Present

 Committee members  

  • Paul Boyle (Chair)
  • Ann Berrington (Independent Member)
  • Mark Brewin (HM Revenue & Customs)
  • Michael Chapman (NHS England)
  • Tricia Dodd (Independent Member)
  • Andrew Garrett (Independent Member)
  • Emma Gordon (Independent Member)
  • Roger Halliday (Independent Member)
  • Sarah Henry (Office for National Statistics)
  • Andrew McHugh (Independent Member)
  • Geraint Jowers (HM Revenue & Customs) until Item 6
  • Alexander Singleton (Independent Member)
  • Paul Lodge (Department for Work & Pensions)
  • Philip Wales (Northern Ireland Statistics and Research Agency)

Advisors  

  • Jason Marsh (deputising for Keith Nicholson (Security Advisor, ONS)) present from Items 2 & 3
  • Jason Riches (Legal Advisor, ONS)
  • Ross Young (Data Protection Officer, UK Statistics Authority)

In Attendance  

  • Edward Bextor (UKSA) for Items 2
  • Colin Farrell (ONS) for Items 2 & 3
  • Cal Gott (IDS Analytical Services Business Analyst, ONS) for Item 4
  • Gabor Farkas (IDS Service Operations, ONS) for Item 4
  • Catherine Naylor (IDS Service Operations, ONS) for Item 4
  • Lily O’Flynn (UKSA)
  • Nitya Raghava (UKSA)
  • Rhys Nadin (UKSA)

UK Statistics Authority  

  • Lewis Hopcroft
  • Natasha Kong
  • Matt Short

Apologies  

  • Martin Bowyer (Central Digital and Data Office)
  • Chris Dibben (Independent Member)
  • Stephanie Howarth (Welsh Government)
  • Alastair McAlpine (Scottish Government)

1. Minutes and matters arising from previous meetings

  1. The Chair welcomed the members to the thirty-first meeting of the Research Accreditation Panel (RAP).
  2. Members approved the minutes of the meeting held on 14 September 2023.
  3. Chris Dibben, Alastair McAlpine, Stephanie Howarth, Martin Bowyer, gave their apologies.
  4. Natasha Kong updated the meeting with progress on actions from previous meetings. All actions were complete or otherwise in progress.

2. DEA Processor Accreditation Annual Reviews

  1. Colin Farrell (DEA Processor Accreditation Security Assessor, ONS) and Edward Bextor (DEA Processor Accreditation Capability Assessor, UKSA) presented the Panel with the outcomes of the annual processor accreditation review of several processing environments under DEA requirements. These were:
    1. UK Secure eResearch Platform (UK SeRP)
    2. Office for National Statistics Secure Research Service (ONS SRS)
    3. Office for National Statistics (ONS DAP)
    4. National Records of Scotland (NRS)
    5. Electronic Data Research and Innovation Service (eDRIS)
    6. Edinburgh Parallel Computing Centre (EPCC)
    7. Northern Ireland Statistics and Research Agency Census Office (NISRA) – Research Support Unit
    8. Northern Ireland Statistics and Research Agency Census Office (NISRA) – Census Office

UK Secure eResearch Platform’s (UK SeRP) Annual Review

  1. The assessors informed the Panel that UK SeRP have voluntarily withdrawn from their DEA accreditation as it was determined that their accreditation is no longer required following discussions on the scope of their service. UK SeRP’s accreditation will run until the end of this year.
  2. The Panel were in agreement with UK SeRP to allow their DEA accreditation to lapse at the end of the year (2023) following the verbal update presented by the assessors.

Office for National Statistics Secure Research Service’s (ONS SRS) Annual Review

  1. The assessors presented the Panel with an overview of ONS SRS’ accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding ONS SRS’ compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for ONS SRS is as follows:
    1. In terms of security, ONS SRS is operating nine (9) control areas as Mature and six (6) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, ONS SRS is operating Data Governance and Processor Reporting obligations (2) controls areas as Capable, Research Governance (1) control area as Maturing, which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of ONS SRS’s accreditation under the DEA.
  5. The assessors informed the Panel that due to ongoing discussions in the ONS SRS, their accreditation renewal assessment may be slightly different next year to accommodate potential changes.
  6. The Panel was supportive of the findings and recommendation provided in the report.
  7. The Panel agreed to continue ONS SRS’ accreditation for the provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 July 2024.

Office for National Statistics’ (ONS) Annual Review

  1. The assessors presented the Panel with an overview of ONS’ accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding ONS’ compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for ONS is as follows:
    1. In terms of security, ONS is operating eleven (11) controls areas as Mature and four (4) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, ONS is operating Service Provision and Processor Reporting Obligations (2) controls areas as Capable, Data Governance (1) control area as Maturing, which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of ONS’ accreditation under the DEA.
  5. The assessors informed the Panel that the Data Access Platform (DAP) are considering changes to their infrastructure environment which will be in scope for ONS’ full accreditation review in 2024.
  6. The Panel was supportive of the findings and recommendation provided in the report.
  7. The Panel agreed to continue ONS’ accreditation for the preparation and provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 July 2024.

National Records of Scotland’s (NRS) Annual Review

  1. The assessors presented the Panel with an overview of NRS’ accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding NRS’ compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for NRS is as follows:
    1. In terms of security, NRS is operating ten (10) controls areas as Mature and five (5) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, NRS is operating two (2) controls as Capable, two (2) controls as Maturing and one (1) control as Mature, which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of NRS’s accreditation under the DEA.
  5. The Panel was supportive of the findings and recommendation provided in the report. These following points were raised by the RAP:
  6. The Panel agreed to continue NRS’s accreditation for the preparation of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 October 2026.

Electronic Data Research and Innovation Service’s (eDRIS) Annual Review

  1. The assessors presented the Panel with an overview of eDRIS’ accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding eDRIS’ compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for eDRIS is as follows:
    1. In terms of security, eDRIS is operating ten (10) controls areas as Mature and five (5) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, eDRIS is operating Research Governance, Service Provision and Reporting Obligations to the Accrediting Body (3) controls areas as Capable, Data Governance and People Capability (2) control area as Maturing, which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of eDRIS’ accreditation under the DEA. However, it was recommended that eDRIS changes the scope of their accreditation from both the provision and preparation of data to the provision of data only. eDRIS have agreed that this change to their accreditation is appropriate.
  5. The Panel was supportive of the findings and recommendation provided in the report.
  6. The Panel agreed to continue eDRIS’ accreditation for the provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 December 2025.

Edinburgh Parallel Computing Centre (EPCC)’s Annual Review

  1. The assessors presented the Panel with an overview of EPCC’s accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding EPCC’s compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for EPCC is as follows:
    1. In terms of security, EPCC is operating thirteen (13) controls areas as Mature and two (2) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, EPCC is operating Data Governance and People Capability 2 controls areas as Maturing which is summarised as a Maturing level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of EPCC’s accreditation under the DEA. Provided the level of maturity, it is recommended that an accreditation review is scheduled next year for security and in 2025 for data capability with the option for an ad-hoc audit.
  5. The assessors informed the Panel that due to the overlap between the functions of eDRIS and EPCC of the provisioning of data, eDRIS provide the relevant metrics under the data capability guidance’s control 5.1 to reflect the service eDRIS and EPCC provide.
  6. The Panel was supportive of the findings and recommendation provided in the report.
  7. The Panel agreed to continue EPCC’s accreditation for the provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 March 2025.

Northern Ireland Statistics and Research Agency Research Support Unit’s (NISRA RSU) Annual Review

  1. The assessors presented the Panel with an overview of NISRA RSU’s accreditation review report.
  2. The accreditation review report provides a summary of the assessors’ findings and recommendations regarding NISRA RSU’ compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for NISRA RSU is as follows:
    1. In terms of security, NISRA RSU is operating fifteen (15) controls areas as Mature and two (2) control areas as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of capability, NISRA RSU is operating Service Provision and Processor Reporting Obligations (2) controls areas as Capable, Data Governance and People Capability (2) control area as Maturing which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of NISRA RSU’s accreditation under the DEA. In line with the accreditation schedule, NISRA RSU’s full accreditation review will be carried out in 2024 for both security and service capability.
  5. The Panel was supportive of the findings and recommendation provided in the report. These following points were raised by the RAP:
    1. The Panel agreed to continue NISRA RSU’s accreditation for the preparation and provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 May 2024.
  6. The Panel agreed to continue NISRA RSU’s accreditation for the preparation and provision of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 31 May 2024.

Northern Ireland Statistics and Research Agency Census Office’s (NISRA Census Office) Annual Review

  1. The assessors presented the Panel with an overview of NISRA Census Office’s accreditation review report.
  2. The accreditation review reports provide a summary of the assessors’ findings and recommendations regarding NISRA Census Office’s compliance against the DEA processor accreditation framework, which was agreed by the Research Accreditation Panel and reflects the DEA Code of Practice.
  3. Overall, the maturity opinion of security and service capability for NISRA Census Office is as follows:
    1. In terms of security, NISRA Census Office is operating sixteen (16) controls areas as Mature and one (1) control area as Capable, which is summarised as a Capable level of maturity overall.
    2. In terms of service capability, NISRA Census Office is operating Data Governance and Processor Accreditation Obligations (2) controls areas as Capable, People Capability (1) control area as Maturing. which is summarised as a Capable level of maturity overall.
  4. The assessors recommended that the Panel should allow the continuation of NISRA Census Office’s accreditation under the DEA.
  5. The Panel was supportive of the findings and recommendation provided in the report. These following points were raised by the RAP:
    1. The Panel highlighted the importance of assessor site visits as NISRA found the site visit process for the accreditation review very helpful. It was encouraged that physical site visits take place for each review where possible.
  6. The Panel agreed to continue NISRA Census Office’s accreditation for the preparation of data under Chapter 5 of Part 5 of the Digital Economy Act, based on the evidence provided in the accreditation report. The accreditation is set to expire on 28 February 2025.

Summary of DEA Processor Accreditation Annual Reviews

  1. The Panel was supportive of the overall findings and recommendations provided in all the reports for the Trusted Research Environments/Processor DEA Accreditation Reviews. The following further points were raised by the RAP:
    1. The Panel highlighted the high volume of DEA Accreditation Reviews being presented and requested consideration to ensure that these are staggered in the future and that more summary information is provided to ensure the reports are more presentable in the future. The Panel also noted that the volume of accreditations for consideration at this meeting may have been caused by previous extensive consideration of matters relating to the accreditation of the Integrated Data Service during the course of this year.
    2. The Panel noted there is a common theme in the reviews on the lack of management information (MI) to support the TRE’s services and would like to see a focus on this from TRE’s in future accreditation reviews.
    3. The Panel were impressed with the amount of work undertaken for the DEA Accreditation Reviews for TRE’s and observed that the reports, presentations and feedback provide a good level of assurance for the Panel that the accreditations are thorough.

Action:

Secretariat to ensure summaries for future DEA Accreditation Reviews are clearly presented to RAP.

Action:

Secretariat to ensure that the DEA Accreditation Reviews for 2024 are staggered throughout the year to spread out the workload for both assessors and the Panel.

Action:

Secretariat to ensure the continuation of Trusted Research Environment accreditation reviews with an additional focus on MI reporting for 2024.

Action:

Secretariat to update the UKSA website to reflect the positive renewals of DEA Accreditation for Trusted Research Environments and UK Secure eResearch Platform’s decision to allow their DEA accreditation to lapse at the end of this calendar year (2023).

3. Revised DEA Security Assessment Framework

  1. Colin Farrell (DEA Processor Accreditation Security Assessor) presented this item.
  2. This item provided RAP with the security assessors proposed revisions to the DEA security assessment framework for Trusted Research Environments (TREs), after they had undertaken a review of the security assessment framework, with a view to continuous improvement.
  3. The Panel were told that the proposed changes do not affect the overall scope of security accreditations and have been designed to make the assessment more effective for everyone involved without increasing the workload on applicants. Key aspects include:
    1. A move from a small number of extremely high level, broad controls to a larger number of more specific, smaller controls.
    2. The new controls cover the same ground as the old controls, and there is no change to the scope of the assessment.
    3. The inclusion of a couple of additional scoring metrics, useful for record keeping, repeatability, and justification of scoring.
    4. New documentation, changing the structure of the information that applicants will need to provide, to make it more user-friendly.
    5. The proposed revisions have been consulted informally with representative from a number of TRE’s including, NISRA, NRS, EPCC and eDRIS.
  4. The Panel were supportive of the proposal and appreciative of the security assessor for continuing to evolve and improve the process. The Panel were supportive of the assessor’s approach, and the following points were raised in discussion:
    1. The Panel requested further clarification on the scoring matrix for security controls and would like this to inform the Panel on how the measure is adequate and effective. The Panel encourages the assessor to be more precise with the scoring and terminology.
    2. The Panel requested consideration of how the full details of 82 controls will be presented to the Panel as part of their consideration of DEA Research Accreditation Reviews.
    3. Recognising parallels but also differences to ISO27001 accreditation frameworks, the need for accreditations to consider any TRE’s ISO accreditation, and relevant audits/assessments undertaken.

Action:

Colin Farrell to draft a document containing additional information and clarification for the scoring matrix and provide this to the Secretariat to send onto the Panel via correspondence.

Action:

Colin Farrell to consider how the revised DEA Security Assessment Framework, containing eighty-two controls, will be presented to the Research Accreditation Panel in summary form for future DEA accreditation review reports.

4. IDS Project Application Form Pilot Project: Results from Data Owners and User Testing

  1. Cal Gott (IDS Analytical Services Business Analyst, ONS) presented this item.
  2. This presentation of the Integrated Data Service (IDS) project application form is a follow up from the June 2023 meeting of the RAP, where the Panel approved the IDS form be used in a six-month pilot phase to gather feedback from (1) researchers/government analysts and (2) non-ONS data owning government departments making their data available via the IDS.
  3. The presentation proposed to extend the pilot for a further 6 months, to collect feedback from researchers and data owners who have used the IDS form on live project applications. This included:
    1. The IDS application form and accompanying guidance for RAP member’s reference;
    2. Feedback from researchers; and
    3. Feedback from non-ONS data owners
  4. The Panel were supportive of the IDS’ request for a six-month extension of the project application forms pilot phase and the following points were raised in discussion:
    1. The Panel acknowledges that researchers and analysts are required to request access to data from multiple Trusted Research Environments (TREs) and that each may ask for differing information. The Panel recommended UKSA to work with other TREs to standardise elements of the DEA Application Form.
    2. The Panel recommended that the IDS considers a wider set of feedback and insights from data owners and users across the researcher community.
    3. The Panel have agreed that the section containing information about methodology aspects of proposed projects in DEA application forms requires further consideration, possibly through a sub-group of the Panel meeting to discuss.

Action:

UK Statistics Authority to commit to work with DEA accredited environments to ensure their DEA applications consider the needs of all stakeholders.

Action:

IDS to ensure a wider set of feedback and insights are considered from data owners and users across the researcher community and present their findings to RAP.

Action:

The Research Accreditation Panel to review the way that information about methodology aspects of project proposals are captured and communicated in project applications, and the Secretariat to consider establishing a small sub-group of the Panel to consider and to make recommendations.

5. RAP Annual Self-Assessment

  1. Natasha Kong and Lewis Hopcroft (RAP Secretariat, UKSA) presented this item.
  2. The presentation was divided into the following two sections:
    1. Research Accreditation: Progress from the last year; and
    2. RAP annual self-assessment results.
  3. The first section of the presentation informed RAP of the activities in the Research Accreditation team, in particular improvements in research accreditation services and gave Panel members the opportunity to give feedback on the progress made in processes within the last year. Areas presented include:
    1. Automation of project entry into DEA public register.
    2. Uptake of Project Accreditation Tool (PAT) by data owners, increased from 63% to 89% of projects.
    3. Successful migration of 105 projects that were previously approved by the Microdata Release Panel (MRP) to be accredited under the DEA.
    4. Streamlining of the project change request process.
    5. Research Accreditation Metrics.
  4. The second section of the presentation informed RAP of the results of the annual self-assessment. Natasha Kong (RAP Secretariat, UKSA) presented the results to the Panel which was divided into the following two sections:
    1. Overview of the self-assessment results
    2. Thematic areas for improvement
  5. The Panel raised the following points following the presentation of the RAP Annual Self-Assessment:
    1. The Panel requested consideration on the induction of new Panel members and how they could be informed on their responsibilities.
    2. The Panel raised an open question about tenure and composition of RAP members and would like further consideration on whether its inclusive of required specialisms of government departments, academia and beyond.

Action:

Secretariat to develop an induction process for new Research Accreditation Panel members to ensure they clearly understand their role and responsibilities.

Action:

Secretariat to support the Chair in considering the current membership of the Research Accreditation Panel to ensure the Panel is inclusive of required specialisms of government departments, academia and beyond.

Action:

Further to the previous discussion on item #4, the Secretariat to consider how they can support Trusted Research Environments with integrating different accreditation forms and processes.

6. Proposal for Items in the Research Accreditation Panel Strategic Workshop 2024

  1. Natasha Kong (RAP Secretariat, UKSA) presented this item.
  2. The presentation informed the Panel on potential strategic items that may be presented in the RAP 2024 Strategic Workshop following an action agreed by RAP during the September 2023 meeting.
  3. The Panel were presented with the following potential strategic items that may be presented in the RAP 2024 Strategic Workshop:
    1. Theme 1: The DEA accreditation framework and meeting modern TRE requirements
      1. Cloud services and the DEA
    2. Theme 2: Improving data access
      1. The data access journey
      2. Administrative data from government departments and devolved administrations
    3. Theme 3: The scope of the DEA and wider data sharing
      1. The DEA Research Code of Practice and Accreditation Criteria
      2. Functional anonymisation of data processed under the DEA
      3. Insights from health data
      4. The DEA and data from private organisations
    4. Optional: Overview of the DEA Project Accreditation Processes
      1. DEA Project Accreditation Processes and the Project Accreditation Tool (PAT)
  4. The Panel were supportive of the Secretariat’s suggested items for the RAP 2024 Strategic Workshop. The following points were raised in discussion.
    1. The Panel recommended the Secretariat to ensure there is plenty of time on the agenda for discussions and not just presentations.
    2. The Panel suggested the following topics to be presented at the workshop: Project methodology, Legal & Operational Scope & Committee, and differential perspectives and interpretation of Functional Anonymisation across TREs.
    3. The Panel suggested consideration around whether it would be possible to invite relevant members from other government departments to potentially present or contribute to discussions.

Action:

Secretariat to invite relevant members from government departments that can contribute to discussions at the RAP 2024 Strategic Workshop. 

Action:

Secretariat to collaborate with ADR UK to find suitable researchers to ensure that the views of researchers are represented through the RAP 2024 Strategic Workshop.

Action:

Secretariat to draft an agenda with important points raised by the Panel for the RAP 2024 Strategic Workshop and offer to the Panel via correspondence.

Action:

Research Accreditation Panel to consider how best to review the methodology section of DEA project applications.

7. Any other business

  1. The Chair noted the ‘for information’ reports provided and welcomed any comments. This included:
    1. The usual report of accreditation processes undertaken by the UKSA and overseen by the Panel in the interim period between meetings.
  2. The Panel were content with the ‘for information’ reports with no further points raised.
  3. The Chair asked the Panel whether they were content with the items on the forward agenda for 2024 and welcomes any feedback.
  4. The Chair informed the Panel that the next Research Accreditation Panel meeting will be shorter than usual and will lead into the RAP 2024 Strategic Workshop.
  5. The Research Accreditation Panel will meet next in March 2024.

Action:

Secretariat to schedule the next Research Accreditation Panel meeting in line with the RAP 2024 Strategic Workshop, taking into consideration Panel members’ availability.