Interoperable Standards & Specifications

SAFE People

This section is a work in progress

Please suggest edits and modifications to this section by clicking on the edit link

A key requirement set out for SAFE People in our green paper was user accreditation. Our recommendation is to support the use of existing accreditation frameworks, such as the Digital Economy Act 2017 Accredited Researchers (provided by the UK Statistical Service Authority), to enable individuals to undertake appropriate training and obtain an accreditation status.

Beyond obtaining an accreditation status, individuals need to be able to authenticate and obtain authorisation to access services provided by data custodians. Our recommendation is to use existing industry standards such as OpenID Connect (OIDC) and OAuth2 to transmit user identity information safely and securely, leveraging existing institutional single sign-on and identity brokerage solutions such as UK Federation and NHS Identity.

We also suggest extending the existing OIDC and OAuth2 standards with the established GA4GH Passports and AAI standards REF, so that user identities interoperate within a federated ecosystem of services and a user can be uniquely identified by each service participating in the ecosystem.

Suggested Interoperable Standards

SAFE Project

This section is a work in progress

Most data custodians provide some form of Data Access Request process, and these vary from offline Word/PDF forms to fully online access request processes. HDR UK has attempted to streamline the data access request process by collating the questions asked by Alliance members into a consolidated Data Access Request Form, as a standard Five SAFE approach that allows individuals to submit access requests. Our recommendation for new data custodians is to use the HDR UK designed Five SAFE Form as the baseline to extend and modify for their use. HDR UK will publish the Five SAFE form as a standard to allow reuse and interoperability between the Gateway and data custodians for processing.

There is currently no single streamlined data access request management API that allows individuals to submit an access request to one or more data custodians, because these APIs are implemented by each data custodian themselves. HDR UK will aim to help consolidate these APIs into a single streamlined Data Access Request API to allow interoperability between systems.

A number of vendor-neutral standards exist for specifying software applications, research code and other research project requirements. Our recommendation for TRE providers is to support the Helm specification for containerised applications and Terraform specifications for more complex deployments. Non-containerised applications should be specified using the Data Access Request form or separately before access is provided. HDR UK will be looking to help coordinate the specification of complex workflow and task execution-oriented specifications, such as the GA4GH WES/TES standards, that will allow TRE providers to offer orchestrator-neutral remote execution functionality.

SAFE Data

This section is a work in progress

SAFE Setting

This section is a work in progress

As far as we are aware, there is no comprehensive standard that encapsulates the entire stack of services required to build, run and maintain an entire Trusted Research Environment setting. There are individual de facto industry standards and best practices around identity management, data management, analytics management, access management and outputs management. It would be an enormous undertaking to develop a standard for each of these services, so HDR UK proposes to develop a reference architecture and implementation that allows TRE vendors to implement services that closely align with the reference architecture or to extend the reference implementation.

Consultation Question:

As there is a lack of standardisation of processes and implementation of Trusted Research Environment settings, do you want HDR UK to develop a consolidated standard that provides a reference architecture for a TRE and the set of configurable capabilities as a reference implementation?

SAFE Outputs

This section is a work in progress

Currently there are no established standards for statistical disclosure control policies and output checking processes across TRE providers. There are two main approaches to assessing disclosure risk for output data from a TRE: rules-based and principles-based.

Rules-based approaches have many implementations, as detailed below, and use simple deterministic heuristics (thresholding, rounding, etc.) to accept or reject outputs. Some approaches go as far as detecting personally identifiable information and obfuscating or rejecting records. Rules-based approaches tend to be conservative, relying on brute force to prevent disclosure rather than considering the utility of the output.
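A rules-based check of the kind described above, applied to a frequency table. This is an added example, not code from HDR UK or any TRE provider; the threshold of 10, the rounding base of 5, the function names and the sample table are assumptions made for the illustration. It also covers the differencing case, where a suppressed small cell can be recovered by subtraction from released marginal totals.

```python
"""Rules-based output check for a frequency table (added illustration)."""
from math import floor

MIN_CELL = 10   # assumed threshold; each TRE sets its own value
ROUND_BASE = 5  # assumed rounding base

def round_to_base(n, base=ROUND_BASE):
    # Nearest multiple of base, halves rounded up.
    return base * floor(n / base + 0.5)

def suppress_small(table, min_cell=MIN_CELL):
    # Replace counts in 1..min_cell-1 with None. Zeros are kept here;
    # some policies treat zeros as disclosive too.
    return {r: {c: (None if 0 < n < min_cell else n) for c, n in cols.items()}
            for r, cols in table.items()}

def recoverable_cells(suppressed):
    # A suppressed cell that is the only gap in its row or column can be
    # recovered by subtraction when marginal totals are also released.
    rows = list(suppressed)
    cols = list(next(iter(suppressed.values())))
    hits = set()
    for r in rows:
        gaps = [c for c in cols if suppressed[r][c] is None]
        if len(gaps) == 1:
            hits.add((r, gaps[0]))
    for c in cols:
        gaps = [r for r in rows if suppressed[r][c] is None]
        if len(gaps) == 1:
            hits.add((gaps[0], c))
    return sorted(hits)

def check_output(table, totals_released=True):
    """Return ('reject', recoverable cells) or ('accept', safe table)."""
    suppressed = suppress_small(table)
    risky = recoverable_cells(suppressed) if totals_released else []
    if risky:
        return "reject", risky
    safe = {r: {c: (None if n is None else round_to_base(n))
                for c, n in cols.items()}
            for r, cols in suppressed.items()}
    return "accept", safe

# Constructed sample: counts by age band and diagnosis group.
SAMPLE = {
    "18-39": {"A": 120, "B": 3},
    "40-64": {"A": 87, "B": 42},
}
```

With totals released the sample is rejected because the single suppressed cell is recoverable; with totals withheld it is accepted with the small cell blanked and the remaining counts rounded.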

The Statistical Disclosure Control Handbook REF outlines some of the principles-based output checking approaches undertaken by many TRE providers and data custodians. Principles-based output checking uses contextual information about the dataset and project to balance the disclosure risk and the utility of the output data. This is a very flexible approach and, as such, is typically undertaken manually and hence takes longer.

The two approaches are not mutually exclusive, and a hybrid approach is typically what TRE Airlock managers use.