Best Practice TRE DT Banner-1 Best Practices of TRE MB Banner

Top 10 Best Practices for Building a Trusted Research Environment

Download White Paper

Best Practise 1: Maintain ownership

Maintain total ownership of your data and TRE to maximise security and research outputs, while minimising cost

- To maintain total security over the data, it must be kept exclusively in the Data Custodian’s own TRE environment. This also reduces costs associated with data transfers and storage, setting the TRE on a sustainable path to fast-track research.


Best Practise 2: Federate to collaborate

Adopt a federated approach to open secure collaboration and commercialisation opportunities

Federation is the future of big data analytics. With a federated approach, Data Custodians retain full security over their datasets, as all data remains securely within the bounds and security firewalls of the TRE, and only analysis and computation are taken to external cohorts. Researchers gain access to larger, more diverse cohorts and organisations open opportunities for data collaboration and commercialisation.


Best Practise 3: Follow the Five Safes for secure data 

Implement the Five Safes to maximise security throughout the data lifecycle

The Five Safes framework lays out a set of principles to ensure safe access to sensitive data, recently applied to TRE management by the UK’s national health data institute, HDR UK. Implement these 5 pillars for secure data management - Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs.


Best Practise 4: Industry-standard security and compliance

Establish industry-level compliance standards and transparent security processes to maintain public trust

TREs must be compliant with industry-wide standards that go beyond GDPR and HIPAA, for example, ​​ISO 27001 and UK government-backed scheme, Cyber Essentials Plus. TREs need a systematic approach to managing and protecting health data, including regular external audits, meaningful Patient and Public Involvement and Engagement and transparency on security procedures to ensure the long-term success of population health initiatives.


Best Practise 5: Automate the transformation to research-ready data 

Automation of upstream pipelines and harmonisation processes can guarantee rapid and standardised production of research-ready data

TREs need automated systems within the platform (e.g. ETL pipelines and APIs) to manage the large-scale data flowing into the environment and efficiently convert it to standardised analysis-ready data. Effective harmonisation and standardisation using industry-recognised standards (e.g. HL7 FHIR and OMOP CDM) means data resources can be queried more quickly and efficiently.


Best Practise 6: FAIR data

Create standardised metadata and use FAIR principles to make data findable and reuseable

Aligning with industry standards like FAIR (Findable, Accessible, Interoperable, and Reusable) and HDR UK’s Data Utility Framework brings a number of benefits to Data Custodians - making data more findable and reusable, enabling integration with other datasets or public repositories and aiding efficient data interpretation.


Best Practise 7: Multi-layered security controls

Apply trusted data controls to maximise security at each layer of the platform 

Protecting data confidentiality and security within a TRE takes a multi-layered approach. Key controls that should be implemented within a TRE include: de-identification, encryption, Airlock, role-based access control, tiered access levels and workspace/dataset segregation.


Best Practise 8: Procure an all-in-one solution

Procure an all-in-one TRE solution for smooth operations and mitigation of delivery risk

Deploy an all-in-one solution, where billing, infrastructure and TRE are all centrally managed by your TRE provider. This simplifies configuration and operations, mitigating delivery risks.


Best Practise 9: Future-proof with an infrastructure-agnostic provider 

An infrastructure- and cloud-agnostic TRE provider protects against vendor lock-in and project continuity risks

Selecting a TRE provider that is infrastructure- and cloud-agnostic is essential to future-proof a TRE against vendor lock-in and project continuity risk. The cloud/HPC environment account should also be created in your organisation’s name to mitigate dependency on infrastructure providers.


Best Practise 10: An open ecosystem extends TRE functionality

Build an open ecosystem platform to seamlessly integrate with community innovations and extend platform functionality 

Whether open, closed or DIY, the type of platform heavily influences how open-source software is managed and used. An open platform offers end-users the ability to customise the TRE with additional functionalities by integrating third-party applications, tools and data via APIs. 

Closely evaluate computational and storage costs with each infrastructure provider considered. Any pricing evaluation must be accompanied by the full disclosure of the official underlying costs, as well as any relevant reseller, government or public sector discounts achieved. 


Read The Complete Guide to Trusted Research Environments in 2023

Questions on procuring or building a Trusted Research Environment? Contact us at

Start your journey to connected data