francis Crick Institute - Cassandra Gould van Praag / Alan Turing Institute / she/her / :dancer: - Amy Tilbrook / DataLoch / she/her / :sheep: - Simon Li / HIC, University of Dundee / he/him / :penguin: - Will Crocombe / RISG Consulting - Andrea Rylands / University of Leeds / she/her / :tired_face: - Balint Stewart / DARE UK - Tim Machin / UCL - Jackie Caldwell / PHS - Cristina Magder / UK Data Service, UK Data Archive / she/her / :smiley_cat: - Georgina Quayle / Our Future Health / she/her :woman-swimming: - Kathy Harrison, DataLoch, Scottish Safe Haven Network - Michael Smith / Manchester University NHS F - Jenny Johnston, Health Informatics Centre, University of Dundee - Nicholas Owen / UCL - Jonathan Pilgrim / Freelancing (formerly NIHR BioR)/ he/him :hotdog: - Ashley-Anne Brown / CRUK/ she/her - Bethany Gilbert / Health Data Research UK / She / her - Hannah Woodward, UK LLC, University of Bristol - Andrew Burnham, University of Leicester - Juliet Underdown, University of Oxford - Debbie Potter, National Records of Scotland - Michael Sibley, Public Health Scotland - Anca Vlad, Cancer Research UK - Kate McBay, Research Data Scotland - Alan Stevenson, University of Glasgow - Susan Krueger, Health Informatics Centre, University of Dundee - Andrew Leedham, NIHR Bioresource, He/Him - Andy Harris / Our Future Health - Thomas King / QMUL - - - - - - - - - - - ## Notes - Pete introduce the vision and mission of UK TRE - Thanks to Balint (DARE UK) and David (Turing) for their support and co-ordination of UK-TRE - wish you all the best in your next endeavours! ### Working Group Quarterly Updates - Community Management Working Group (CMWG) - Annual conference in planning for September 2025 (Leeds, hybrid) - Working with the other 4 DARE UK interest groups to develope a stand-alone event - Preparing for the sunsetting of the Turing direct support - Documentation reivew (ongoing) and website migration (planned) - Newcastle Principles reivew preparing for publication - Skills events in the planning - Technical event on Federation in June - We can support delivery! Get in touch if you would like to discuss a leadership role in this conversation - All invited to join CMWG! - Funding and sustainabiltiy - Event 28th Jan - Talk about subnational SDE R&D programme and survey of difference between NHS and academia - Discussion moved to technical requirements for federation, but complication around funding of federated infrastructure - Call for more discussion => June event - Citizen Agency - Event 3rd December - well received! Lots of timly discssion on the mailing list about - This topic taking a back seat while more focus is put on Federation - SDE/TRE Definitions and Extending control - Glossary - Version 1 publicshed - Working on mechanisms to incorporate suggestions - Cybersecurity - no update as yet! - SATRE - Recently recieved DARE Communities Group funding and TREvolution - This will support the development of version 2 - Looking at long term guidance and accreditation - Collaboration cafe's will be announced shortly! - Q: There seem to be a lot of TRE groups about - be good to get some clarity on activity and priorities... - Lots of agreement on the chat - Cass: A stakeholder and community group map would solve this! - Will: Happy to write a list if people send me the details.... ### Icebreaker  ### Information Governance Interest Group - It's not the technology, but the governance of information which is the hardest thing to get people to approach in a consistent way - Some folks who have formal governance roles or interests got together and decided it was time to form an interst group around this! - Co-Chairs include representation from a member of the public -  - Wanted to have a space and regular forum/mechanism to address best/good practice from the community - Knowledge sharing and gathering - See where we can develop professionally within the TRE space, and also with other public/3rd sector professionals - IG was a breakout topic in the ==last in person meeting - check== - Everyone felt the existance of such a group would be beneficial to their practice - Researchers may feel that decisions are varied/contradictory in different organisations - Attempts to federate across orgs brings increased potential for different responses - Governance challenges come from: - Data silos - Limited resources (within and outside TREs), including IG FTE! - Lack of mechanisms for access of information - Poor data quality (lack of data dictionaries, etc., documentation) - Employee training - Regulators require us to work within frameworks, but the cascade of information is difficult - When a change is required, there is often not a formal change management process or effective communication of the change - There are many groups active, e.g. - Pan UK DG - Health research information goverenace group - But if you don't know how to find these groups, you can be inadvertantly silod - Key aims from these challenges: 1. Consolidate and distill information that particularly impacts TREs. Including translation into SOPs 2. Provide a space with curated initiatives and guidance. To improve clarity and drive efficiancy. Showcaseing best practice of our colleagues 3. Contribute to a wider programme of federated approaches. What does federation actually mean in the context of IG? - Deliverables - Making and maintaining a central list of groups and frameworks - Searchable and indexed! - Open Source, available for anyone to use! - Mechanism for operationalisation of new relevant policies to be crowsourced - Building consistency across orgs - Public engagement - Including specific pieces of work on individual topics - Initial things which the group would like to tackle - Code of practice and risk management framework - Building on AI/ML frameworks - Skills and competancy frameworks / career pathways for IG professionals, with subcriteria for TRE/SDE - Equivalence and harmonisation. e.g. to enable federated quiering and sharing - When funding is in place, we can legitimise and ring-fence activities - Need to apply for working group activities - Poll - what things would you be interested in? -  - Group plans -  - Thank you to folks who encouraged and supported the formation of this group! - First formal IG interest group meeting expected April/May - will be announced across UK TRE and IG mailing lists #### 5 Views - Five views of IG - do these reflect the views of our community? - These will be introduced, followed by a short break and discussion - View 1: IG is about maximalising public benefit from the use of confidential data resources, while managing risks to individuals - View 2: IG is about protection against risks - View 3: IG is about legal and ethical frameworks which govern information, security and access controls - View 4: IG is a balancing act beteween (excessive) legal requirements which might be perceived as a hinderance to operationalisation - View 5: IG is working with external data controllers to bring data into safe settings ##### Discussion - Plenary discussion (not breakouts) so everyone can listen to eachother! - These are familiar concepts and challenges - There is a lot of overlap - It's about balance - Protecting data (legal non-negotiables), but also use it! - Lack of helpful and transparent legal precident is a barrier - Some views easier to engage with than others (simpler language, more concise). Different takes on why IG important (an enabler? a requirement? a way of understanding/managing risks?) - do we have an issue with scale? Does that mean federation? what does federation mean? - consent v unconsented and necessary protections - Default open can feel slightly scary to IG Professionals - What are public expectations of IG - -Probably less risk averse than IG people - -The public have the illness that data could fix - until a data breach happens to create an extreme reaction the other way? - - lose the public trust and you (deserve to) lose access to the data -23andMe bankruptcy a good example of what happens when losing public trust - Doesn’t “IG” have vastly different context and priorities in consented vs un-consented data settings. Add in federation / merging of raw data downstream and you’ve got a right old muddle. - also about common risk understanding between organisations (how can we reach this?) - Legal barriers are important. From an IT/Tech AI/ML perspective, this is being pushed and folks want to get their hands on big data sets - seen as frustrating - managing expectations - facilitating research - If left unchecked people will do whatever they can get away with! -We talk about data but we must not forget that the data we're talking about comes from real people. The IG is meant to enable research but also to protect people and their data. - Emphasising what protections we can have against risk - IG should be an enabler rather than a barrier - Percieved as a hurdle to get over, rather than something to improve the quality of their work - Make sure researchers have a core knowledge - integration beteween IG professionals and researchers - each need to understand the others space - Responsibility for decision making should be collaborative, rather than falling on one person - Public understanding? - 23andMe + Cambridge Analytica events influence the changing views of the public - how are we integrating these into our practice? - As professionals we don't have a common language - How do we scale IG so it is explainable to the public, while also operating effectively across different organisations? - Responsibility should sit on everyone's shoulders - Cass: Incentive system makes researchers focus on just getting the data and getting it out quickly - What is *not* the responsiblity of IG professionals? Where does it end? - Ethics is out of scope? - Governance is about the "doing" - Ethics will drive law, but are we concerned with the ethics of identifiability? - Researchers have to manage their project and which ethics is required for their projects. Data management comes in as part of ethical approvals. We may not have input into ethical legitimacy of the research, but we also have to make sure they are only doing things which are in line with their ethics. - Depends on what kind of service you provide - If you are involved from the the pre-ethics conversations, this might influence how integrated you see ethics - Information Governance is like a puzzle, security, ethics, data protection, contracts, risk assessments, training and more... which all comes together to create the full picture for research to take place safely and securely. However that is a massive scope and as IG lead in a TRE I can't be an expert in all but I need to ensure all are done before allowing research to happen. - What is *not* the responsiblity of IG professionals? Where does it end? - Storage and processing IS IG? - In some roles, this is a responsibility - Security is IG - Decision of who gets access to the data, packages etc. need to be scanned from a security perspective - In our context, every step of a TRE is under information governance - Responsiblity lies in the governance of the configuraiton rules, but not the application - If everyhting is in scope then IG = doing research! - Some parts are the dominion of the thecnical depolyment platform - Control of what configuration is deployed is the IG component - Iterations of environments/configurations means it is not always defined upfront. You have to create capabiltiy which requires IG specialist knowledge and active contribution to the development of the TRE - zoom chat shows great endorsement of this - Funding is out of scope?! - Process is the same whether you can or can't afford it? - You might input into what funding is required - If we were collectively wishing to develope a self-consistent model, what is stopping us form getting there? - IG isn't strictly defined. It is continuously growing field, and the law is catching up/changing regularly. - Good IG encompasses 5 safes, but also broadening relevance (inputter) across all aspects of data sceince research - Need better integration and shared understanding between different professionals in the space - Could we make a harmonised model within a year? - Cass: solving these kinds of issues is possible, if appropriately resourced and incentivised -  - "I answered yes but I think it would require a defined scope of what we mean by IG and some of the pieces of the puzzle such as law, ethics etc we required but are outwith our control so should be out of scope for a framework" +4 - Code of practice / risk management framework - Quantifying risk and apportioning controls - 90% of IG is about working out if data is anonymous or not, and if it's not we need to interact with the law and it gets messy - How do we communicate around IG? - Literature? - Forums? - Dissemination of the framework is as important as the framework itself - Do we need to create or curate? Does the practice already exist? - Seems like we need to have a more collective discussion and build consensus. ### Federated Governance (Kathy Harrison) - DataLoch is one of the 5 safe havens in Scotland - Aim to agree a governnace approval so a single approval can be accepted across the whole space - Safe Haven network has a legacy of 5-15 years -  - Federated govenance project has focused on regional safe havens. Relationships built organically (based on trust) between Health Boards. - Associated processes look different, but all under the charter - Agree governance terms centrally that apply to all safe havesn, but each has scope to apply them locally - Not looking for standards, but *equivalence* - Implement a way of working, but not standards other than where they are absolutly necessary. - Progress would be hindered if tried to explicitly standardise -  - SATRE is used to determine equivalence - Contributed to the development of this specification - Did self assessment then peer assessment against that specification -  - Focused on mandatory standards - Where we had differences in how we worked, we ensured that those differences were not critical requirements to the equivalence - determined with Data Controllers in collaboration cafes - SATRE acted as a framework for having an informed conversation between actors, and raising awareness - Contribtued to building of trust relationships - Demystify how we worked - Engagement has been key to success - Enabled trust and co-creation - Collaboration Cafe's have been a good forum for open discussions - Explored public perceptions in parelle, so they could contibute to health board discussions - Challenging to find the right person to talk to in each org (responsibilites vary) -  #### Discussion - More on the detail of which SATRE aspects varied? - Specific approval processes, e.g. what panels are convened or application forms used - Are we asking the same questions or trying to get the same understanding, even if we are doing it in different ways. - Appriporiate ways of making a decision can vary - Reflects some of the historical work (e.g. all ISO 27001, so don't look too differnt in the technical standards) - Challenges are not technical, but political - Doing it in small steps makes it possible to move forwards - Trust relationships - how can they be built and damaged? - Create an oversite methodology. - All of the Health Baords want oversite and a route for retrospective learning - When decisions are made, they cvan be discussed across all controllers where they don't have the same risk appetite. Activities built on a history of decisions. - When in early stages of SDE, tips around implmentation of SATRE? - Having a spec to talk to worked well. Heat maps were engaging! - Disageement around what the langugge menas, which we've had to make our own assumptions about - Similar expderience at Crick - Might be in relation to data types? - Unknown expectations around compliance monitoring and the roel of SATRE in that - Don't want to be creating another acreditation steps for ourself. - Federated govenance is one aspect of "federation" - SATRE is a good building block for thinking about shared risk - Technical aspects of data sharing are not the problem, agreement is the problem! This requires the trusted relationships. There is a lot of trust between the safe havens and the health boards. - By deligating governace, we are deligating control which increases risk - We need to pin down the language so we can have effective conversations between actors. - testing for "equivalence" as a term/practice is useful in its pragmatism - The IG debate must not be seperated from the technical - Harmonisation of data at local levels is very hard. At a National level there is a greater pre-existing requirement for harmonisation, so there is already infrastructure - Other examples of shared decision making across data controllers? - Crick - setting up a project involving multiple nations - difficulty of soverignity - legal agreement embodies the expectations of the platforms and facilites. - How do we scale the equivalence testing and deligated descision making process? - Challenge to maintain the pace when we do it at a national level - Funding challenge, and provide proofs of concept e.g. feedback loops - Continue to communicate that scaling is the intention, with a route to deliver that - Keep the momentum! - Recognise that SATRE also need ongoing development - What is low risk for now? What are simnple/obvious things which we could start with (may be 500+ projects which would be easier to implment now) - BUT, it's taken 15y to get here. Decided 1y ago that we needed to get on with this. - Scaling also involves looking at opportunities for shared infrastructure, which is also financially approipriate cf. building in silos! - Information Governance as a service framework? - Not considdered this yet ### Close -  -  - Next Steps  - Feedback survey - Please take 2 minute to complete our feedback survey about this event! Let us know what has worked and what hasn't, so we can make these meetings the best use of your time! https://forms.gle/ueVTWz2miojf73Hq9 <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->