NHSE National Secure Data Environment (Get Access to Data) Alpha Reassessment

From: DHSC
Assessment date: 18/5/2023
Reassessment date: 26/10/2023
Stage: Alpha reassessment
Result: Met at reassessment
Service provider: NHS England

Service description

This service aims to solve the problem of enabling secure access to and support in the use of NHS datasets for external users for health and social care research.

Service users

The primary users of this service are Researchers and Analysts, who use the environment to access NHSE datasets and perform analysis using analytical tools.

Secondary users are Data Managers, who facilitate SDE access for researchers/analysts, and support them on a regular basis.

Users access the SDE to access NHS data broadly for one of these purposes:

Using health data to conduct research into the causes, prevention and treatment of diseases/conditions
Using health data to inform policy, ministerial decision-making, or planning of services

Report contents

Understand users and their needs
Solve a whole problem for users
Provide a joined-up experience across all channels
Make the service simple to use
Make sure everyone can use the service
Have a multidisciplinary team
Use agile ways of working
Iterate and improve frequently
Create a secure service which protects users’ privacy
Define what success looks like and publish performance data
Choose the right tools and technology
Make new source code open
Use and contribute to open standards, common components and patterns
Operate a reliable service

1. Understand users and their needs

Decision

The service did not meet point 1 of the Standard.

What the team has done well

The panel was impressed that:

the team has recruited existing Trusted Research Environment users to understand their needs
the team has conducted further interviews after Discovery to add detail to user needs statements
the team has involved the wider project team in workshops and held regular show and tells to share research findings gather feedback on design proposals
the team has identified the lack of representation from users with digital accessibility needs in Discovery and sought to include such users in Alpha

What the team needs to explore

Before their next assessment, the team needs to:

conduct user research with all potential users of the service, ensuring fringe and seldom heard users’ needs are captured and they are included in usability testing
identify hypotheses about how user needs could be met through the SDE service and test them in Alpha
identify ways to understand how people use the existing Trusted Research Environment whilst ensuring information governance rules are upheld
consider opportunities to test content and user journeys with members of the public to evaluate the transparency of the SDE service

Reassessment

Decision

The service met point 1 of the Standard.

What the team has done well

The panel was impressed that:

the team has started to identify the user needs of those applying to access data, analysing data, and those involved in supporting users to use the service
the team has identified further user research to be conducted with a wider range of users with differing accessibility needs in the next stages of their work
the team has mapped the end-to-end service based on user research and attempted to join up experiences between separate services designed to register and then facilitate access to the Secure Data Environment
the team has a collaborative approach to identifying and understanding user needs

What the team needs to explore

Before their next assessment, the team needs to:

seek to identify and involve users in their context to understand the specific needs of those in academia, pharmaceutical industry and charities who may be less competent and confident in using the service
review methods for recruiting and engaging users with different roles who have differing accessibility needs
continue to prioritise user needs and user testing as the service incrementally changes
consider rating user needs by importance or urgency of the user, along with the team's confidence in the level of evidence that has been collected
undertake research to identify users’ understanding of messages stating that it is the organisations responsibility to verify the identity of users

2. Solve a whole problem for users

Decision

The service met point 2 of the Standard.

What the team has done well

The panel was impressed that:

the team is attempting to consolidate an environment where some research is done through a TRE (Trusted Research Environment) whereas in other environments data is sent in batches directly to users for analysis into one where most or all NHS data is accessed for research through a single channel
the team has considered the whole user journey all the way from requesting access to NHS data and out via requesting a safe export of data and analysis post processing

What the team needs to explore

Before their next assessment, the team needs to:

ensure that different transactions, including the ‘request access’ transaction, are lined up seamlessly with the main body of the service. The journey from requesting access through to the research environment should be tested end-to-end for any design issues, and iterated accordingly

3. Provide a joined-up experience across all channels

Decision

The service met point 3 of the Standard.

What the team has done well

The panel was impressed that:

the team is trying to replicate the experience that they created with the TRE during the Covid-19 pandemic, and to make this consistent for all users of NHS data, with standardised and modern tooling
the team’s aspiration is to reach a place where, irrespective of the data you are analysing or the data sharing agreement which forms the basis for that analysis, there is a single consistent channel for accessing, analysing and exporting NHS data for planning & research

What the team needs to explore

Before their next assessment, the team needs to:

stop treating the web service and the virtual desktop research environment as separate elements or different services. From a user’s perspective these should flow as seamlessly as possible into one another

4. Make the service simple to use

Decision

The service did not meet point 4 of the Standard.

What the team has done well

The panel was impressed that:

the team has identified pain points in the TRE user experience and developed ideas to make the SDE service easier to understand and use
the team has tested a knowledge hub prototype to help users understand the service and get started
the team has used standardised patterns from the NHS design system

What the team needs to explore

Before their next assessment, the team needs to:

take a content design approach to review and improve existing content, plan and write new content, and test that users can understand content in all parts of the service
test a range of ways to reduce complexity and help users complete their journeys with a minimum of help
consider using the text area component instead of making users send emails
test alternatives to the A to Z of datasets
consider the names of their services. The acronyms SDE and DARS will be confusing to new users and difficult to find through search engines. Instead, the team should use self-descriptive terms to describe the different journeys that users are going through. For example, instead of ‘DARS’, the team should consider ‘Request access to NHS data’

Reassessnent

Decision

The service met point 4 of the Standard.

What the team has done well

The panel was impressed that:

the team has iterated the interaction designs and content to meet user needs and simplify user journeys
the team has identified user groups that may need extra support to complete the service and how this could be provided. They have also investigated some of the specific barriers that could impact users, such as a higher proportion of low digital confidence
the team has added a content designer to focus on testing and iterating content

What the team needs to explore

Before their next assessment, the team needs to:

continue to explore user needs identified by other Secure Data Environments and how they can share learning with other teams
continue to work collaboratively with the Data Access Request Service to understand user needs around closing the service
take a ‘less is more’ content design approach and explore opportunities to design their way out of relying on heavy guidance
continue to explore ways to reduce the help users need to complete their journeys
Follow best practice for naming services to choose the right name for their service

5. Make sure everyone can use the service

Decision

The service did not meet point 5 of the Standard.

What the team has done well

The panel was impressed that:

the team has reached out to the NHSE Ability Network and Neurodiversity Network
the team has acknowledged gaps in research with people with accessibility needs and assisted digital needs

What the team needs to explore

Before their next assessment, the team needs to:

conduct more user research with people who have digital accessibility needs. Identify recruitment channels to invite people with digital accessibility needs and ways for them to communicate those needs.
expand their definition and understanding of accessibility needs, and to acknowledge that there is a wide spectrum of disabilities which might affect people’s ability to use the SDE service. The objective of the design team should be to avoid excluding as many people as possible from using the service, rather than starting from the point of view that the service is already inaccessible to many
develop the user journeys for all user groups, including data managers
consider the needs of future users to make sure the service can scale as the number of datasets and use of data increases

Reassessment

Decision

The service met point 5 of the Standard.

What the team has done well

The panel was impressed that:

the team has conducted research with users with different accessibility needs
the team has tested ideas with new and potential users of the service
the team has given examples of different user journeys, including data managers

What the team needs to explore

Before their next assessment, the team needs to:

conduct further research with users that have accessibility and assistive technology needs to ensure that they can complete the journey and access any additional help needed. This is part of the team’s research plan and they have referred to building a volunteer pool including these user groups
consider an accessibility audit to support the prioritisation of addressing user needs

6. Have a multidisciplinary team

Decision

The service met point 6 of the Standard.

What the team has done well

The panel was impressed that:

the team has built a UCD core around the existing TRE service
the team will be in place to work on this service until at least the end of 2023

What the team needs to explore

Before their next assessment, the team needs to:

add a content designer for private Beta and beyond
develop a publishing pipeline to ensure that content design support is available when new content is being developed for the service
explore ways to secure the team developing the service beyond the calendar year 2023, and to avoid a cliff-edge where most or all the team move off the service in 2024

7. Use agile ways of working

Decision

The service met point 7 of the Standard.

What the team has done well

The panel was impressed that:

the team has adopted agile ways of working
the team has integrated the research environment with an agile service team

8. Iterate and improve frequently

Decision

The service did not meet point 8 of the Standard.

What the team has done well

The panel was impressed that:

the team has done some basic iteration on their prototypes

What the team needs to explore

Before their next assessment, the team needs to:

test a variety of ways of solving user needs by prototyping different user journeys, iterating some and throwing some away
give evidence of earlier versions of ideas and prototypes which the team pivoted away from, based on the evidence of their research

Reassessment

Decision

The service met point 8 of the Standard.

What the team has done well

The panel was impressed that:

the team has given examples of iterating content to make the service as intuitive and stress-free as possible
the team has iterated prototypes during the alpha phase based on user research findings. This allowed them to work towards meeting prioritised user needs. Research plans are evolving to continue to identify user needs of novice users

What the team needs to explore

Before their next assessment, the team needs to:

continue to iterate design ideas throughout the Beta phase to design the service based on user needs and feedback

9. Create a secure service which protects users’ privacy

Decision

The service did not meet point 9 of the Standard.

What the team has done well

The panel was impressed that:

the team has carried out regular penetration testing of the service and plan to do further penetration testing
the team has had a third-party supplier risk profile the service
the team is following best practice for securing the AWS S3 storage buckets that contain the pseudonymised datasets
the team has ensured that all access to the data is through the privacy enhancing IMUTTA service via the Databricks cluster, no direct access to the S3 storage and the datasets is allowed
the team has made sure that each dataset that is to be accessed is delivered into the SDE via process of pseudonymization, using a cryptographic key unique to the data sharing agreement relevant to the specific SDE

What the team needs to explore

Before their next assessment, the team needs to:

assume responsibility for authenticating the identity of users of the SDE as part of the service, currently all responsibility for the authentication and verification of the identity of the users of the SDE is placed on the customer
consider how to increase the layers of security present in the SDE, moving away from the current perimeter model, towards a more least privilege zero trust approach, currently once a user has authenticated with MFA and accessed the SDE, they are fully trusted, albeit in the confines of the logical “agreement” container. For example, there could more proactive monitoring and alerting of suspicious activity
be represented on the Cyber Security Incident Response Team (CSIRT) and be familiar with the Cyber Security Incident Response Process (CSIRP), with a clear understanding of how a cyber incident would be handled and what role they would play, also how and when a customer would be informed of a security breach

Reassessment

Decision

The service met point 9 of the Standard.

What the team has done well

The panel was impressed that:

the team has taken steps to improve the process of registering new users and how the hand-off from the DARS system works
the team has introduced email validity checks including checking email domains against an allow list before sending registration emails
the team has understood the risks of not implementing identity verification checks as part of their service and has agreed this with their SRO
the team has engaged with the cyber security operations team to plan their response to a cyber security incident, including how they would work with service bridge team who are responsible for incident management and pulling together the CSIRT
the team have explored ways of moving to a more Zero Trust model within the SDE using standard AWS platform components such as AWS Cloud Watch and Guard Duty, to monitor activity in the platform and alert for suspicious behaviour

What the team needs to explore

Before their next assessment, the team needs to:

test their cyber security incident response plan, for example, by carrying out a simulated cyber security incident
evidence that they have done risk profiling of their architecture to ensure they understand the impact and likelihood of each security risk and how they can mitigate them
have considered how the SDE handles sensitive identity data within the datasets. Sensitive identity data includes data about individuals that if compromised could present a risk to those individuals, for example: members of the security services, police or victims of domestic abuse

10. Define what success looks like and publish performance data

Decision

The service met point 10 of the Standard.

What the team has done well

The panel was impressed that:

the team has thought constructively about how to capture the spirit of the mandatory KPIs, even where these metrics are not strictly applicable
the team has done some provisional thinking about what metrics could be used to measure the success of the service

What the team needs to explore

Before their next assessment, the team needs to:

decide what the critical success factors for the service are, and what metrics will be used to measure these
agree a consistent performance framework with common success factors across both the VDI and the web service, so that performance analysis and reporting is done with the same thoroughness across both ‘sides’ of the service

11. Choose the right tools and technology

Decision

The service met point 11 of the Standard.

What the team has done well

The panel was impressed that:

the team is following a cloud first approach, using OTS and open-source components hosted in the AWS cloud
the team has had their cloud architecture reviewed by AWS architects

What the team needs to explore

Before their next assessment, the team needs to:

explore features of identity access management which could increase the security of the SDE, for example, is there an AWS feature equivalent to the Azure Privileged Identity Management feature, which could be used to only provide Data Wranglers and other dev-ops users access to environments and data for a time limited period?
explore options to replace the current manual process for extracting CSV data from the DARS D365 system to load into the SDE platform, to administer user access, for example could this integration be made more secure via an API?

12. Make new source code open

Decision

The service did not meet point 12 of the Standard.

What the team has done well

The panel was impressed that:

the team spoke of the intention to publish some aspects of the service in an open repository, specifically the infrastructure as code in terraform scripts and the custom Lamba functions they have created

What the team needs to explore

Before their next assessment, the team needs to:

make all new source code open and reusable, and publish it under appropriate licences

Reassessment

Decision

The service conditionally met point 12 of the Standard.

What the team has done well

The panel was impressed that:

the team have presented a roadmap to releasing their code in a public repository during private beta

What the team needs to explore

Before their next assessment, the team needs to:

make all new source code open and reusable and publish it under appropriate licences. Or if this is not possible in full, provide a comprehensive justification of why this cannot be done for specific subsets of the source code

13. Use and contribute to open standards, common components and patterns

Decision

The service met point 13 of the Standard.

What the team has done well

The panel was impressed that:

the team has reused the KeyCloak component that was being used in the DPS service for identity and access management
the team intends to use the NHS.UK design system for the SDE portal

What the team needs to explore

Before their next assessment, the team needs to:

identify code or patterns used in the service that could be reusable, and publish these in the open alongside details of how they could be used, for example, the approach to pseudonymising data using a unique key for each agreement may be a pattern that could be reused elsewhere in the NHS

14. Operate a reliable service

Decision

The service did not meet point 14 of the Standard.

What the team has done well

The panel was impressed that:

the team has considered the scaling and loading requirements of the service, for example, there are presently 750 data sharing agreements which each could have around 10 users needing access to an SDE

What the team needs to explore

Before their next assessment, the team needs to:

fully quantify the usage requirements of the service, and plan for how the service can be scaled up to cope during periods of high load, whilst minimising the cost of running resources during quite periods
understand the disaster recovery requirements of the service, and plan for how the service would respond in the event of a failure

Reassessment

Decision

The service met point 14 of the Standard.

What the team has done well

The panel was impressed that:

the team has quantified the usage requirements of the service, and have planned for how the service can be scaled up to cope during periods of high load, whilst minimising the cost of running resources during quiet periods
the team has understood the disaster recovery requirements of the service, and have planned for how the service would respond in the event of a failure

What the team needs to explore

Before their next assessment, the team needs to:

carry out performance and load testing of the SDE platform to ensure they can meet their planned usage requirements