Present
Committee Members
Advisors
In Attendance
UK Statistics Authority
Apologies
1. Minutes and Matters Arising from Previous Meetings
- The Chair welcomed the members to the twenty-ninth meeting of the Research Accreditation Panel (RAP).
- Members approved the minutes of the meeting held on 17 March 2023.
- Alistair McAlpine gave his apologies.
- Natasha Kong updated the meeting with progress on actions from previous meetings. All actions were complete or otherwise in progress.
2. DEA Processor Accreditation: UK Data Archive (UKDA) Annual Review & Integrated Data Service (IDS) Accreditation
UK Data Archive (UKDA) Annual Review
- John Delaney (DEA Processor Accreditation Security Assessor) and Edward Bextor (DEA Processor Accreditation Capability Assessor) presented the Panel with the outcomes of the UKDA’s processor accreditation annual review against the Digital Economy Act 2017 (DEA) processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
- Overall, the maturity opinion for UKDA is Capable.
- For security, UKDA are operating eleven (11) controls at a Mature level and six (6) at a Capable level. Overall, the conclusion is that this represents a Capable opinion for security. Two controls, 09-ASM and 11-Cry, operating at Capable per the original accreditation in 2020 has been progressed to Mature showing satisfactory progress.
- For service capability, the UKDA is operating two (2) Research Governance and Data Governance controls areas as Maturing, and two (2) Service Provision and Processor Accreditation controls have been rated as Capable.
- The assessors recommended that the Panel continues the UKDA’s accreditation under the DEA.
- The Panel was supportive of the findings and recommendation provided in the report. However, they requested clarification on one particular point:
- The extent of improvements needed for UKDA’s endeavour system. The assessors clarified that the system was capable of capturing a good amount of information regarding researchers and the research they are undertaking, and captures all key information required. However, the consistency of information captured could be improved but also noted that the inconsistency was not significant.
- The Panel agreed to continue UKDA’s accreditation for the provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. This accreditation is set to expire on 31 March 2025.
ACTION: Secretariat to write to UKDA to confirm the continuation of accreditation under the Digital Economy Act 2017, following the successful completion of this annual review.
Integrated Data Service (IDS) Accreditation
- John Delaney, Daniel O’Brien (Security Assessors) and Edward Bextor (Capability Assessor) presented the Panel with an overview of the accreditation report for the IDS. The accreditation report provides a summary of the assessors’ findings and recommendations regarding the IDS’s compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel.
- Overall, the Panel noted that the application needs to evidence further assurance that the IDS has complied with the DEA Processor Accreditation framework. The RAP emphasised that they should not be, or perceived to be, lowering standards and/or provide favourable treatment to any particular applicant. The RAP queried why an applicant processor had questioned the assessors’ interpretation of certain accreditation controls – this was evident in the IDS application in respect of some of the service-capability controls in particular.
- The assessors recommended that the Panel accredit the IDS with a time-limited accreditation of 6 to 9 months for the provision of data under the DEA. This would enable use of new data to support the development of a more robust service to analysts.
- While the Panel were supportive of the aims of the IDS and the benefits it is expected to bring to both government and the wider research community, the RAP emphasised the importance of all TREs adhering to all appropriate security and capability controls in the DEA processor accreditation framework. This framework was developed in collaboration with all currently accredited TREs and agreed by the Research Accreditation Panel.
- Overall, the Panel noted that the application needs to evidence further assurance that the IDS has complied with the DEA Processor Accreditation framework. The RAP emphasised that they should not be, or perceived to be, lowering standards and/or provide favourable treatment to any particular applicant. The RAP queried why an applicant processor had questioned the assessors’ interpretation of certain accreditation controls – this was evident in the IDS application in respect of some of the service-capability controls in particular.
- The Panel raised several points concerning the IDS security controls. The security assessors were asked to clarify if the capable rating for these controls aligned with the outstanding improvement actions detailed in the narrative of the submission. The assessors confirmed in the affirmative, explaining that the improvement actions were centred on the embedding and further refinement of security processes. The fact that these processes were in place and operational meant the capable rating was appropriate. Panel members were satisfied with this explanation and raised no further concerns.
- The RAP then requested further clarification and assurances in relation to the following security matters:
- The Panel queried the evidence to justify the assessor’s opinion that all processing is performed within the UK and requested that more assurance be provided.
- The Panel questioned whether they needed to seek assurance on (1) the lawfulness of the processing of IDS user data under UK data protection legislation and (2) whether the safeguards for IDS user data should be subject to a different level of security and control than statistical data.
- The Panel wanted more clarification from the IDS on the data protection safeguards in place for the data of users of the IDS.
- The IDS to provide clarity on how they are making it clear to users of the IDS on the following: (1) where user data is processed, (2) the safeguards in place for the handling of personal data of users of the IDS, and (3) ensuring that users of the service are aware that their personal data may be processed outside of the UK if that is the case.
- Further clarification on the zoning of where analytics are happening and the potential of two analytics interfaces (one more traditional / desktop, one more notebook based).
- More detail on how ‘verbose IDS logging’, such as whether a complete query and potentially elements of the response, could and should be captured in log outputs.
ACTION: The IDS and the Secretariat to provide the requested information to the RAP at a future RAP meeting.
- The Panel then discussed the capability assessment and raised the following:
- The Panel requested the IDS to provide more evidence on how they will maintain sufficiently detailed records, including any accreditation conditions, for all projects in the processor’s environment.
- The Panel questioned the adequacy of relying on accredited researchers/analysts to self-report adherence with accredited project specifications. The IDS needs to provide more evidence of how they will proactively monitor how researchers are using data in the environment. The Panel strongly emphasised the importance of maintaining the trust of data owners and the public, and the consequences arising in respect of not fully monitoring what researchers were doing and wider consequences for the DEA-accreditation process and TREs.
- The Panel requested that the IDS make improvements in communicating metadata and supplementary documentation more accessibly for all users of the IDS.
- The Panel required further clarification from the IDS on the IDS’s governance when supporting Government analysts and Government research. In particular, the Panel wanted the IDS to provide assurance about how it will adhere to the transparency requirements, related to the publication of results, that underpin the wider use of the DEA Research Powers.
- The Panel advised that rather than accrediting the IDS as a DEA- accredited trusted research environment for a time-limited period of 6-9 months, the IDS could use other legal gateways to demonstrate how it can best make improvements across the controls detailed in the accreditation report and to resolve security and capability issues identified.
- The RAP welcomes the IDS to revisit their accreditation at the September 2023 RAP meeting.
ACTIONS: The IDS to provide the requested information to the RAP at a future RAP meeting.
3. Overview of ECHILD – Education and Child Health Insights from Linked Data Presentation
- Katie Harron (UCL) presented an overview of the ECHILD project. The ECHILD project links together administrative data from health and education for all children and young people in England. This database will be re-used by researchers across the UK to undertake research that benefits the public, health and education or social care services, and the promotion of health and education. The project involves a partnership between University College London (UCL), NHS Digital (NHSD) and the Department for Education (DfE), funded by the ADR UK.
- The ECHILD dataset is a significant new dataset that will be going through the DEA legal gateway.
- These were the key areas that were discussed in the presentation:
- What is the ECHILD project and its intended benefit?
- The datasets linked in ECHILD and its coverage;
- The current progress of the project; and,
- How researchers will access the ECHILD dataset
- The Panel thanked Katie Harron for her presentation and was supportive of the ECHILD project and the research and benefits it will enable. The Panel raised the following points in their discussion:
- Requested more information on disclosure control as there is a risk of data subjects being re-identified from the data. It was explained that the project is operating under the ONS’s 5-Safes framework, thus the risk of re-identification is minimal.
- Clarification on the legal gateways involved in the ECHILD project. It was clarified that the only the sharing of education data is covered by the DEA legal gateway. With the linkage of datasets in the ECHILD project, ‘public task’ was the lawful basis utilised.
- Whether the ECHILD dataset will be used for aggregated data and predictive purposes? It was confirmed that the ECHILD dataset will only be used for aggregated data purposes.
- More clarification on why the project utilises data which involves data subjects who may be reaching their 40s. It was clarified that the project involves understanding early life factors and their long-term effects, and therefore will involve data subjects who are older.
4. Update: Revised IDS Project Application and User Testing Findings
- Sarah Fisher (Head of IDS Customer Support Development, ONS) and Cal Gott (IDS Analytical Services Business Analyst, ONS) presented on the development of the Integrated Data Service (IDS) project application form and user testing findings, as well as a proposal to start using the IDS Project Application Form for IDS project submissions for a six-month pilot phase.
- As the IDS is committed to processor accreditation under the Digital Economy Act (DEA), the project application form has been designed to ensure research projects meet the requirements for access to data under the DEA Research Strand and direct RAP consideration, as well as to provide a more streamlined experience to users.
- As this is a follow up from a previous item presented in the March 2023, the presentation focussed on the actions derived from that meeting. It includes:
- Feedback from the Economic & Social Research Council workshop
- The team’s response to the RAP’s feedback regarding how methodology information is collected in the IDS application form
- Feedback from researchers
- Feedback from data owners including (1) Census, (2) Labour Force Survey and Annual Population Survey, (3) Ministry of Justice, and (4) Health and Pandemic Insight
- Central Digital and Data Office’s (CDDO) service assessment of the IDS
- The presentation also proposed that the IDS Project Application Form be used for IDS project submissions for a six-month pilot phase. During this phase, IDS Analytical Services will undertake the following:
- Continue to work closely with the UK Statistics Authority (UKSA) to ensure the form provides the required assurances to RAP and all stakeholders.
- Continue to engage with data owners, the ESRC and researchers.
- Fully triage applications through the processor’s review stages before passing the completed application form and Project Accreditation Tool to the UKSA for accreditation and comment or escalation to the RAP where required.
- Closely monitor all applications submitted and feedback for further developments required to the form and engage with the RAP on any proposed developments.
- The Panel agreed to the proposal to trial the form for a 6-month period and for the team to update the RAP on this pilot phase in the December 2023 RAP meeting. The Panel also raised the following point in their discussion:
- Recommended that more data owner engagement should be undertaken, in particular data-owning government departments such as Department for Education (DfE), HM Revenue & Customs (HMRC) and Department for Work and Pensions (DWP).
ACTION: The IDS Analytical Services team to conduct a six-month pilot phase for the IDS Project Application Form to be used for IDS project submissions and undertake the agreed actions noted in the proposal, as well as conduct more engagement with data-owning governments on the form that are external to the ONS. The outcome of this pilot phase is to be presented at the December 2023 RAP meeting.
5. Information Papers
- The Chair noted the ‘for information’ reports provided and welcomed any thoughts regarding via correspondence or in the next RAP meeting. The papers included in the ‘for information’ reports are:
- A paper that outlines the main points presented in Sir Patrick Vallance’s report, Pro-innovation Regulation of Technologies Review: Digital Technologies and the response from Government that are relevant to the Digital Economy Act (DEA) 2017 Research powers. This paper was a follow up to an action from the March 2023 RAP meeting.
- The usual report of accreditation processes undertaken by the UKSA and overseen by the Panel in the interim period between meetings. This also includes a new addition of a report which provides key metrics regarding the research accreditation service to RAP members.
- The Panel recommended that it would be useful to have the key metrics regarding the research accreditation service to be published on the UKSA website and other suitable mediums.
ACTION: The Secretariat to publish the key metrics regarding the research accreditation service to the UKSA website and other appropriate mediums.
6. Any Other Business
- No other business was raised.
- The Research Accreditation Panel will meet next on 14 September 2023.