Trusted Research Environments (TREs) are highly secure and controlled computing environments that allow approved researchers from authorised organisations a safe way to access, store, and analyse sensitive data remotely.
Also known as “Data Safe Havens” or “Secure Data Environments,” trusted research environments are designed to protect the privacy and security of sensitive data, an area that is becoming increasingly important with the availability of biomedical and health-relevant data at scale. For example, since the Human Genome Project was completed in 2003, more powerful technologies and computational tools have been required to support the scale of data and acceleration of research to improve human health. A single whole genome requires 750MB of storage, requiring biobanks that house these data to quickly scale to housing petabytes in volume. Genomics England, a United Kingdom-based biobank and public sector research endeavour, houses over 135,000 whole genomes.
The available clinical-genomic data housed in biobanks like Genomics England is extremely valuable; coupled with linked patient Electronic Health Records (EHRs), these data hold the answers to the underlying causes of disease. However, the transformative potential of health data is far from being realised. To preserve patient privacy, including personal health information, genetic information, and other identifiable information, much of the world’s health data is stored within institutional siloed environments that are unavailable to researchers or are difficult to access. Agreements to enable data sharing between organisations are complex, and even where researchers are approved for access, it can typically take organisations six months or longer to make these approvals for data access.
Trusted research environments are one part of the solution. They are solving the problem of authorised data sharing by enabling research progress without sacrificing data security - ensuring data are handled in a secure and responsible manner. Below, we summarise how trusted research environments can support research progress, ultimately benefiting the lives of those suffering from disease.
Auditing and monitoring are also important elements of a trusted research environment. Auditing is the process of reviewing and analyzing data access logs to identify any unusual activity, such as attempts to access data without authorization. Monitoring refers to the ongoing monitoring of network traffic, user activity, and other data to detect any potential security incidents in real-time.
Above all, trusted research environments, by design, should protect the privacy of research participants. This includes ensuring that personal information is not shared or accessed without approval, and that data is not used for any purpose other than approved research. Additionally, trusted research environments must also protect the security of the data; data should be stored and transmitted securely so that it is only accessible by authorised researchers.
There are several critical components of a trusted research environments, one of the most important being access control, which refers to the processes and protocols implemented to ensure that only authorised individuals access sensitive patient data. These processes can include using secure login procedures, such as two-factor authentication, and implementing role-based access controls, which limits access to data based on an individual's role or responsibilities. Within the trusted research environment, all data stored should be encrypted, a process that converts data into a coded format that can only be accessed by those with the correct decryption key. These efforts help to protect data from unauthorised access, even if it is intercepted or stolen during transmission or storage.
Despite secure-login procedures, role-based access, and data encryption, there remains a concern regarding malicious or inappropriate use of patient-derived data among members of the public and privacy groups. Auditing and monitoring are critical trusted research environment features that can minimise these risks, as no action within the trusted research environment can be taken without being recorded. Routine auditing can review data access logs to identify any unusual activity, such as attempts to access data without authorisation. Ongoing network traffic, user activity, and other actions can further be monitored to detect any potential security incidents in real-time. Should an unauthorised incident or data breach occur, a trusted research environment should have robust incident response and disaster recovery plans in place. The incident response plans outline the steps that need to be taken to minimise the impact of the event and to restore the integrity of the data.
Public engagement and involvement in the storage, access, and use of patient data is becoming a best practice standard to ensure the risks of data misuse are minimised and to concentrate research studies where there is a demonstrable public benefit. There are countless examples demonstrating how patient and public involvement in decision-making on appropriate data use and access through trusted research environments are leading to improved research output.
Trusted research environments are increasingly recommended as a best practice solution to national and international health research challenges, as set out in recent national policy guidance. For example, the UK government commissioned an independent review by Prof Ben Goldacre in 2022 on the use of health data for research and analysis. This review focused on use of National Health Service (NHS) data in England with one recommendation to build a small number of secure analytics platforms - shared “Trusted Research Environments” - and make these the norm for all analysis of NHS patient records data by academics, NHS analysts, and innovators.
With the increasing adoption of trusted research environments worldwide, there are also emerging data governance standards that outline how trusted research environments should be operated. At a UK-national level, the UK Health Data Research Alliance, convened by Health Data Research UK (HDR UK), has adopted a set of principles to ensure data services, like trusted research environment providers, provide safe research access to data. These include the Five Safes Framework, originally established by the Office of National Statistics, and now broadly adopted across the international research community:
Safe Data - Confidentiality of data is maintained
Safe Projects - Data owners approve the research projects
Safe People - Researchers are trained to use the data safely
Safe Settings - A secure computing environment prevents unauthorised data access
Safe Outputs - All exported results are screened and approved
Below the national level, well-defined governance frameworks should lay out the roles and responsibilities of different stakeholders, including researchers, institutional review boards, and information security teams, to ensure that patient data is handled responsibly.
Between national, regional and institute-specific data governance standards, secure data sharing while adhering to these requirements can become increasingly complex. With its patented federated architecture, Lifebit’s trusted research environment is uniquely placed to adhere to the Five Safes and data governance standards. Lifebit’s trusted research environment is deployed across environments where data is held, which can then be connected to create a federated network for analysis by authorised users. This precludes the need for data replication or movement, increasing speed and security, and organisations retain data within their own environment.
In conclusion, trusted research environments are emerging as essential entities that can scale with increasing volumes of patient data and ensure its protection, all while enabling secure access for approved research. At Lifebit, we are proud to implement the best-practices described above in our work with valued clients including Genomics England, the Danish National Genome Centre, Boehringer Ingelheim, NIHR Cambridge Biomedical Research Centre, and others. Lifebit works proactively with clients to comply with sensitive data requirements, ensuring that organisations can meet and exceed industry standards amidst the changing regulatory and regional landscape - enabling valuable research at scale to improve the lives of patients.
