Present
Committee Members
Advisors
In Attendance
UK Statistics Authority
Apologies
1. Minutes and Matters Arising from Previous Meetings
- The Chair welcomed the members to the thirtieth meeting of the Research Accreditation Panel (RAP).
- Members approved the minutes of the meeting held on 15 June 2023.
- Tricia Dodd, Ann Berrington, Alexander Singleton, Martin Bowyer and Michael Chapman gave their apologies.
- Natasha Kong updated the meeting with progress on actions from previous meetings. All actions were complete or otherwise in progress.
Update to DEA Security Control 04
- Keith Nicholson presented the Panel with a proposal to update the wording of Security Control 04, which is “Provide a guarantee that all processing is performed within the UK and evidence that this is the case.” This processing would include the processing of statistical data and service users’ personal data.
- The proposal amends the wording of Security Control 04 to “Confirm and evidence that all processing is performed subject to relevant UK legislation.” in the interim. A further review of all security controls will be presented in December 2023 RAP meeting.
- The Panel supported the proposed changes to Security Control 04 and welcomed the further review of the rest of the Security Controls in a future RAP meeting. The following points were raised in the discussion:
- Suggested that the distinction between statistical data and service users’ personal data may not be as clear cut and that the Panel would need further discussion surrounding this topic. However, the Panel recognised the different levels of risk between the two types of data and that service users effectively agree that their information is shared when applying.
- The Panel confirmed that statistical data held in the cloud will only be held on UK servers.
Action: The Security team to present further revisions to security controls in the December 2023 RAP meeting.
2. DEA Processor Accreditation: Integrated Data Service (IDS)
- Colin Farrell (DEA Processor Accreditation Security Assessor) and Edward Bextor (DEA Processor Accreditation Capability Assessor) presented the Panel with an overview of the accreditation report for the IDS. The accreditation report provides a summary of the assessors’ findings and recommendations regarding the IDS’s compliance against the DEA processor accreditation framework, which was agreed by the RAP and reflects the DEA Research Code of Practice and Accreditation Criteria.
- Alison Pritchard (Deputy National Statistician and Director General for Data Capability), Jason Yaxley (Programme Director of the IDS) and Simon Sandford-Taylor (Chief Digital Information Officer) represented the IDS and responded to any questions RAP members had about the IDS.
- At the June 2023 RAP meeting, the Panel requested the IDS to revisit their accreditation at the September 2023 RAP meeting to demonstrate how it can best make improvements across the controls detailed in the June accreditation report and to resolve security and capability issues identified.
- After reviewing new submissions of evidence from the IDS, the assessors recommended that the IDS be accredited for the provision of data:
- For security, the overall opinion is that the IDS is operating fourteen (14) controls areas as Capable, and five (5) control areas as Mature which is summarised as a Capable level of maturity.
- For capability, the overall maturity opinion for IDS is Capable. The IDS is operating one (1) control area (People Capability) as Maturing and four (4) control areas (Research Governance, Data Governance, Service Provision and Processor Accreditation obligations) as Capable.
- The Panel was supportive of the findings and recommendation provided in the report. These following points were raised by the RAP:
- Commented that the Panel was pleased that the IDS have made improvements suggested in the June 2023 RAP meeting and that this was an example of how the DEA accreditation processor review process promotes organisational maturity and drives up standards.
- Requested confirmation that IDS have accepted the improvement actions outlined in the accreditation report and have built them into their future work programme.
- Commented that the Panel should give further thought to how cloud services can be reflected in DEA accreditation. Keith Nicholson, Security Advisor, also commented that ONS’s Security and Information Management will reflect on this issue and come back to a future RAP meeting with some thoughts.
- The Panel agreed to accredit IDS for the provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report.
Action: The Secretariat to write to IDS to inform them of their accreditation under the Digital Economy Act 2017.
Action: The Panel to give further thought to how cloud services can be reflected in DEA accreditation.
Action: ONS’s Security and Information Management to reflect on how cloud services can be reflected in DEA accreditation and report back in a future RAP meeting with their reflections.
3. Integrated Data Service (IDS): Engagement with Data-Owning Government Departments
- Julian McCrae (Head of Strategy, IDS) and Roland Potts (Head of Data Growth and Operations, IDS) presented this item.
- This item provided the RAP with a summary of IDS’s engagement with data owners and users over the last 6 months, results from the engagement and future plans for engagement. The engagement conducted over the last 6 months include:
- Engagement with senior stakeholders such as Chief Data Officers (CDOs), Chief Technology Officers (CTOs) across government departments.
- Presentations about the IDS to Ministry of Justice, HM Revenue and Customs, Home Office, Department for Education, Department for Levelling Up, Housing and Communities, Department for Work and Pensions and Central Digital and Data Office.
- Engagement with analysts from Wales and Scotland.
- Investigating interoperability with NISRA and Scotland regarding the Reference Data Management Framework (RDMF), which underpins IDS’ approach to data linkage.
- Seeking endorsement from cross-government Digital, Data and Technology (DDaT) boards for IDS’ architectural design.
- Engagement with government analyst and SRS (Secure Research Service) users.
- The Panel emphasised the importance of these engagement efforts as the Digital Economy Act is permissive legislation, and the IDS needs to maintain the confidence of data owners for the IDS to be successful. The Panel was supportive of these engagement efforts and raised the following points in the discussion:
- Requested clarification on whether there was engagement with data owners who held health data. It was clarified that there are currently conversations ongoing with the NHS.
- Emphasised the importance of the IDS working with the devolved administrations to investigate options around interoperability with the Reference Data Management Framework (RDMF).
- Advised that ADR UK flagship datasets would be the hardest to transition into the IDS as these are datasets with multiple data owners which need to be engaged with. The Panel requested information on which ADR UK flagship datasets would be prioritised and a timetable on engagement with the data owners of these datasets.
- Requested updates on engagement efforts with data owners and the analytical community, and the planned engagement with the public about the IDS.
Action: The IDS to provide information on which ADR UK flagship datasets would be prioritised and a timetable on engagement with the data owners for these datasets.
Action: The IDS to present updates on engagement efforts with data owners and the analytical community, and the planned engagement with the public about the IDS at a future RAP meeting.
4. DEA Processor Accreditation Annual Reviews
SAIL (Secure Anonymised Information Linkage) Databank Annual Review
- Colin Farrell (DEA Processor Accreditation Security Assessor, ONS) and Edward Bextor (DEA Processor Accreditation Capability Assessor, UKSA) presented the Panel with an overview of SAIL’s accreditation review report. The accreditation review reports provide a summary of the assessors’ findings and recommendations regarding SAIL’s compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
- Professor Paul Boyle and Stephanie Howarth declared their interest arising from their role as Vice-Chancellor of Swansea University and Chief Statistician at the Welsh Government respectively.
- Overall, the maturity opinion for SAIL is Capable.
- For security, SAIL is operating twelve (12) controls at a Mature level, and three (3) controls at a Capable level.
- For capability, SAIL is operating Processor Accreditation Obligations (1) control area as Capable, Research Governance and Data Governance (2) control area as Maturing, which is summarised as a Capable level of maturity.
- The assessors recommended that the Panel should allow the continuation of SAIL’s accreditation under the DEA.
- The Panel was supportive of the findings and recommendations provided in the report.
- The Panel agreed to continue SAIL’s accreditation for the preparation and provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. This accreditation is set to expire on 31 January 2025.
Action: The Secretariat to write to SAIL to confirm the continuation of accreditation under the Digital Economy Act 2017, following the successful completion of this annual review.
Digital Health and Care Wales (DHCW) Annual Review
- Colin Farrell (DEA Processor Accreditation Security Assessor, ONS) and Edward Bextor (DEA Processor Accreditation Capability Assessor, UKSA) presented the Panel with an overview of DHCW’s accreditation review report. The accreditation review reports provide a summary of the assessors’ findings and recommendations regarding DHCW’s compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
- Overall, the maturity opinion for DHCW is Capable.
- For security, DHCW is operating four (4) controls at a Mature level, and thirteen (13) controls at a Capable level.
- For capability, DHCW is operating Data Governance and Processor Accreditation Obligations (2) control areas as Capable, which is summarised as a Capable level of maturity.
- The assessors recommended that the Panel should allow the continuation of DHCW’s accreditation under the DEA.
- The Panel was supportive of the findings and recommendations provided in the report. The following comments were raised in the discussion:
- Noted that while the DEA-accreditation framework is applied consistently to all processors, there may be some variation in practice when processors apply the framework. The Panel advised that the Secretariat should investigate this further to understand the variation in practice and come to a common set of expectations.
- The Panel agreed to continue DHCW’s accreditation for the preparation of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. This accreditation is set to expire on 31 February 2027.
Action: The Secretariat to write to DHCW to confirm the continuation of accreditation under the Digital Economy Act 2017, following the successful completion of this annual review.
Action: The Secretariat to liaise with DEA-accredited processors to understand the extent of variation in practice when applying the DEA accreditation framework.
5. Research Project Accreditation Services Metrics
- Lewis Hopcroft (UKSA) presented the Panel with the Research Project Accreditation Services Metrics. This presentation was a follow up from an action in the June 2022 RAP meeting, where the Secretariat was asked to review the reports on accreditation activities provided to the RAP for information purposes to ensure that these reports are providing the RAP with the required information.
- The presentation provided the Panel with key metrics regarding the research accreditation service, including:
- Number of projects received between January-June 2022 and January-June 2023
- Breakdown of projects that are accredited via the Project Accreditation Tool and projects that are sent to RAP
- Metrics regarding accreditation outcomes and average turnaround times for 2023
- The Panel welcomed this work and noted that it showed good improvements in the RAP’s efficiency.
- The panel suggested that future metrics reports should include a yearly comparison of average turnaround times.
- The Panel noted these metrics do not depict the overall data access journey. The Panel recommended that it would be useful to obtain further metrics from DEA-accredited processors on the end-to-end data access journey, which will be helpful in identifying bottlenecks within the broader data access process.
- The Panel advised that it would be important to establish clear definitions of the start and end of each stage of the data access journey when establishing the full picture of the end-to-end data access journey.
Action: The Secretariat to include a yearly comparison of average turnaround times in future metrics of the research accreditation service.
Action: The Secretariat to engage with DEA accredited Trusted Research Environments to obtain necessary metrics on the end-to-end process of the researchers’ data access journey.
6. Update on DARE UK’s work on a coordinated national infrastructure for sensitive data research
- Fergus McDonald and Hans-Erik Aronson presented this item.
- DARE-UK (Data and Analytics Research Environments UK) is a programme funded by UK Research and Innovation (UKRI) to design and deliver a more coordinated national data research infrastructure for the UK.
- The presentation is a follow up on a previous action from the September 2022 RAP meeting, which is to update the Panel on DARE UK’s future work that will impact the DEA research strand and the work of the RAP. This presentation included:
- An update on DARE UK’s work to deliver a coordinated national infrastructure for sensitive data research.
- An Executive Summary of the ‘interim’ version of the blueprint for a federated architecture for sensitive data research.
- The Committee welcomed the informative presentation and were supportive of DARE UK’s work. The following comments were raised in the discussion that followed:
- Emphasised the importance of embedding the public good in the governance of the federated architecture for sensitive data research.
- Commented that it would be useful for the Panel to have more time to reflect and discuss DARE UK’s work and its relationship with the DEA and RAP, and for the Secretariat to facilitate this discussion.
- Requested to be kept updated with DARE’s progress on delivering a more coordinated national data research infrastructure for the UK.
Action: The Secretariat to follow up with DARE UK and facilitate a discussion on how the RAP can feed into DARE UK’s work.
Action: DARE UK to update the Panel on DARE UK’s future work on delivering a coordinated national infrastructure for sensitive data research and on any of their work that will impact the DEA research strand and the work of the RAP.
7. Any other business
- The Chair noted the ‘for information’ reports provided and welcomed any comments. This included:
- The usual report of accreditation processes undertaken by the UKSA and overseen by the Panel in the interim period between meetings.
- The Panel were content with the ‘for information’ reports with no further points raised.
- The Chair suggested that it would be useful to hold a workshop for members to discuss strategic questions raised in this meeting that the Panel has identified as particularly pertinent. This could include:
- The impact of cloud services on DEA accreditation.
- The distinction between statistical data and service users’ personal data in relation to DEA-accreditation.
- How the Research Accreditation Panel can work with Trusted Research Environments to help improve end-to-end times for access to data.
- The Chair informed the Panel that as part of the Cabinet Office’s Public Bodies Review Programme, the government has appointed Professor Denise Lievesley to lead an independent review of the UK Statistics Authority.
- The Chair requested that members keep the Chair informed of their engagement with this review.
- The Research Accreditation Panel will meet next on 7 December 2023.
Action: Panel members to keep the Chair informed of any engagement with the ongoing independent review of the UK Statistics Authority.