
From: DHSC
Assessment date: 18/5/2023
Reassessment date: 26/10/2023
Stage: Alpha reassessment
Result: Met at reassessment
Service provider: NHS England
Service description
This service aims to solve the problem of enabling secure access to and support in the use of NHS datasets for external users for health and social care research.
Service users
The primary users of this service are Researchers and Analysts, who use the environment to access NHSE datasets and perform analysis using analytical tools.
Secondary users are Data Managers, who facilitate SDE access for researchers/analysts, and support them on a regular basis.
Users access NHS data through the SDE broadly for one of these purposes:
- Using health data to conduct research into the causes, prevention and treatment of diseases/conditions
- Using health data to inform policy, ministerial decision-making, or planning of services
Report contents
- Understand users and their needs
- Solve a whole problem for users
- Provide a joined-up experience across all channels
- Make the service simple to use
- Make sure everyone can use the service
- Have a multidisciplinary team
- Use agile ways of working
- Iterate and improve frequently
- Create a secure service which protects users’ privacy
- Define what success looks like and publish performance data
- Choose the right tools and technology
- Make new source code open
- Use and contribute to open standards, common components and patterns
- Operate a reliable service
1. Understand users and their needs
Decision
The service did not meet point 1 of the Standard.
What the team has done well
The panel was impressed that:
- the team has recruited existing Trusted Research Environment users to understand their needs
- the team has conducted further interviews after Discovery to add detail to user needs statements
- the team has involved the wider project team in workshops and held regular show and tells to share research findings and gather feedback on design proposals
- the team has identified the lack of representation from users with digital accessibility needs in Discovery and sought to include such users in Alpha
What the team needs to explore
Before their next assessment, the team needs to:
- conduct user research with all potential users of the service, ensuring fringe and seldom heard users’ needs are captured and they are included in usability testing
- identify hypotheses about how user needs could be met through the SDE service and test them in Alpha
- identify ways to understand how people use the existing Trusted Research Environment whilst ensuring information governance rules are upheld
- consider opportunities to test content and user journeys with members of the public to evaluate the transparency of the SDE service
Reassessment
Decision
The service met point 1 of the Standard.
What the team has done well
The panel was impressed that:
- the team has started to identify the user needs of those applying to access data, analysing data, and those involved in supporting users to use the service
- the team has identified further user research to be conducted with a wider range of users with differing accessibility needs in the next stages of their work
- the team has mapped the end-to-end service based on user research and attempted to join up experiences between separate services designed to register and then facilitate access to the Secure Data Environment
- the team has a collaborative approach to identifying and understanding user needs
What the team needs to explore
Before their next assessment, the team needs to:
- seek to identify and involve users in their context to understand the specific needs of those in academia, pharmaceutical industry and charities who may be less competent and confident in using the service
- review methods for recruiting and engaging users with different roles who have differing accessibility needs
- continue to prioritise user needs and user testing as the service incrementally changes
- consider rating user needs by importance or urgency of the user, along with the team's confidence in the level of evidence that has been collected
- undertake research to identify users’ understanding of messages stating that it is the organisation's responsibility to verify the identity of users
2. Solve a whole problem for users
Decision
The service met point 2 of the Standard.
What the team has done well
The panel was impressed that:
- the team is attempting to consolidate an environment where some research is done through a TRE (Trusted Research Environment) whereas in other environments data is sent in batches directly to users for analysis into one where most or all NHS data is accessed for research through a single channel
- the team has considered the whole user journey all the way from requesting access to NHS data and out via requesting a safe export of data and analysis post processing
What the team needs to explore
Before their next assessment, the team needs to:
- ensure that different transactions, including the ‘request access’ transaction, are lined up seamlessly with the main body of the service. The journey from requesting access through to the research environment should be tested end-to-end for any design issues, and iterated accordingly
3. Provide a joined-up experience across all channels
Decision
The service met point 3 of the Standard.
What the team has done well
The panel was impressed that:
- the team is trying to replicate the experience that they created with the TRE during the Covid-19 pandemic, and to make this consistent for all users of NHS data, with standardised and modern tooling
- the team’s aspiration is to reach a place where, irrespective of the data you are analysing or the data sharing agreement which forms the basis for that analysis, there is a single consistent channel for accessing, analysing and exporting NHS data for planning & research
What the team needs to explore
Before their next assessment, the team needs to:
- stop treating the web service and the virtual desktop research environment as separate elements or different services. From a user’s perspective these should flow as seamlessly as possible into one another
4. Make the service simple to use
Decision
The service did not meet point 4 of the Standard.
What the team has done well
The panel was impressed that:
- the team has identified pain points in the TRE user experience and developed ideas to make the SDE service easier to understand and use
- the team has tested a knowledge hub prototype to help users understand the service and get started
- the team has used standardised patterns from the NHS design system
What the team needs to explore
Before their next assessment, the team needs to:
- take a content design approach to review and improve existing content, plan and write new content, and test that users can understand content in all parts of the service
- test a range of ways to reduce complexity and help users complete their journeys with a minimum of help
- consider using the text area component instead of making users send emails
- test alternatives to the A to Z of datasets
- consider the names of their services. The acronyms SDE and DARS will be confusing to new users and difficult to find through search engines. Instead, the team should use self-descriptive terms to describe the different journeys that users are going through. For example, instead of ‘DARS’, the team should consider ‘Request access to NHS data’
Reassessment
Decision
The service met point 4 of the Standard.
What the team has done well
The panel was impressed that:
- the team has iterated the interaction designs and content to meet user needs and simplify user journeys
- the team has identified user groups that may need extra support to complete the service and how this could be provided. They have also investigated some of the specific barriers that could impact users, such as a higher proportion of low digital confidence
- the team has added a content designer to focus on testing and iterating content
What the team needs to explore
Before their next assessment, the team needs to:
- continue to explore user needs identified by other Secure Data Environments and how they can share learning with other teams
- continue to work collaboratively with the Data Access Request Service to understand user needs around closing the service
- take a ‘less is more’ content design approach and explore opportunities to design their way out of relying on heavy guidance
- continue to explore ways to reduce the help users need to complete their journeys
- follow best practice for naming services to choose the right name for their service
5. Make sure everyone can use the service
Decision
The service did not meet point 5 of the Standard.
What the team has done well
The panel was impressed that:
- the team has reached out to the NHSE Ability Network and Neurodiversity Network
- the team has acknowledged gaps in research with people with accessibility needs and assisted digital needs
What the team needs to explore
Before their next assessment, the team needs to:
- conduct more user research with people who have digital accessibility needs. Identify recruitment channels to invite people with digital accessibility needs and ways for them to communicate those needs.
- expand their definition and understanding of accessibility needs, and acknowledge that there is a wide spectrum of disabilities which might affect people’s ability to use the SDE service. The objective of the design team should be to avoid excluding as many people as possible from using the service, rather than starting from the point of view that the service is already inaccessible to many
- develop the user journeys for all user groups, including data managers
- consider the needs of future users to make sure the service can scale as the number of datasets and use of data increases
Reassessment
Decision
The service met point 5 of the Standard.
What the team has done well
The panel was impressed that:
- the team has conducted research with users with different accessibility needs
- the team has tested ideas with new and potential users of the service
- the team has given examples of different user journeys, including data managers
What the team needs to explore
Before their next assessment, the team needs to:
- conduct further research with users that have accessibility and assistive technology needs to ensure that they can complete the journey and access any additional help needed. This is part of the team’s research plan and they have referred to building a volunteer pool including these user groups
- consider an accessibility audit to support the prioritisation of addressing user needs
6. Have a multidisciplinary team
Decision
The service met point 6 of the Standard.
What the team has done well
The panel was impressed that:
- the team has built a UCD core around the existing TRE service
- the team will be in place to work on this service until at least the end of 2023
What the team needs to explore
Before their next assessment, the team needs to:
- add a content designer for private Beta and beyond
- develop a publishing pipeline to ensure that content design support is available when new content is being developed for the service
- explore ways to secure the team developing the service beyond the calendar year 2023, and to avoid a cliff-edge where most or all the team move off the service in 2024
7. Use agile ways of working
Decision
The service met point 7 of the Standard.
What the team has done well
The panel was impressed that:
- the team has adopted agile ways of working
- the team has integrated the research environment with an agile service team
8. Iterate and improve frequently
Decision
The service did not meet point 8 of the Standard.
What the team has done well
The panel was impressed that:
- the team has done some basic iteration on their prototypes
What the team needs to explore
Before their next assessment, the team needs to:
- test a variety of ways of solving user needs by prototyping different user journeys, iterating some and throwing some away
- give evidence of earlier versions of ideas and prototypes which the team pivoted away from, based on the evidence of their research
Reassessment
Decision
The service met point 8 of the Standard.
What the team has done well
The panel was impressed that:
- the team has given examples of iterating content to make the service as intuitive and stress-free as possible
- the team has iterated prototypes during the alpha phase based on user research findings. This allowed them to work towards meeting prioritised user needs. Research plans are evolving to continue to identify user needs of novice users
What the team needs to explore
Before their next assessment, the team needs to:
- continue to iterate design ideas throughout the Beta phase to design the service based on user needs and feedback
9. Create a secure service which protects users’ privacy
Decision
The service did not meet point 9 of the Standard.
What the team has done well
The panel was impressed that:
- the team has carried out regular penetration testing of the service and plan to do further penetration testing
- the team has had a third-party supplier risk profile the service
- the team is following best practice for securing the AWS S3 storage buckets that contain the pseudonymised datasets
- the team has ensured that all access to the data is through the privacy enhancing IMUTTA service via the Databricks cluster; no direct access to the S3 storage and the datasets is allowed
- the team has made sure that each dataset that is to be accessed is delivered into the SDE via a process of pseudonymisation, using a cryptographic key unique to the data sharing agreement relevant to the specific SDE
What the team needs to explore
Before their next assessment, the team needs to:
- assume responsibility for authenticating the identity of users of the SDE as part of the service; currently all responsibility for the authentication and verification of the identity of the users of the SDE is placed on the customer
- consider how to increase the layers of security present in the SDE, moving away from the current perimeter model towards a more least privilege, zero trust approach. Currently, once a user has authenticated with MFA and accessed the SDE, they are fully trusted, albeit in the confines of the logical “agreement” container. For example, there could be more proactive monitoring and alerting of suspicious activity
- be represented on the Cyber Security Incident Response Team (CSIRT) and be familiar with the Cyber Security Incident Response Process (CSIRP), with a clear understanding of how a cyber incident would be handled and what role they would play, also how and when a customer would be informed of a security breach
Reassessment
Decision
The service met point 9 of the Standard.
What the team has done well
The panel was impressed that:
- the team has taken steps to improve the process of registering new users and how the hand-off from the DARS system works
- the team has introduced email validity checks including checking email domains against an allow list before sending registration emails
- the team has understood the risks of not implementing identity verification checks as part of their service and has agreed this with their SRO
- the team has engaged with the cyber security operations team to plan their response to a cyber security incident, including how they would work with the service bridge team, who are responsible for incident management and pulling together the CSIRT
- the team has explored ways of moving to a more Zero Trust model within the SDE using standard AWS platform components such as AWS CloudWatch and GuardDuty, to monitor activity in the platform and alert on suspicious behaviour
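The registration check described above (an e-mail domain allow list consulted before any registration e-mail is sent) is easy to get subtly wrong: a naive suffix match on the string "nhs.net" accepts "nhs.net.evil.example" and "fakenhs.net". The following is an added example, not the SDE team's code; the allow list and the sample addresses are constructed for illustration, and the `allow_subdomains` option is an assumed design choice rather than anything the report describes.

```python
"""Allow-list check for registration e-mail domains.

Added example, not the SDE team's own code. The allow list and addresses
below are constructed for illustration; a real service would load the list
from configuration and log every rejection for audit.
"""
from __future__ import annotations

# Constructed allow list for the example (not the real SDE configuration).
ALLOWED_DOMAINS = frozenset({"nhs.net", "example-university.ac.uk"})


def normalise_domain(address: str) -> str | None:
    """Return the lowercase domain of a plain address, or None if malformed."""
    addr = address.strip()
    # Exactly one "@", a non-empty local part and domain, no inner whitespace.
    if addr.count("@") != 1 or any(ch.isspace() for ch in addr):
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # "nhs.net." is the same DNS name as "nhs.net"; compare case-insensitively.
    domain = domain.rstrip(".").lower()
    # Refuse non-ASCII domains outright rather than trying to canonicalise
    # look-alike Unicode labels: a rejected registration is the safe failure.
    if not domain.isascii():
        return None
    labels = domain.split(".")
    for label in labels:
        if not label or not all(ch.isalnum() or ch == "-" for ch in label):
            return None
    return domain


def is_allowed_email(address: str,
                     allowed: frozenset[str] = ALLOWED_DOMAINS,
                     allow_subdomains: bool = False) -> bool:
    """True only if the address's domain is on the allow list.

    With allow_subdomains=True a child of an allowed domain ("x.nhs.net") is
    accepted. The check is on a full label boundary ("." + domain), so suffix
    look-alikes such as "fakenhs.net" or "nhs.net.evil.example" still fail.
    """
    domain = normalise_domain(address)
    if domain is None:
        return False
    if domain in allowed:
        return True
    if allow_subdomains:
        return any(domain.endswith("." + parent) for parent in allowed)
    return False


def triage_registrations(addresses: list[str]) -> dict[str, list[str]]:
    """Split a batch of requested registrations into send / reject lists."""
    result: dict[str, list[str]] = {"send": [], "reject": []}
    for addr in addresses:
        result["send" if is_allowed_email(addr) else "reject"].append(addr)
    return result


if __name__ == "__main__":
    # Constructed sample batch.
    batch = ["Alice@NHS.net", "bob@nhs.net.evil.example", "carol@fakenhs.net",
             "dan@trust.nhs.net", "eve@b@nhs.net"]
    for kind, addrs in triage_registrations(batch).items():
        print(kind, addrs)
```

The design choice worth noting is that the domain is matched on a label boundary and only after normalisation, so case, a trailing dot and surrounding whitespace cannot be used to slip past the list, while anything that does not parse cleanly is rejected rather than guessed at.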
What the team needs to explore
Before their next assessment, the team needs to:
- test their cyber security incident response plan, for example, by carrying out a simulated cyber security incident
- evidence that they have done risk profiling of their architecture to ensure they understand the impact and likelihood of each security risk and how they can mitigate them
- consider how the SDE handles sensitive identity data within the datasets. Sensitive identity data includes data about individuals that if compromised could present a risk to those individuals, for example: members of the security services, police or victims of domestic abuse
10. Define what success looks like and publish performance data
Decision
The service met point 10 of the Standard.
What the team has done well
The panel was impressed that:
- the team has thought constructively about how to capture the spirit of the mandatory KPIs, even where these metrics are not strictly applicable
- the team has done some provisional thinking about what metrics could be used to measure the success of the service
What the team needs to explore
Before their next assessment, the team needs to:
- decide what the critical success factors for the service are, and what metrics will be used to measure these
- agree a consistent performance framework with common success factors across both the VDI and the web service, so that performance analysis and reporting is done with the same thoroughness across both ‘sides’ of the service
11. Choose the right tools and technology
Decision
The service met point 11 of the Standard.
What the team has done well
The panel was impressed that:
- the team is following a cloud first approach, using OTS and open-source components hosted in the AWS cloud
- the team has had their cloud architecture reviewed by AWS architects
What the team needs to explore
Before their next assessment, the team needs to:
- explore features of identity and access management which could increase the security of the SDE, for example, is there an AWS feature equivalent to the Azure Privileged Identity Management feature, which could be used to only provide Data Wranglers and other dev-ops users access to environments and data for a time limited period?
- explore options to replace the current manual process for extracting CSV data from the DARS D365 system to load into the SDE platform, to administer user access, for example could this integration be made more secure via an API?
12. Make new source code open
Decision
The service did not meet point 12 of the Standard.
What the team has done well
The panel was impressed that:
- the team spoke of the intention to publish some aspects of the service in an open repository, specifically the infrastructure as code in Terraform scripts and the custom Lambda functions they have created
What the team needs to explore
Before their next assessment, the team needs to:
- make all new source code open and reusable, and publish it under appropriate licences
Reassessment
Decision
The service conditionally met point 12 of the Standard.
What the team has done well
The panel was impressed that:
- the team has presented a roadmap to releasing their code in a public repository during private beta
What the team needs to explore
Before their next assessment, the team needs to:
- make all new source code open and reusable and publish it under appropriate licences. Or if this is not possible in full, provide a comprehensive justification of why this cannot be done for specific subsets of the source code
13. Use and contribute to open standards, common components and patterns
Decision
The service met point 13 of the Standard.
What the team has done well
The panel was impressed that:
- the team has reused the KeyCloak component that was being used in the DPS service for identity and access management
- the team intends to use the NHS.UK design system for the SDE portal
What the team needs to explore
Before their next assessment, the team needs to:
- identify code or patterns used in the service that could be reusable, and publish these in the open alongside details of how they could be used, for example, the approach to pseudonymising data using a unique key for each agreement may be a pattern that could be reused elsewhere in the NHS
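Point 9 records that each dataset enters the SDE through pseudonymisation under a cryptographic key unique to the data sharing agreement, and the bullet above suggests that pattern is reusable. The property that makes the per-agreement key worthwhile is unlinkability: the same person's records are consistently pseudonymised within one agreement (so tables still join), but the pseudonyms produced under two different agreements cannot be matched to each other. The following is an added example, not the team's own implementation: it uses a keyed hash (HMAC-SHA256) as the pseudonymisation function and derives per-agreement keys from a constructed master secret with a simplified HMAC-based KDF. Both choices are assumptions; the report does not say which primitives the service uses, and a production system would keep keys in a KMS or HSM.

```python
"""Per-agreement pseudonymisation with a keyed hash.

Added example, not the SDE service's code. The master secret, agreement
identifiers and rows are all constructed for illustration.
"""
import hashlib
import hmac

# Constructed master secret; in practice this lives in a KMS/HSM and never
# leaves it. Per-agreement keys could equally be generated randomly and stored
# individually, which is what the report's wording suggests.
MASTER_SECRET = bytes.fromhex("00" * 16 + "ff" * 16)


def derive_agreement_key(master_secret: bytes, agreement_id: str) -> bytes:
    """One 32-byte key per data sharing agreement.

    Simplified KDF (assumption): HMAC over a labelled, length-prefixed input.
    Use HKDF or the KMS's own derivation in production.
    """
    aid = agreement_id.encode("utf-8")
    info = b"sde-agreement-key\x00" + len(aid).to_bytes(2, "big") + aid
    return hmac.new(master_secret, info, hashlib.sha256).digest()


def pseudonymise(identifier: str, agreement_key: bytes) -> str:
    """Deterministic, keyed, non-invertible pseudonym for one identifier.

    Same identifier + same key -> same pseudonym (joins within an agreement
    still work). Different key -> unrelated pseudonym (no linkage across
    agreements). Without the key an attacker cannot confirm a guessed
    identifier by hashing it, which an unkeyed hash would allow.
    """
    canonical = identifier.strip().replace(" ", "").encode("utf-8")
    return hmac.new(agreement_key, canonical, hashlib.sha256).hexdigest()


def pseudonymise_rows(rows: list[dict], id_field: str, agreement_key: bytes) -> list[dict]:
    """Return copies of rows with id_field replaced by its pseudonym."""
    out = []
    for row in rows:
        new_row = dict(row)
        new_row[id_field] = pseudonymise(str(row[id_field]), agreement_key)
        out.append(new_row)
    return out


def cross_agreement_overlap(rows_a: list[dict], rows_b: list[dict], id_field: str) -> int:
    """Number of pseudonyms shared between two released datasets.

    Used here as a check that two agreements' releases are not linkable;
    zero is the expected value when they use distinct keys.
    """
    ids_a = {r[id_field] for r in rows_a}
    ids_b = {r[id_field] for r in rows_b}
    return len(ids_a & ids_b)


if __name__ == "__main__":
    # Constructed sample rows; the identifiers are placeholders, not real NHS numbers.
    rows = [{"nhs_number": "000 000 0001", "diagnosis": "A"},
            {"nhs_number": "000 000 0002", "diagnosis": "B"}]
    key_x = derive_agreement_key(MASTER_SECRET, "DSA-0001")
    key_y = derive_agreement_key(MASTER_SECRET, "DSA-0002")
    release_x = pseudonymise_rows(rows, "nhs_number", key_x)
    release_y = pseudonymise_rows(rows, "nhs_number", key_y)
    print(release_x[0]["nhs_number"][:16], release_y[0]["nhs_number"][:16])
    print("shared pseudonyms:", cross_agreement_overlap(release_x, release_y, "nhs_number"))
```

The keyed construction matters for a second reason beyond unlinkability: an unkeyed hash of a ten-digit identifier can be reversed by simply hashing every candidate value, whereas an HMAC under a secret key cannot be checked against a guess without that key.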
14. Operate a reliable service
Decision
The service did not meet point 14 of the Standard.
What the team has done well
The panel was impressed that:
- the team has considered the scaling and loading requirements of the service, for example, there are presently 750 data sharing agreements which each could have around 10 users needing access to an SDE
What the team needs to explore
Before their next assessment, the team needs to:
- fully quantify the usage requirements of the service, and plan for how the service can be scaled up to cope during periods of high load, whilst minimising the cost of running resources during quiet periods
- understand the disaster recovery requirements of the service, and plan for how the service would respond in the event of a failure
Reassessment
Decision
The service met point 14 of the Standard.
What the team has done well
The panel was impressed that:
- the team has quantified the usage requirements of the service, and has planned for how the service can be scaled up to cope during periods of high load, whilst minimising the cost of running resources during quiet periods
- the team has understood the disaster recovery requirements of the service, and has planned for how the service would respond in the event of a failure
What the team needs to explore
Before their next assessment, the team needs to:
- carry out performance and load testing of the SDE platform to ensure they can meet their planned usage requirements