sa-tre / satre-specification

Standard Architecture for Trusted Research Environments specification
https://satre-specification.readthedocs.io
Creative Commons Attribution 4.0 International

[Change]: Review of Information Governance page #283

Open jawsgrant opened 1 year ago

jawsgrant commented 1 year ago

Summary

Suggestions on Information governance page

Source

Personal contribution

Detail

Specification

On one community call there was a suggestion that statements should be ordered by importance. Mandatories first, then recommended, then optional?

Information governance

The figure refers to all the pillars. Should it (plus more detailed alt text) move to an overview page for the specification reiterating the 4 pillars, justifying the choices, explaining the structure and restating the categories? This could be here or in the previous section between principles and roles.

*Does the numbering require a trailing dot?

1.1.1 Requirements Gathering and Monitoring. Is it worth referencing potential examples of legal, regulatory and ethical standards? Which ones do folk use at the moment (ISO, DEA, GDPR ...) or practical examples?

1.2.2 Should guidance also include the rationale behind the change in the summary of changes? Is it necessary, or is it implicit? Later in 1.2.10 this is referenced explicitly; should 1.2.2 specify e.g. in resolution of issues arising, response to auditors' suggestions for process improvements?

1.2.4/1.2.5 Internal Audit Process *Confused that the title is internal, while the description refers to an 'independent evaluation process'.

1.2.4 The statement refers to audit; the guidance refers to a process to ensure you remain compliant. Confused as to whether these are consistent, or are we referring to processes to ensure auditing happens?

1.2.8 Asset Management Process. Should there be a corresponding statement for physical assets not in scope, e.g. for cloud, recording details of supplier compliance around wiping data from devices?

1.2.11 Quality Management Data: comment that the Goldacre review talks explicitly to the use of clinical data to monitor individuals' performance. A minefield to get into, but perhaps the statement and guidance should include a 'for the purpose of' qualifier.

1.3.1 Should there be a risk assessment of the TRE (design, functionality, operational and IG practices) as well?

1.3.4/1.3.5 Risk Ownership Process

1.3.4 In the guidance the link is via "(see governance roles)"; previously, e.g. 1.2.11, we link directly from the role name to the anchor for the group. Should this be consistent?

Should there be a whistleblower outlet, and should there be clear guidelines on how to raise issues about risk outwith the organisation if risks are not being addressed?

1.4. Study Management

Where has the term study come from? Is this Research Project and we're trying to avoid calling it project management? If so, and we want to keep this, can we add a definition for study to the glossary?

1.4.2/1.4.3 Compliance Checking Process. Can we reference applicable laws? Perhaps this needs to be its own page, split into categories: Framework/Guidance; Law; Formal standards/certifications.

1.4.2 Why only time-limited requirements? 1.4.3 has no guidance.

1.4.4 Study Closure Process Should this include offboarding users who no longer need access to the system or processes?

1.4.7 Study register importance: query. Why is this only 'recommended'? This is a record of how data has been used, and the details of documentation required for its approval. Isn't this just as important as the data asset register?

1.5. Member Accreditation

Having read on and returning here ... do 'Identity and Access Management Services', 'Authentication Application' and 'User Identity Attributes' live under IG as written? Arguably having a single unique ID per user across a TRE, and that users can only access projects/systems required for their research/role, are IG components, but the others seem to be computing technology to implement the requirement.

1.5.2 User Onboarding Process guidance: query. Should the guidance on training be stronger? Ensure that they have completed training. Users confirming they have done training doesn't seem adequate.

*User Onboarding Process specifies data consumers. Should this not apply to non-researcher users (admins/operators/builders etc.)? Does this need specific statements, or should we remove the current limitation?

1.5.3/1.5.4 Identity and Access Management Services

1.5.4 Uses a term 'Data Controller' that I can't easily find defined anywhere. Is there an argument that access permissions to specific datasets should be managed at a study rather than dataset level? Here then user permissions should restrict users to audit access to research projects/studies they are part of. Is there a need to include admins/operators/builders who have access to the system here?

1.5.5 Authentication Application

In my view the statement and guidance are potentially contradictory. The statement requires authentication within the TRE boundary, which effectively requires operating an IdP within the TRE. The guidance says to keep authN applications to a minimum. Generally my advice would be to use the institutional IdP where possible, as this is owned by the institution and the responsibility of 'Top Management'; it also falls within the purview of IdP and security specialists. This can be addressed by removing the 'within the TRE' from the statement. I would also suggest recommending under guidance to use the institutional IdP where viable and where it has appropriate controls included and monitored.

1.5.6 User Identity Attributes

I think this would benefit from clarification of authN and authZ. As above, if the institutional IdP is used, users would not get a unique 'logon' if I'm understanding the use correctly. However, a unique ID that an external identity maps to would be clear.

1.6 Training Delivery and Management

1.6.1/1.6.2/1.6.3 Curriculum Creation and Management Process

1.6.1 Guidance: clarification. Undefined acronym GCP.

1.6.2 Guidance: clarification. Is this about training being available per component definition, or users completing training and being certified? For me the guidance should be that training is available for roles. Members should know where to find it and may also require additional guidance to help them do so, or know what is required for their role.

1.6.3 Guidance: as above, mismatch between keeping training current and informing members of the need to keep their certification up to date.

Definition talks to training needs analysis, but this isn't clearly surfaced in the statements/guidance.

I think this needs two separate components. First is around curriculum and content management. Second is around providing training and ensuring it is up to date for users.

1.6.4/1.6.5 Certification Management Process

1.6.4 Guidance: query. That repeat training happens regularly doesn't seem like it fits here. Perhaps informing users that training is required does, but providing the training or ensuring users complete training for me lives under provision of training and ensuring it is up to date.

Perhaps there should be a means to revoke access to the TRE if training is not current under this component?

Where

https://satre-specification.readthedocs.io/en/latest/pillars/information_governance.html

Proposal

1.1 Governance Requirements

There is no overview of this capability: how the organisation approaches its governance commitment.

1.1.2 Controls Statement, suggested rephrasing: "You must ensure controls are implemented to meet stakeholder requirements."

1.3.1 Statement, suggested rephrasing: "You must have a way to quantify risk in order to understand the underlying severity."

1.4.5 Study Management Portal description, suggested rephrasing: "This application component is an online platform for managing research studies including onboarding studies, controlling access and administering compliance tasks."

Statement, suggested rephrasing: "You could implement a portal that can provide a workflow engine and database which automates components relating to study management."

1.4.6 Data asset register guidance, suggested rephrasing: "Details of all data assets (current and past) held by the system should be retained along with meta-data required to demonstrate compliance. This should include ownership, data lifecycle, contracts, risk assessments and other quality data. This is likely to already exist within the wider organisation but may require augmenting for the TRE."

Who can help

No response