1. | TRE providers must implement services to hold data and manage data securely at rest with auditable access logs | TA |
2. | TRE providers must implement services to transfer data where required between established trust networks to facilitate consolidated analysis, subject to a DPIA assessment | TA, DE |
3. | TRE providers must provide services that enable secure and/or remote analysis of the data | TA, SI |
4. | TRE providers must provide a research environment with a set of approved tools/software that allow data to be analysed securely | TA |
5. | TRE providers must collect logs of access and activity, and publish their robust system for automated and/or manual review to capture inappropriate use. | TA, SO |
6. | TRE providers must implement harmonised processes and systems conformant to or in recognition of secure data processing standards, e.g. ISO 27001, ONS / UKSA Accredited Processor, IGToolkit/DSPT | SO |
7. | For transparency, security design and implementation should be independently audited, with reports reviewed by patient/public oversight groups and made public | SO |