SAFE People

Under the SAFE People principle, individuals must be able to demonstrate their identity, affiliation, knowledge, skills and incentives to access data. It represents a bi-directional requirement on both researchers and data custodians to demonstrate that individuals handling data are 1) appropriately trained and have the relevant skills to handle potentially sensitive data; and 2) authorised to do so within the context of the other SAFEs.

Principles

| # | SAFE People: Only trained, authorised individuals can access the data | Role |
|---|---|---|
| 1 | Data Custodians must ensure individuals are appropriately trained in data governance and/or have the relevant skills and experience, and are supported to use the data effectively for the proposed purpose. TRE providers must be able to verify the researchers' status and experience in handling sensitive data | DC |
| 2 | Individuals and organisations party to undertaking the project must disclose all affiliations | RE |
| 3 | Individuals must disclose funding/sponsorship information, commercial interests and any conflicts of interest | RE |
| 4 | Individuals must disclose their history of safe data use | RE |
| 5 | All individuals have signed an agreement or legally binding undertaking which governs the access and use of the data | RE |
| 6 | All organisations acting as data controllers have disclosed their data security and protection process and are able to manage data breach risks effectively | SO |
| 7 | All individuals are authenticated and authorised to access the data | TA |

Requirements

| ID | Description | Requirement Type | Role |
|---|---|---|---|
| PEOPLE-01 | Individuals MUST be able to supply user identification information to the data custodian to verify identity | Functional | RE, TA, DC |
| PEOPLE-02 | Individuals or Organisations must be able to supply their Accredited / Approved / Bona fide researcher status or equivalent to the data custodian to verify their status | Functional | RE, TA*, DC |
| PEOPLE-03 | Individuals are afforded opportunities to undertake and renew their Information Governance Training in support of their Accreditation status | Non-Functional | RE, TA, DC |
| PEOPLE-04 | Organisations must be able to provide information on appropriate governance and administrative arrangements, security and privacy arrangements and technical skills and capabilities to protect, manage and use data | Functional | PO |
| PEOPLE-05 | Individuals must be able to use their existing identities from their affiliated organisations to authenticate using 2FA and use services from data custodians, which offers a level of organisation control of individual access to data | Functional | RE, TA |
| PEOPLE-06 | TRE providers must be able to apply authorisation policies to enable access to services and share authorisation decisions to enable system-wide intelligence of an individual's access rights | Functional | TA |
| PEOPLE-07 | TRE providers should maintain a record of all user access performed by Individuals for audit purposes | Non-Functional | TA |
| PEOPLE-08 | TRE Providers should be able to disbar users in breach of service, with an appeals process | Non-Functional | TA |

Interoperable Standards & Specifications

This section is a work in progress

A key requirement set out for SAFE People in our green paper was user accreditation. Our recommendation is to support the use of existing accreditation frameworks such as the Digital Economy Act 2017 Accredited Researchers (provided by the UK Statistical Service Authority) to enable Individuals to undertake appropriate training and obtain an accreditation status.

Further to obtaining an accreditation status, individuals need to be able to authenticate and obtain authorisation to access services provided by data custodians. Our recommendation is to use existing industry standards such as OpenID Connect (OIDC) and OAuth2 as a mechanism to transmit user identity information safely and securely, leveraging existing institutional Single Sign On and identity brokerage solutions such as UK Federation and NHS Identity.

We also suggest extending the existing OIDC and OAuth2 standards using the established GA4GH Passports and AAI standards REF, so that user identities can interoperate within a federated ecosystem of services and a user can be uniquely identified by each service participating within the ecosystem.
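The following Python is an added example, not code from the original page or from any project it names. It applies an access policy to OIDC ID-token claims and GA4GH Passport visa payloads, covering 2FA (PEOPLE-05), researcher status (PEOPLE-02), the signed agreement (principle 5) and an auditable decision record (PEOPLE-06, PEOPLE-07). It assumes token and visa signatures were already verified by a JWT library; the trusted source URL, the required visa set and all sample values are constructed.

```python
import time

# Assumed policy values, not from the page: sources this TRE trusts to assert visas.
TRUSTED_SOURCES = {"https://accreditation.example.org"}  # constructed
REQUIRED_VISAS = ("ResearcherStatus", "AcceptedTermsAndPolicies")

def usable_visa_types(visas, subject, now):
    """Visa types that are bound to the user, unexpired and from a trusted source."""
    usable = set()
    for visa in visas:
        claim = visa.get("ga4gh_visa_v1", {})
        if subject is None or visa.get("sub") != subject:
            continue                      # simplification: ignores LinkedIdentities visas
        if visa.get("exp", 0) <= now:
            continue                      # lapsed accreditation or agreement
        if claim.get("asserted", now + 1) > now:
            continue                      # missing or future assertion time
        if claim.get("source") in TRUSTED_SOURCES:
            usable.add(claim.get("type"))
    return usable

def authorise(id_claims, visas, now=None):
    """Return an auditable decision record for one access request."""
    now = int(time.time()) if now is None else now
    reasons = []
    if "mfa" not in id_claims.get("amr", []):   # OIDC 'amr' claim, RFC 8176 value
        reasons.append("login did not use multi-factor authentication")
    usable = usable_visa_types(visas, id_claims.get("sub"), now)
    for visa_type in REQUIRED_VISAS:
        if visa_type not in usable:
            reasons.append(f"no valid {visa_type} visa")
    return {"sub": id_claims.get("sub"), "time": now,
            "allow": not reasons, "reasons": reasons}

# Constructed sample payloads (signatures assumed already verified upstream).
NOW = 1_700_000_000

def _visa(vtype, exp, source="https://accreditation.example.org"):
    return {"iss": "https://broker.example.org", "sub": "researcher-1", "exp": exp,
            "ga4gh_visa_v1": {"type": vtype, "asserted": NOW - 86400, "by": "so",
                              "value": "https://example.org/constructed", "source": source}}

ID_CLAIMS = {"iss": "https://broker.example.org", "sub": "researcher-1", "amr": ["pwd", "mfa"]}
GOOD = [_visa("ResearcherStatus", NOW + 3600), _visa("AcceptedTermsAndPolicies", NOW + 3600)]
LAPSED = [_visa("ResearcherStatus", NOW - 1), _visa("AcceptedTermsAndPolicies", NOW + 3600)]

if __name__ == "__main__":
    print(authorise(ID_CLAIMS, GOOD, NOW))
    print(authorise(ID_CLAIMS, LAPSED, NOW))
```

The returned record is what a TRE provider would append to its access log, for denials as well as grants.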

Suggested Interoperable Standards

Modular Software & Services

This section is a work in progress

There are a number of open-source and managed identity management software services that are able to provide authentication and authorisation services. Open-source solutions include Keycloak, Gluu and Ory; managed platforms that provide these functionalities include Auth0, Okta, AWS Cognito, Stormpath, Azure AD and Google IAM.

Open-source implementations of the GA4GH Passports and AAI standards also exist to support their integration into existing authN/Z implementations.

Extensible Use Cases

This section is a work in progress

There are many more software and service solutions in this space, including home-grown software, so the intent is not to provide an extensive list but to provide pointers to existing solutions and alternatives that could be extended and modified for local integration.