Best Practices for Building a Trusted Research Environment
From federated architecture to pipeline automation and transparent pricing, Data Custodians should consider leveraging these best practices to procure and build a secure and future-proof Trusted Research Environment.
Best Practise 1: Maintain ownership
Maintain total ownership of your data and TRE to maximise security and research outputs, while minimising cost
- To maintain total security over the data, it must be kept exclusively in the Data Custodian’s own TRE environment. This also reduces costs associated with data transfers and storage, setting the TRE on a sustainable path to fast-track research.
Best Practise 2: Federate to collaborate
Adopt a federated approach to open secure collaboration and commercialisation opportunities
Federation is the future of big data analytics. With a federated approach, Data Custodians retain full security over their datasets, as all data remains securely within the bounds and security firewalls of the TRE, and only analysis and computation are taken to external cohorts. Researchers gain access to larger, more diverse cohorts and organisations open opportunities for data collaboration and commercialisation.
Best Practise 3: Follow the Five Safes for secure data
Implement the Five Safes to maximise security throughout the data lifecycle
The Five Safes framework lays out a set of principles to ensure safe access to sensitive data, recently applied to TRE management by the UK’s national health data institute, HDR UK. Implement these 5 pillars for secure data management - Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs.
Best Practise 4: Industry-standard security and compliance
Establish industry-level compliance standards and transparent security processes to maintain public trust
TREs must be compliant with industry-wide standards that go beyond GDPR and HIPAA, for example, ISO 27001 and UK government-backed scheme, Cyber Essentials Plus. TREs need a systematic approach to managing and protecting health data, including regular external audits, meaningful Patient and Public Involvement and Engagement and transparency on security procedures to ensure the long-term success of population health initiatives.
Best Practise 5: Automate the transformation to research-ready data
Automation of upstream pipelines and harmonisation processes can guarantee rapid and standardised production of research-ready data
TREs need automated systems within the platform (e.g. ETL pipelines and APIs) to manage the large-scale data flowing into the environment and efficiently convert it to standardised analysis-ready data. Effective harmonisation and standardisation using industry-recognised standards (e.g. HL7 FHIR and OMOP CDM) means data resources can be queried more quickly and efficiently.
Best Practise 6: FAIR data
Create standardised metadata and use FAIR principles to make data findable and reuseable
Aligning with industry standards like FAIR (Findable, Accessible, Interoperable, and Reusable) and HDR UK’s Data Utility Framework brings a number of benefits to Data Custodians - making data more findable and reusable, enabling integration with other datasets or public repositories and aiding efficient data interpretation.
Best Practise 7: Multi-layered security controls
Apply trusted data controls to maximise security at each layer of the platform
Protecting data confidentiality and security within a TRE takes a multi-layered approach. Key controls that should be implemented within a TRE include: de-identification, encryption, Airlock, role-based access control, tiered access levels and workspace/dataset segregation.
Best Practise 8: Procure an all-in-one solution
Procure an all-in-one TRE solution for smooth operations and mitigation of delivery risk
Deploy an all-in-one solution, where billing, infrastructure and TRE are all centrally managed by your TRE provider. This simplifies configuration and operations, mitigating delivery risks.
Best Practise 9: Future-proof with an infrastructure-agnostic provider
An infrastructure- and cloud-agnostic TRE provider protects against vendor lock-in and project continuity risks
Selecting a TRE provider that is infrastructure- and cloud-agnostic is essential to future-proof a TRE against vendor lock-in and project continuity risk. The cloud/HPC environment account should also be created in your organisation’s name to mitigate dependency on infrastructure providers.
Best Practise 10: An open ecosystem extends TRE functionality
Build an open ecosystem platform to seamlessly integrate with community innovations and extend platform functionality
Whether open, closed or DIY, the type of platform heavily influences how open-source software is managed and used. An open platform offers end-users the ability to customise the TRE with additional functionalities by integrating third-party applications, tools and data via APIs.
Best Practise 11: Sustainable infrastructure has transparent pricing
Select infrastructure providers with transparent pricing models to ensure platform sustainability as requirements and users grow.
Closely evaluate computational and storage costs with each infrastructure provider considered. Any pricing evaluation must be accompanied by the full disclosure of the official underlying costs, as well as any relevant reseller, government or public sector discounts achieved.
Questions on procuring or building a Trusted Research Environment? Contact us at email@example.com