Considerations in establishing Trusted Research Environments
Author: Hadley E. Sheppard, PhD
In the last twenty years, there has been an explosion in the production of patient-derived biomedical data. This includes datasets derived from clinical-genomic, Electronic Health Records (EHRs), and real-world data (RWD) sources, which, when utilised together, can hold the answers to the underlying causes of disease. Unfortunately, the transformative potential of this health data has yet to be realised. To preserve patient privacy, much of the world’s health data is stored within institutional siloed environments that are unavailable to researchers or are difficult to access. To support research and innovation through the power of data, solutions are needed to enable data access and linkage while maintaining security.
Trusted Research Environments (TREs) are highly secure and controlled computing environments that solve this problem. Also known as “Data Safe Havens” or “Secure Data Environments”, TREs allow approved researchers from authorised organisations a safe way to access, store, and analyse sensitive data remotely. Here, we focus on how TREs are being utilised within the biobanking, research and health sectors of the United Kingdom as a means to achieve both data accessibility and security. We also highlight the guidance and regulation in establishing these critical data access and compute spaces.
Trusted research environments are being widely adopted across the UK
Across biobanking, government and health providers, TREs are being increasingly adopted as a means to achieve both data accessibility and security. The UK is a global leader in genomic research that has actively and significantly invested in health data science, and several TREs have been implemented across the country. This article highlights several use cases of TREs within the UK health research sector:
The UK government’s public sector research endeavour, Genomics England, currently hosts the data from over 135,000 NHS patients within a TRE for approved research use. The TRE is a cloud-based tool (powered by AWS and Lifebit) that approved researchers can use to access the clinical and genomic data from participants with cancer, rare disease, and COVID-19. With separate data access processes distinguishing the public from the private sector, researchers who want to access data must apply to become a member of either the Genomics England Clinical Interpretation Partnership (academics, students, and clinicians) or the Discovery Forum (industry partners).
Research enabled: Approved research use of Genomics England’s data has resulted in over 200 publications and 560 collaborative research projects. These research studies span a variety of topics, including COVID-19, rare disease, cancer genetics and more. With the recent implementation of Genomics England’s TRE, the collaborative potential for research using this data will continue to grow.
National Health Service England (NHS England)
Recently, NHS Digital, in partnership with Health Data Research UK, developed a TRE that provides academic researchers access to cardiovascular and cancer data for COVID-19 research. Published in the British Medical Journal, the partnership with national health data custodians provides linked, nationally collated electronic health records for approved research within secure, privacy-protecting environments.
Research enabled: By combining individual-level data across national healthcare settings, data on age, sex, and ethnicity are complete for around 95% of the population in England. This resource has already proven essential for accurate recording and research on cardiovascular disease and COVID-19, providing researchers across the UK with rapid access to data.
Moving forward, the NHS has committed to establishing a Federated Data Platform and a network of sub-national SDEs for NHS data sources across England - this will allow hospital trusts to safely link the secure environments that house NHS data for more efficient access, without having to physically move the data.
Honest Broker Service (Northern Ireland)
The Honest Broker Service is the TRE for health data within Northern Ireland. Here, a variety of health data sources including general medical, dental, maternity, cancer, COVID-19 and other data types can all be accessed by the Department of Health, approved Health and Social Care (HSC - Northern Ireland’s public health care system) affiliates, and approved researchers. The TRE provides access to linked, de-identified data for approved research projects. Users can also collaborate on projects and access a range of analytical tools to support their work.
Research enabled: Access to this rich health data source has led to numerous studies focused on the Northern Irish population covering a variety of areas, from mental health and dementia to maternity studies. In particular, a policy report on the routes to cancer diagnoses within Northern Ireland offers several recommendations to promote earlier cancer detection in order to help benefit patients.
Secure Anonymised Information Linkage (SAIL) Databank (Wales)
SAIL is a rich population databank, whose TRE provides global researchers secure remote access to datasets with anonymised health and social care data records for the population of Wales. In operation since 2007, the SAIL Databank operates on the UK Secure Research Platform, a private research cloud with customisable technology.
Research enabled: Research publications resulting from the databank are in the hundreds - a recent example, in the largest study of its kind, found that COVID-19 vaccines offer effective protection against infection for high-risk healthcare workers.
The Scottish National Safe Haven was established in 2013 by what is now Public Health Scotland. The Scottish National Safe Haven is the single point of entry for access to nationally held health data from NHS Scotland, and can be accessed on computers physically located in safe settings across the country. Numerous data types are available including hospitalisations, prescribing data, COVID-19 vaccinations, census and medical imaging data, all of which are listed on the HDR UK Innovation Gateway.
Research enabled: Access to this data directly powers the outputs of Public Health Scotland, with a wide range of research, guidance and statistical analyses available on cancer diagnoses, immunizations, and more. Further, this TRE has been linked to the Outbreak Data Analysis Platform to help power research efforts in the study of COVID-19. From this, hundreds of researchers have been able to securely access this data, resulting in 101 research publications.
Establishing TREs within the UK
When establishing a TRE within the UK, there are a number of key considerations to ensure that data is safely stored and utilised:
- Key Principles of TREs
With the increasing adoption of TREs across the UK, there are emerging data governance standards that outline how TREs should be operated. At a UK-national level, the UK Health Data Research Alliance, convened by HDR UK, has adopted a set of principles to ensure that data services, including TRE owners, provide safe research access to data. These are based upon the Five Safes Framework, initially established by the Office of National Statistics, and now broadly adopted across the international research community. Similarly, the NHS has also published a clear public guide to Secure Data Environments and their policy guidelines, which are also based on the Five Safes.
- The UK Data Protection Act and UK GDPR
The Data Protection Act (DPA) of 2018 is the UK equivalent and implementation of the General Data Protection Regulation (GDPR), each laying out how personal information must be used by organisations, businesses and the government. When establishing a TRE that will house health data within the UK, an organisation must comply with the DPA/GDPR. This will ensure that data is used fairly, in a way that is relevant and limited to what is necessary, with the appropriate security measures in place. Given the increasing use of genomic data in research, the PHG Foundation, a non-profit policy think tank based out of the University of Cambridge, has recently published a policy report about how genomic research in healthcare is impacted by the GDPR.
- Relevant certifications
When establishing a TRE within the UK, certain industry-recognised regulatory frameworks require certification. This means that a TRE owner may have to undergo an external audit to confirm compliance with the requirements. These certifications include the following:
- ISO 27001 is a world-recognised industry standard and represents the foundation of numerous countries' compliance programs for information security management systems, including TREs.
- Cyber Essentials Plus is a UK-specific certification that covers the basics of cybersecurity within an organisation’s corporate IT system, including rigorous vulnerability testing to ensure that an organisation is protected against hacking attacks.
- If the data within the TRE includes NHS patient data, the TRE must comply with the standards of the NHS Security and Protection Toolkit to provide assurance that the data will remain secure.
- TREs that house sensitive health data for approved research must ensure that the data is anonymised to maintain patient security. The UK Statistics Authority has developed an accreditation scheme for data processors to anonymise the patient data. Once the de-identified data is within the TRE, the accredited processor will also ensure that all data is safeguarded to minimise the risk of data subjects being re-identified. Should a TRE owner be unable to become an accredited data processor, they may work with an accredited external partner.
- Finally, if the TRE includes a cloud-based component, there are specific certifications, including ISO 27017/27018, and, if using NHS data, a cloud security good practice guide, to ensure best practices for cloud services.
In summary, working with TRE providers can significantly simplify the process of establishing a TRE, since providers already comply with national and regional data governance frameworks, including having the required certifications.
- TRE Accreditation
Within the UK, there is an increasing prevalence of accreditation schemes to audit and certify TREs - thus further defining a clear set of standards that align with national data protection laws and frameworks to regulate how TREs operate. Examples include the NHS Secure Data Environment and the Our Future Health TRE accreditation processes.
These rigorous processes will review TRE owners and providers to ensure TREs meet the necessary standards across information governance, cyber security, operational, privacy, and technical requirements. In the case of Our Future Health TRE Accreditation, this includes an audit and review of internal policies and documentation of the Data Custodian and TRE provider against over 200 specific requirements. With TRE accreditation granted by such organisations, TRE owners and providers can then host and utilise expanded data sources in a controlled manner - furthering the potential for research progress whilst minimising security risks.
TREs are emerging as essential entities across the UK that can scale with increasing volumes of patient data and ensure its protection, all while enabling secure access for approved research. While guidance exists highlighting their key principles, implementing accreditation frameworks and bodies that regulate the use of data will ultimately support a safer TRE ecosystem, help foster trust from the broader public, and ensure the best interests of the public and patients are protected.
Moving forward, if an organisation is endeavouring to establish a TRE for efficient and secure data access, they will need a well-defined security-by-design and governance framework in place to ensure compliance, in addition to wide-ranging technology capabilities.
Lifebit works proactively with clients, including Genomics England, the Danish National Genome Centre, Boehringer Ingelheim, NIHR Cambridge Biomedical Research Centre, and others to comply with sensitive data requirements. We ensure that organisations can meet and exceed industry standards amidst the changing regulatory and regional landscape - enabling valuable research at scale to improve patients’ lives.
To find out more:
- Read Lifebit’s whitepaper on best practices for building a Trusted Research Environment
- Read Lifebit’s whitepaper on security and data governance
- Read Lifebit’s whitepaper on data standardisation