Add breakout room summary notes and raw notes
Balint Stewart committed Apr 25, 2024
1 parent ee30dc6 commit ed46f50
Showing 10 changed files with 464 additions and 64 deletions.
Expand Up @@ -35,3 +35,39 @@ https://docs.er.kcl.ac.uk/CREATE/TRE/tre/
### Target audience

This session is open to anyone interested in both using and deploying TRE.

## Session

### Summary

Michal presented a demo and overview of King's College London's new Trusted Research Environment (TRE), currently hosting of 16 live projects, including notable ones like the MIREDA maternity study and Kings/GSK digital biological twin studies. The on-prem TRE has an automated deployment process with a software stack that is 99% open-source, using tools like Terraform/OpenTofu for environment deployment and Chocolatey for software package deployment, including Microsoft Office, R, and Stata. Each project within the TRE is limited to a maximum of two users. The importance of data egress over ingress was mentioned (note Breakout Session 1, Room 1 discussion on Cybersecurity that discussed a similar point). During a demo, Michal showcased how researchers access the TRE, including a view of the deployed software packages and the Data Egress Portal, which features tasks functionality exclusive to Egress Supervisors. Researchers also have access to data backups for up to 20 days in case they delete something accidently. Future considerations for the TRE include a potential move from on-prem to Azure and exploring automation for the egress process, though challenges remain due to the variety of output formats and resource limitations (one person only) for implementing new features.

#### Next steps

- DARE UK AI Risk Evaluation Workgroup publishing [report](https://dareuk.org.uk/dare-uk-community-working-groups/dare-uk-community-working-group-ai-risk-evaluation-working-group/#:~:text=AI%20Risk%20Evaluation%20Group&text=The%20AI%20Evaluation%20Working%20Group,of%20individuals%20within%20the%20data) end of March/Early April which will detail additional steps & consideration needed as part of egress process for AI models from TRE's

### Raw notes

- Michal provided an overview of the timeline of implementation of the Kings TRE - slides to be attached to these notes
- Current Metrics for the TRE were presented. 98.63% uptime, 16 Live projects
- Projects include MIREDA maternity study and Kings/GSK digital biological twin studies
- Automated Deployment Process - 99% of software stack used is open source. Use Terraform/OpenTofu to deploy environment. Uses Chocolatey to deploy software packages such as Microsoft Office, R, Stata.
- Maximum two users per project
- Egress more important than ingress
- Non-sensitive egress process described.
- Michal provided a demo of the TRE access, and connected to a VM as a researcher, showing the deployed software packages as requested by the researcher.
- The Data Egress Portal was demoed. 'Tasks' functionality is only available to Egress Supervisors.
- Researchers can access backups of their data for up to 20 days, in case they delete something accidentally.
- Is the environment in the cloud, or on-prem?
- It's currently on-prem, but assessing a move to Azure in the future.
- Any thoughts on using automation for the Egress process?
- Too many output formats to be able to cover with current automation tools. Responsibility of the PI to decide what files to send into the Egress process.
- Have you thought about for support for API submitted egress requests (e.g. from a workflow)?
= have looked at the feature but not high enough on the roadmap given the limited resource available to implement changes to the TRE environment (just Michal!!!)
- TRE [intranet page](https://docs.er.kcl.ac.uk/CREATE/TRE/tre/_) in King's
- My contact email [email protected]
- [Link to the presentation](https://emckclac-my.sharepoint.com/:p:/g/personal/k2256745_kcl_ac_uk/ER_QyW2DfztKgDIP-_PUY80BJ_VtwgLs5uZghva1Z0IGPA?e=4X7I3H)

#### Next steps

- Dare UK AI Risk Evaluation Workgroup publishing [report](https://dareuk.org.uk/dare-uk-community-working-groups/dare-uk-community-working-group-ai-risk-evaluation-working-group/#:~:text=AI%20Risk%20Evaluation%20Group&text=The%20AI%20Evaluation%20Working%20Group,of%20individuals%20within%20the%20data) end of March/Early April which will detail additional steps & consideration needed as part of egress process for AI models from TRE's
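
Review bot: the "Link to the presentation" entry at the end of Raw notes points at a personal SharePoint share URL (the path contains `/personal/k2256745_kcl_ac_uk/` and a share parameter `?e=4X7I3H`), which ties public docs to one individual's account and breaks as soon as the share is revoked or the account goes away. The first raw note already says "slides to be attached to these notes", so consider committing the slides next to this file or linking an institutional location instead. Two smaller points: the answer line starting `= have looked at the feature` uses `=` where the other answers use `-`, so it will not render as a list item, and the "Next steps" block appears twice with the same content (once as "DARE UK", once as "Dare UK"), where one copy would do.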
Expand Up @@ -24,3 +24,36 @@ Read GDPR recitals 26 and156, and article 89.
### Target audience

Information governance and data protection staff of TREs.

## Session

### Summary

Scotland is advancing its data systems to facilitate research while navigating GDPR regulations. The approach includes dividing the challenge into two segments: data controllers preparing and anonymizing data to create 'research-ready' datasets in compliance with GDPR, and once researchers access this anonymized data within a Trusted Research Environment (TRE), it's considered outside GDPR's purview because of anonymisation. This strategy aims to move away from the inefficient create-and-destroy method, reducing the oversight burden on privacy boards. The discussion also focused on the importance of maintaining public trust, with plans to engage the public in dialogues about the definition of public good and the mechanisms of data access and use by researchers, alongside a review of private sector access to NHS data.

Discussions highlighted the necessity of explaining to the public the low likelihood of reidentification from anonymized datasets and the non-applicability of GDPR to such data in research contexts. The conversation acknowledged ongoing challenges, such as bottlenecks caused by the requirement to keep data separate across different organizations and concerns over private sector access to NHS data

#### Next steps

- info sharing between Research Data Scotland and Smart Data Foundry on public engagement plans, and on Rowntree foundation on fine grain data into TREs for answering policies - Launch of Income Volatility Dashboard with JRF (smartdatafoundry.com)

### Raw notes

Scotland is looking to mature data systems to learn
- Scientific research is featured in the GDPR, data subject rights are lifted for scientific research. This must be balanced with the rights and deal with the public
- Scotland is aiming to split the challenge into two parts. Data controllers to prepare data and anonymise and create research ready datasets (using and accounted for by GDPR guidelines). Once researchers access the data in the TRE then it is no longer under GDPR regulations since it is anonymised.
- The aim is to replace the create and destroy method. This is inefficient and a lot for the PBPP to look at.
- In terms of public engagement important to balance public trust
- Expect to come across all of the issues in their future work, including public engagement. Smart Data Foundry - currently have a fund open for projects which will be in public good https://www.ukri.org/opportunity/smart-data-research-uk-data-services/
- Queries how to cover with data controllers about the final data accessed by researchers doesn't need to be personal data therefore isn't covered by GDPR. And the low liklihood of reidentification.
- Comissioning first set of public engagement dialogues in the summer. This will cover public good definition and how researchers access and the role of public
- Similar to work at RDS for our next steps. Ours will be planned in for next year - potential to build on the work of Smart Data.
- Highlighted Ruth Gilberts work in reference to communicating to public
- Works with ADR-S which is relevant for the research ready aims. There's a lot of bottlenecks because so many organisations are required to keep data separate. Has seen different tenants of Safe Havens operating.
- Recent news stories around dodgy private sector companies having access to NHS data
- Review of private sector access currently being done at RDS

#### Next steps
- Emails to be exchanged between RDS/SDF for follow up on public engagement plans including intro to Scot Gov contacts
- RDS to send intial research (now) and public good work (once public)
- Smart Data Foundry to send info on Rowntree foundation on fine grain data into TREs for answering policies - Launch of Income Volatility Dashboard with JRF (smartdatafoundry.com)
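
Review bot: in Raw notes, "Recent news stories around dodgy private sector companies having access to NHS data" is an unattributed characterisation in published docs; the Summary's neutral wording ("concerns over private sector access to NHS data") would fit here too, or the stories could be linked. The opening raw note "Scotland is looking to mature data systems to learn" has no list marker and appears cut off. Spelling to fix before merge: "liklihood", "Comissioning", "intial"; the second Summary paragraph is also missing its closing full stop.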
35 changes: 35 additions & 0 deletions docs/events/wg_workshops/2024-03-14-march-meeting/demo-trenity.md
Expand Up @@ -31,3 +31,38 @@ To make the most of this session, we encourage you to visit https://trenity.co.u
### Target audience

This session is open to anyone managing or looking to manage a TRE or TRE Project

## Session

### Summary

Trenity aims to standardize the construction, deployment, and management of Trusted Research Environments (TREs), driven by principles like SATRE (achieving 70% SATRE compliance from the outset) and the Five Safes framework. The product suite includes Trenity Secure and Trenity Edge among others, all managed through a unified dashboard facilitating Information Governance (IG) actions such as data ingress and egress, customizable descriptive data models, and comprehensive views of assets (datasets) and projects. Project dashboards provide members with various tools including task management, discussions, and literature review, with a distinct results tab that integrates the approval process for data release through a multi-role approval process (PI -> reviewer -> final release by TRE) for data egress. Trenity plans to adopt a service-based business model, offering the "base" software for free with a service-based business model on top.

### Raw notes

- [Trenity](https://trenity.co.uk/) demo
- Aim is to harmonise the building, deployment & management of TREs
- Big drivers for Trenity include
- SATRE, Five Safes
- Aim is a 1-tool solution for deploying & managing a TRE
- 70% SATRE compliance on day 1
- Four products
- Trenity Secure
- 2
- 3
- Trenity Edge
- Single management dashboard for IG actions like ingress/egress
- What's the descriptive data model behind the scenes?
- Can define and customise your own
- Views of assets (datasets), projects, etc.
- Project dashboard visible to project members
- tabs for task views, discussions, literature, more
- results tab allows PI approval for release, then creating "outbound request"
- this hands off to an approval process
- Three roles involved: PI (to release from project); reviewer (IG review); release authority (final release from TRE)
- "release" pushes approved files to Internet-facing part of the TRE
- still requires log-in to access
- Plan is to release "base" Trenity software for free, with service-based business model on top
- Currently Azure-based
- auto-deployment of TRE would be a premium/freemium feature
- pretty cloud-agnostic underneath
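
Review bot: the "Four products" list in Raw notes still carries placeholder entries "2" and "3" between Trenity Secure and Trenity Edge; either fill in the product names or reword the heading to match the Summary ("Trenity Secure and Trenity Edge among others"). The egress approval chain is named differently in the two sections: the Summary gives "PI -> reviewer -> final release by TRE" while the raw notes call the third role "release authority", so using one set of role names in both would avoid confusion about who signs off a release. The Summary's last sentence also states the service-based business model twice.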
Expand Up @@ -2,7 +2,9 @@

**Chair**: Rachel Tesfaye (HDR UK)

## Background
## Proposal

### Background

Following a funding award from UKRI, HDR UK is working in partnership with governance and technical stakeholders across the UK Health Data Research Alliance (HDRA), TRE Community, and SDE Network to develop an integrated Researcher Registry system, supporting streamlined researcher verification in line with the Five Safes Safe People principle.

Expand All @@ -12,8 +14,38 @@ The aims of this breakout session are to:
- Consider how verification of a researcher’s affiliation with a university/institution should be verified
- Consider how a standardised Researcher Registry could be designed and implemented across research entities from both a governance and technical perspective, including across the TRE Community and sub-national SDEs

## Prompts
### Prompts

- What are the minimum requirements for vetting criteria and why?
- What are the key challenges and risks associated with researcher verification?
- What are the key considerations for pulling information from existing systems?

## Session

### Summary

The discussion revolved around work being led out of HDR UK on a Researcher Registry/"passport" system aimed at facilitating access to Safe Data Environments (SDEs) and Trusted Research Environments (TREs) by verifying researchers. Key points touched upon the registry's validity period, the importance of a digital identifier aligned with existing digital identity frameworks (like DSIT's digital identities work), and the registry serving as a "living ledger" of a researcher's identity, credentials, experience, and affiliations. The potential use of blockchain technology was discussed for maintaining a balance between immutable and mutable information to provide a comprehensive view of researchers' accreditations.

Challenges and considerations included aligning accreditation meanings across different organizations, integrating information from external systems like ORCHID and IRAS for ethics verification, and the responsibility of TREs to make final access decisions based on registry data. The registry aims to streamline the vetting process by compiling information from various systems into a common model, thereby assisting TREs in making informed decisions regarding data access. The conversation also highlighted the necessity of including project ethics and permissions in the vetting criteria and discussed the logistics of maintaining the registry's accuracy and currency, emphasizing the collaborative role of researchers and organizations in keeping their information up to date.

#### Next steps

- Slides and break out notes to be circulated following the meeting.
- Interested in working with us to provide requirements and/or test a researcher passport solution? Please contact [email protected]

### Raw notes

- Interested in how long a Researcher Registry/"passport" is valid for because this links with some of the work he does. He has worked with metadata within the context of national SDEs and worked with the likes of Andy Payne. Consider the metadata catalog as the Registry might have its own catalog but still use that passport to let a data custodian/controller know if that's the same person and then they can make the decision on access. Accreditation might mean different things at different organisations and that's where the trickiness potentially comes in because you're not comparing apples the more example
- In practice the the Researcher Registry itself would would have digital identifier aligned with the [DSIT digital identity framework](https://www.gov.uk/guidance/digital-identity). Identifiers or attributes associated with a researchers identity, experience, training and affiliation would make up a "living ledger" for that individual researcher. We're still currently exploring use of blockchain technology for the system in terms of immutable history/information versus mutable information. There may be elements of both built into the prototype to give a relatively complete view of the the researchers accreditations e.g. training and equivalent accreditation criteria from the ONS and UKSA for example
- This is about proving identity and experience, not making decision about whether someone should be let in or not as that's a TREs decision.Consider whether they're in the registry or whether they're visas issued by these truth of being being allowed in those
- We do want to pull information from from ORCHID and and IRAS from an ethics perspective but it also looking at authentication methods.
- Would it be up to a TRE to make decision and weather to better researcher a research team or research organisation.
- Yes. In terms of the research entity where referring to the individual researcher as the organisational information. It would be up to the TRE to take teh decision to grant access. The purpose of the Registry would be to pull information together from different systems included in an agreed common vetting model, to enable TREs decision making around data access.
- Project ethics and permissions also need to be a criteria, not just previous projects.
- We have engaged with HRA to discuss pulling ethics information from IRAS.
- Who'll be responsible for keeping the registry up to date?


#### Next steps
- Slides and break out notes to be circulated following the meeting.
- Interested in working with us to provide requirements and/or test a researcher passport solution? Please contact [email protected]
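
Review bot: the Summary's closing claim about "the collaborative role of researchers and organizations in keeping their information up to date" is not backed by the Raw notes, where "Who'll be responsible for keeping the registry up to date?" is recorded with no answer; either add the answer that was given or soften the Summary. "ORCHID" appears in both sections and may be meant as ORCID, which is worth confirming with the chair. Several raw notes are not readable as written (for example "you're not comparing apples the more example" and "weather to better researcher a research team") and should be checked against the original notes before merge, since the Summary's points on accreditation and on TREs making the final access decision rest on them.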