diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5fc1a85..8df690c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,19 +9,21 @@ jobs:
name: Lint
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
- - uses: pre-commit/action@v3.0.0
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+ - uses: pre-commit/action@v3.0.1
build:
name: Build docs
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
- python-version: "3.10"
+ python-version: "3.12"
cache: pip
cache-dependency-path: "**/requirements.txt"
@@ -36,4 +38,4 @@ jobs:
- name: Link check
run: |
cd docs
- make linkcheck
+ make SPHINXOPTS="--color --keep-going" linkcheck
diff --git a/docs/conf.py b/docs/conf.py
index ccbee68..1a915e4 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -60,9 +60,13 @@
r"https://www.turing.ac.uk/.*",
r"https://www.hpe.com/.*",
r"https://csrc.nist.gov/.*",
- # Currently down
+ r"https://digital.nhs.uk/services/secure-data-environment-service",
+ # Redirects to Confluence which seems to block the linkchecker
+ r"https://www.dundee.ac.uk/corporate-information/standard-operating-procedures-hic",
+ # Currently down or broken
r"https://www.goldacrereview.org/",
r"https://www.rd-alliance.org/trusted-research-environments-sensitive-data-fairness-closed-data-and-processes",
+ r"https://www.datashield.org/about/about-datashield-collated",
]
# These pages use in-page JavaScript anchors which aren't seen by the link checker
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.png b/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.png
deleted file mode 100644
index dc418ea..0000000
Binary files a/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.png and /dev/null differ
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.svg b/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.svg
new file mode 100644
index 0000000..f97ee06
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/dare_uk_logo.svg
@@ -0,0 +1,17 @@
+
+
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/discussion-accelerating-digital-science.md b/docs/events/wg_workshops/2024-09-02-september-meeting/discussion-accelerating-digital-science.md
new file mode 100644
index 0000000..6e17ded
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/discussion-accelerating-digital-science.md
@@ -0,0 +1,15 @@
+# Breakout Discussion: Accelerating digital science
+
+## Summary of discussions from the breakout rooms
+
+The discussions were positive: people were energised by the recognition of the importance of TREs and the emerging priority of federation, which made logical sense to attendees.
+
+However, federation is not the focus of TREs at present. TREs are focused on their own local problems: for example, delivering siloed, project-specific facilities and data.
+
+Another key theme was the focus on TRE costs, with each TRE looking to monetise its data to offset its operating costs. This is often part of TRE strategies, but such business models do not support a move towards federation and the separation of the Data Zone and Research Zone.
+
+The heterogeneous solution landscape causes complexity, and as a result people cannot see how federation could work. The data is not standardised, so how will that work? The systems use different technologies, so how will they integrate? There is no way of discovering data, so who will be able to find and use it in a federated world?
+
+In addition, governance processes differ between TREs and are not mutually trusted. No TRE has enough trust in any other to connect the entities delivering Data Zone facilities with each other, let alone with one delivering Research Zone facilities to researchers. The stakeholder space is very crowded, and there are no incentives for governance to become involved and change.
+
+People could see all this complexity but felt they had no way of navigating it or seeing a way through. Many groups commented on how complicated a solution would have to be (and that they could not see one). Having a few projects lead the way would be very helpful, encouraging the community that federation is coming and is something worth helping to make happen.
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/index.md b/docs/events/wg_workshops/2024-09-02-september-meeting/index.md
index 2e88883..61fed79 100644
--- a/docs/events/wg_workshops/2024-09-02-september-meeting/index.md
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/index.md
@@ -9,22 +9,35 @@
Sponsored by
-```{image} dare_uk_logo.png
+```{image} dare_uk_logo.svg
:alt: DARE UK
:width: 300px
:align: center
:target: https://dareuk.org.uk/
```
+```{toctree}
+:maxdepth: 1
+:hidden: true
+
+keynote-accelerating-digital-science
+discussion-accelerating-digital-science
+
+wg-extending-control
+wg-cybersecurity-risks
+wg-funding-sustainability
+wg-satre
+```
+
## Background
Trusted research environments and datasets are fundamental to digital science, but work is often delayed due to the time and effort required to set up a secure project, get access to the right approved data, and to sign legal agreements.
There is enormous value locked up because of this: new research ideas are blocked by the hurdles of getting started and accessing data, and typical fixed term project funding means significant research time is lost.
-We want to discuss what is stopping us from fixing these three critical issues: getting data federated to approved projects; instant provisioning of infrastructure for collaborative projects; and streamlining legal discussions with standard accepted T&Cs and operating models.
+We wanted to discuss what is stopping us from fixing these three critical issues: getting data federated to approved projects; instant provisioning of infrastructure for collaborative projects; and streamlining legal discussions with standard accepted T&Cs and operating models.
-The UK TRE community has already setup several working groups to look at some of these problems, and we plan to submit a [UKRI Digital Research Technical Professional Skills NetworkPlus](https://www.ukri.org/opportunity/ukri-digital-research-technical-professional-skills-networkplus/) grant to create a long-term footing for the UK TRE community, and to support the community in joining or creating working groups to solve the critical issues which are hampering secure digital research.
+The UK TRE community has already set up several working groups to look at some of these problems, and had planned to submit a [UKRI Digital Research Technical Professional Skills NetworkPlus](https://www.ukri.org/opportunity/ukri-digital-research-technical-professional-skills-networkplus/) grant to create a long-term footing for the UK TRE community, and to support the community in joining or creating working groups to solve the critical issues which are hampering secure digital research.
## Agenda
@@ -38,11 +51,11 @@ The UK TRE community has already setup several working groups to look at some of
- Community Management updates and announcements: Bid for funding
- - 11:00 - 12:15
- Federation: Accelerating digital science Panel
- - Keynote 1
- - Keynote 2
+ - Keynote 1: James Fleming, Chief Information Officer, Francis Crick Institute
+ - Keynote 2: Darren Bell, Director of Technical Services, UK Data Service
- Panel discussion + Q&A
- - 12:15 - 12:55
- - Accerating digital science: Focused discussion breakouts
+ - Accelerating digital science: Focused discussion breakouts
- Where the community is going and how do we get there
- - 13:00 - 14:00
- Lunch and networking
@@ -60,41 +73,159 @@ The UK TRE community has already setup several working groups to look at some of
```
-### Keynote panel
+## Presentations
+
+:Video recording: https://www.youtube.com/watch?v=53CqCUh8YwM
+:Slides from Keynotes: https://zenodo.org/records/13909022
+:Slides from lightning talks: https://zenodo.org/records/13908460
+
+## Summary of the day
+
+### Community management updates and announcements: bid for funding
+
+UK TRE community co-chairs David Sarmiento and Simon Li set out the context and background of the community and its growth over the past couple of years. Some of the key points covered were:
+
+- **Emphasis on the grassroots nature of the UK Trusted Research Environments (TRE) community**, which relies on volunteers and is open to more co-chairs and informal help.
+- **TRE community expansion**: originally coming out of the research software engineering community, membership has expanded to include data management, information governance, and funding stakeholders. The community has grown significantly, from an initial 30 members to over 300, with over 100 organizations involved. A number of **Working Groups** have also been established.
+- There is strong emphasis on flexibility and adapting to community needs and feedback.
+- **Governance and Community Participation**: Emphasis on "lazy consensus", where community members are encouraged to take the initiative unless there is opposition. Governance charters and working groups are in place, and transparency is a core principle. The group has formalized governance processes to prepare for growth but retains a focus on community-driven initiatives.
+
+#### Key community priorities identified in the introductory section
+
+- **Federation**: probably the most critical topic identified for the day - given we want a distributed network, how can we enable analysis on data held across different TREs?
+- **Data Quality**: Desire for better quality and more standardized data.
+- **AI Integration**: Growing interest in leveraging AI in TRE environments.
+- **Public and Patient Involvement**: Important for UK TREs, with recognition that the UK generally performs well in this area. The role of public participation in TRE initiatives was noted as essential but missing from current discussions. A call to engage with PPIE more fully in future projects.
+- **Funding Challenges**: Discussion on how to fund working groups and ongoing community work, as most contributions are currently voluntary. There was a call for help in preparing a bid for a significant funding opportunity (up to £2 million over four years), which could support governance, digital spaces, and working groups.
+- **Call to Action**: Attendees were encouraged to join various working groups, contribute to ongoing governance processes, and help with the upcoming funding bid.
+
+### Keynote 1: James Fleming, CIO, Francis Crick Institute
+
+**Importance of Data Federation**:
+
+- Emphasis on the need to federate data across research and healthcare systems to drive a shift from reactive to proactive, health management-driven care. Federation is essential for advancing precision medicine, holistic diagnostics, and personalized treatments.
+
+**Current Challenges**:
+
+- The data landscape is highly fragmented, with many thousands of data sources and hundreds of Trusted Research Environments (TREs), leading to overwhelming complexity.
+- Issues related to policy, strategy, and funding complicate attempts to streamline data sharing across healthcare and research sectors.
+
+**Simplification and Integration**:
+
+- Vision to dramatically simplify the infrastructure, aiming to reduce the number of systems and create common platforms that enable seamless data sharing and governance across the continuum of research, clinical trials, and healthcare.
+- Research is increasingly multimodal and multiscale, requiring the integration of various data types (e.g., genomics, imaging, patient data) from different sources.
+
+**Federated Data Fabric**:
+
+- Proposal for a common data fabric that balances control by the data provider and flexibility for researchers. This would allow organizations to manage compute/storage costs while enabling data aggregation and use for research.
+
+**Citizen-Centric Approach**:
+
+- An important theme was the need to involve the citizen in controlling their data. The proposal suggests creating a "data account" that allows patients to see who has access to their data and manage consent for studies dynamically.
+
+**Call for Collaboration**:
+
+- The initiative seeks collaboration from other organizations to build and support this federated data model, emphasizing shared governance and data use for both public health and research benefits.
+
+### Keynote 2: Darren Bell, Director of Technical Services, UK Data Service
+
+- **Federation as a solution:** Similar to the first keynote, Bell highlighted the fragmentation of data repositories, which leads to underutilization of available data. Federation involves creating shared rules and standards to unify various repositories and infrastructures across domains and countries, enabling better interoperability.
+
+- **Importance of data standards:** There was particular emphasis on the (sometimes overlooked) importance of data standards. Interoperability depends on the adoption of common standards for data formats, metadata, and workflows. Without standardization, especially across organizations, federated analysis isn't possible.
+
+- **Challenges with current practices:** Many repositories are currently small, isolated, and follow their own data classification systems. This lack of consistency creates inefficiencies for researchers trying to access and link data across platforms. There was a call for consolidation and stronger governance to enforce common standards.
+
+- **Researcher-centric focus:** A major focus was on improving user experience for researchers, and not simply building infrastructure for its own sake. He envisioned a future where researchers could easily find, access, and use data through an intuitive, federated infrastructure, much like booking a flight online. However, this requires better metadata, particularly for data curation and privacy management.
-This year we will follow a panel format with invited speakers discussing their experience in the practicalities of federating TREs and bridging communities.
-There will be plently of time for questions and discussions to arise.
+- **Incentives and enforcement:** There was a call for clear incentives to encourage organizations to adopt federated standards, along with disincentives for non-compliance. Standardization won’t happen purely through consensus but will need to be enforced at a policy level, potentially by bodies like UKRI.
-Speakers will be confirmed soon.
+- **Long-term vision:** Bell proposed a vision where all sensitive data could eventually be managed through trusted research environments (TREs), but acknowledged this is likely a decade or more away. In the interim, he stressed the need for better automated tools for data classification, risk modeling, and privacy engineering.
-### Community updates
+Overall, federation was presented as a necessary evolution in research infrastructure, one that should be driven by researcher needs.
-Hear about everything that has happened in the community for the past year and next steps.
-These include our intention to submit a [UKRI Digital Research Technical Professional Skills NetworkPlus](https://www.ukri.org/opportunity/ukri-digital-research-technical-professional-skills-networkplus/) grant, so during this time we will unpack our plans so you can contribute and support it.
+### Panel discussion
-All other working groups will also share updates and how they are contributing to our common challenges:
+A panel made up of Peter McCallum (Chief Technical Officer, Elixir), Emily Jefferson (CTO, HDR UK and Interim Director, DARE UK), Darren Bell (Director of Technical Services, UK Data Service) and James Fleming (CIO, Francis Crick Institute) came together for a discussion on federation, standards, governance, and citizen involvement in controlling the use of their data.
-- SATRE: An accreditation and specification for generic SDE/TRE facilities is needed. How these adapt to cover the different parts of a digital science platform remains a central need, helping the federation of datasets to projects.
+#### Federation
-- SDE/TRE terminology & the TRE Glossary: Developing the community language for the digital science platform will make sure the parts join up and projects can be provisioned.
+- Federation was described as collaboration with shared rules and mutual benefits, but also obligations. There was consensus that a clear, unified definition is lacking, which poses a barrier to effective data federation.
+- Federation requires both technological and social solutions, standards, and strategy considerations.
+- Avoiding Single Points of Failure: Centralizing all data into one TRE is not feasible or desirable due to innovation challenges and data custodians’ reluctance. Instead, a federated approach with multiple specialized TREs across domains and regions is generally preferred.
-- Extending Control: How the technology works with and enables information governance. So helping the federation of datasets to projects.
+#### Challenges of Standards
-- Cybersecurity risk: A base capability for any digital science platform, and how these risks change with new approaches and tools (e.g. AI/ML) is an ever emerging factor.
+- There are many fragmented standards across different sectors (e.g., healthcare, biomedical data), leading to inconsistent data entry and quality. Harmonizing these standards is critical for successful federation.
+- A balance between flexibility for individual organizations and shared constraints for mutual benefit is needed.
+
+#### European Perspective
+
+- The European model, such as the European Open Science Cloud, emphasizes setting common standards without full governmental control, highlighting an alternative approach to federation through treaties or de facto standards.
+
+#### Data Controllers and Governance
+
+- A tension exists between data controllers' individual requirements and the need for unified federation. In the future, models that engage individuals (citizen agency) will likely play a more significant role in data governance, moving beyond current legislation-based control.
+- Balancing transparency about data risks with the needs of research is crucial. Tools for clearer empirical risk assessments would help reassure data owners, facilitating more open data sharing.
+
+#### Incentives
+
+- Research councils should play an active role in encouraging federation by funding and setting enforceable standards. There is some reluctance to take on this role, but it is crucial for driving progress.
+
+#### Citizen Involvement
+
+- There is a growing need to involve patients and the public in decision-making about their data use. Current consent models (e.g., all-or-nothing) are blunt, and future systems should offer more granular control to individuals, enabling ongoing conversations about data use. There was some disagreement on the panel about the feasibility of granular citizen control given the number of projects that could potentially be using data about a given individual.
+
+#### Overall feeling
+
+The overall sense in the room was that the UK TRE community has matured and discussions on federation have moved on since the Swansea meeting in 2023 to a position where organisations are really starting to talk to one another to make this happen.
+
+[Questions](keynote-accelerating-digital-science)
+
+### Breakout session 1: Accelerating digital science: Focused discussion breakouts
+
+[Notes](discussion-accelerating-digital-science)
+
+### Breakout session 2: Working Groups
+
+Each Working Group ran a breakout discussion for community input into how they are contributing to our common challenges:
+
+- [SATRE](wg-satre): An accreditation and specification for generic SDE/TRE facilities is needed. How these adapt to cover the different parts of a digital science platform remains a central need, helping the federation of datasets to projects.
+
+- SDE/TRE terminology: Developing the community language for the digital science platform will make sure the parts join up and projects can be provisioned.
+
+- [Extending Control](wg-extending-control): How the technology works with and enables information governance. So helping the federation of datasets to projects.
+
+- [Cybersecurity risks](wg-cybersecurity-risks): A base capability for any digital science platform, and how these risks change with new approaches and tools (e.g. AI/ML) is an ever emerging factor.
- Citizen Agency: Digital science is all about collaboration with people. Failure will result unless it is ensured that they remain connected to the platform, and that it supports science that is consent-based as well as population-based.
-### Breakout sessions
+- Glossary: Focused on developing a shared lexicon for TREs to support interoperability and federation.
-As usual there will be plenty of time dedicated to community discussions and we will break into groups for them.
+- [Funding & Sustainability](wg-funding-sustainability)
-For the first session we will pose key questions about the direction of the community for everyone to discuss over coffee,
-collaboratively setting our goals to ensure this is the community you want.
+### Lightning talks
-For our second session you can join any of the working groups and discuss with them their progress (it's okay if you are not already part of it, or unsure about joining it afterwards).
-But we will also hold community lead discussions on the topics YOU PROPOSE!
-Make sure to complete the form you received after registering, and if you haven't please do (get in touch at hello@uktre.org if you can't find it)
+
-```
+Watch the lightning talks in the video recording, starting at 1:57:30.
-```
+### DARE UK Phase 2 presentation (Fergus McDonald, Deputy Director DARE UK; Emily Jefferson, Interim Director DARE UK)
+
+DARE UK Phase 2 is an £18.2m investment from UKRI over 2.5 years (reduced from the £20.6m originally presented, reflecting adjustments in spending allocation for this financial year) that aims to revolutionize the use of cross-domain sensitive data in research by enhancing TRE capabilities, while maintaining public trust and benefiting researchers.
+
+#### Core Activities
+
+**Transformational Programs:** Phase 2 focuses on advancing the capabilities developed in Phase 1, working with early adopters to test, configure, and implement these solutions in real-world settings. The transformational programs focus on:
+
+- Automation and AI capabilities in TREs: Developing new capabilities for secure AI model training and semi-automated disclosure control to reduce manual processing and accelerate research in TREs
+- Reference TRE standards and implementations
+- Federated analytics (both remote query and 'single-pane-of-glass' data view)
+
+**Next-generation proof-of-concepts:** Similar to Phase 1 Sprint Exemplar projects, this workstream will provide funding to build prototypes of next-generation TRE capabilities
+
+**Early testing of a national network of TREs:** Technology evaluation and feasibility test implementations for creating a connected national network of TREs
+
+**Community Engagement and standards:** Phase 2 includes funding for community building, supporting information sharing, consensus building, and collaboration across domains.
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/keynote-accelerating-digital-science.md b/docs/events/wg_workshops/2024-09-02-september-meeting/keynote-accelerating-digital-science.md
new file mode 100644
index 0000000..ad822ad
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/keynote-accelerating-digital-science.md
@@ -0,0 +1,42 @@
+# Federation: Accelerating digital science panel
+
+## Notes
+
+### Question: what is federation?
+
+Membership which comes with benefits and obligations.
+May end up with a de facto standard being pushed by the largest player.
+The rulebook for how a community can work together.
+
+### Question: How do you reconcile the requirements of individual data controllers in order to federate, beyond asking nicely?
+
+Distinguish between the data provider and the data controller. Most TREs likely to be hosted on someone else's infrastructure, but the control can be more granular.
+Facilitate the conversation with the individual whose data it is - give control to the citizen - but consider how that may affect bias/coverage/representation.
+Consider advocating for changes in primary legislation on control of data.
+Controllers are cautious - be transparent about disclosure risk. Can't currently demonstrate to the controller how risky their data is - providing more transparent empirical information can demonstrate the risk involved.
+
+### Question: Do Research Councils have a role to play and what would that look like for you?
+
+The EU Commission is not shy to say "you need to standardise", but the people advising the Councils are not pushing it.
+
+Doesn't have to be a Research Council employee. The telecoms industry emerged from community-driven standards; UKRI has to recognise the value and put in place the policies to drive value longer term. We do not need another rider on all grants saying "comply with this".
+
+Consider a Standards Commission with teeth - ability to disincentivise if people do not comply. Need a compelling use case - the "killer app" - what could that be in this case? Suggest need more stick.
+
+DARE Phase 2 teaser for later talk...
+
+### Question: If we put everything into a smaller number of TREs, how do we avoid single points of failure?
+
+Don't put everything in one TRE - incredibly hard to get all the different custodians to agree to that - work to federate in such a way that it's streamlined rather than amalgamating.
+Domain specialisms make sense for different, fewer TREs - e.g. health and social science rather than health and particle physics. Important to map and understand what those domains are.
+
+Would never work for trans-national communities.
+
+### Question: What role can the public play in federation?
+
+Giving people control on which studies they are involved in, rather than yes to research or not. Need to move beyond asking "are you happy for your data to be used in research?" to "what do we need to do to accommodate your concerns?". Should be a constant conversation.
+
+Not necessarily practical to ask at every level of granularity - e.g. asking at every project level would be extremely difficult.
+The level of granularity is a really interesting point - to provide future-proofed platforms, we need to engage with younger audiences, as they are hugely underrepresented in PPIE and their opinion matters.
+
+### Question: What about a _data donor_ scheme, similar to the organ donor initiative?
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/wg-cybersecurity-risks.md b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-cybersecurity-risks.md
new file mode 100644
index 0000000..99df6b9
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-cybersecurity-risks.md
@@ -0,0 +1,52 @@
+# Working Group: Cybersecurity Risk
+
+Chair: Donald Scobbie (EPCC)
+
+## Notes
+
+- Presentation (Donald): How to assess import of researcher analysis code to a TRE
+- Investigation of container vulnerability scanning
+ - 16 examples for researchers
+ - 25 with 1bn+ downloads, recently built, "official" or "sponsored"
+ - Scan with Trivy and assess vulnerabilities
+- Results (1bn+ club)
+  - Top ~20 results all based on Debian
+ - Many more unpatched vulnerabilities than would ever be allowed as part of infrastructure or research VM. Not unexpected!
+ - Alpine comes out quite well...
+- Container "best practices" may need to be reviewed for TRE use-cases
+- Results (Research examples)
+ - Large number of outstanding defects e.g. pytorch has ~1k defects
+ - More Ubuntu base images, no Alpine
+ - Security clearly not a concern
+- Immediate thoughts
+ - Major distros appear to be poorly rated
+ - Best practices undermined
+ - Build on existing "good" images
+ - Difficult to retrofit "security" on existing containers
+ - Imperative to share global code base
+ - Why does Alpine score so well?
+- CVE review
+ - Debian apparently has poor CVE history, but is quite heavily scrutinised vs others
+ - Alpine has basically 0 CVEs reported. Appears that no one is looking at it closely! May not be as easy as "switch to Alpine"
+- Coverage blind spots in scanning tools
+- What's the point?
+ - Remote exploits rare compared to breaches due to human error
+ - TREs need to conform to compliance / audit requests
+ - Being compliant may not adequately address the actual risks
+- Still to investigate
+ - Is over-reporting an issue?
+  - Does patching make a difference?
+ - Other scanners beyond Trivy?
+ - Hardening reports using Lynis
+- Working Group Next steps
+ - Publish initial findings paper
+ - Begin monthly WG meetings
+ - Community survey
+- Group Discussion
+  - UCL TRE group very interested! Contradiction of vulnerable containers vs researchers having choice of software. Can risks such as data egress be mitigated by the environment, even when users have super-user privileges?
+ - How to "sell" this to IG groups? (all software is buggy)
+ - Can rootless containers be a potential solution?
+ - Win7 example. Core infrastructure had to be wrapped. NCSC advice was this is not sustainable. TRE containers are ephemeral though, so is this the same?
+ - Will these mitigations cause deployment and infrastructure issues when analyses are scaled-out?
+ - What are implications of vulnerabilities in e.g. Quarto? Don't know! EPCC will baseline container and monitor additional software to show vulnerabilities are no worse
+ - Some benefits are unclear beyond ensuring compliance, and come with great effort
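+
+The scanning workflow described in the presentation can be sketched as a short shell loop (an illustrative example only, assuming Trivy is installed and Docker images are pullable; the image names and severity filter here are placeholder assumptions, not the exact set of images used in the study):
+
+```shell
+# Pull a few example images and scan each with Trivy, reporting
+# only HIGH and CRITICAL vulnerabilities (illustrative sketch).
+for image in python:3.12-slim pytorch/pytorch alpine:3.20; do
+    echo "== ${image} =="
+    trivy image --quiet --severity HIGH,CRITICAL "${image}"
+done
+```
+
+Comparing the output across Debian-, Ubuntu- and Alpine-based images is what surfaced the counter-intuitive results above (Alpine's low count may reflect scrutiny, not security).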
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/wg-extending-control.md b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-extending-control.md
new file mode 100644
index 0000000..597de3a
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-extending-control.md
@@ -0,0 +1,38 @@
+# Working Group: Extending Control
+
+Chair: James Fleming (standing in for Pete Barnsley)
+
+## Prompts
+
+- see Notes for Problem questions
+
+## Notes
+
+Problems?
+
+1. How to minimise time to research?
+2. How to combine datasets easily? ← Physically? Logically/virtually?
+3. Citizens agency
+
+Typically local information governance around one dataset at a time. However, how can we bring together many datasets while maintaining some information governance boundary?
+
+Data federation in current practice / examples
+
+- OMOP model for health datasets
+- Should there be a playbook to work to? OMOP is a 'step' in a playbook for standardising.
+- Open Safely (but limitation in data - COVID, Primary GP data)
+- UK LLC (longitudinal studies) single governance access route across data from the various longitudinal studies
+- Scottish Regional Safe Haven Network Federated Governance project
+- FEMS
+- Synthetic Data Project across Scottish Safe Havens
+- Scotland Caldicott Guardian sharing / accepting liability
+
+What's common and what's distinct across the existing federated projects around governance?
+
+What changes do we want to see? Enablers & Barriers
+
+- Barrier: Liability between data controllers
+- Barrier: Understanding of the data, and its limitations, between controllers/researchers/DPOs etc.
+- Barrier: Desire to monetise vs. data quality/feasibility of projects
+
+**Addition by attendee:** We need to develop systems where we have trusted research groups within institutions and that governance from one organisation can be directly correlated/equated with the governance from another e.g. a trusted researcher passport - as a governance person I am aware that we only value processes within our own institution, and that we don't take the assurances from elsewhere with as much credibility as we sometimes could. I think that if we look to develop a trusted researcher passport which works in a cross-institutional way, then we can look to reduce the time to conducting analysis. The benefit of this would be that there would be an additional level of transparency there, where other institutions would have sight of all of the research interests of an individual/research group. It's not 100% thought out, but represents an evolution in how federation between institutions could work.
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/wg-funding-sustainability.md b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-funding-sustainability.md
new file mode 100644
index 0000000..6f1aa7d
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-funding-sustainability.md
@@ -0,0 +1,27 @@
+# Working Group: Funding & Sustainability
+
+## Notes
+
+- Various strands to TREs: data partner - technology / infrastructure side - data curation itself, information governance
+- Sustaining the future of the 'TRE' workforce itself - career progressions/frameworks/training
+ - Very specialised work
+ - Any staff churn is very damaging to hive knowledge/capability
+ - Hard to recruit and retain
+- Cohesion at the UKRI level (really across councils) is much needed
+- Using RSE Con as an example: came about to (1) reduce the brain drain in the RSE space and (2)
+- How does funding work today?
+  - There are so many funding models today, and they are horrible to work with.
+ - What could it look like?
+ - Define challenge and difficulty
+ - Health, admin, etc. all fund/operate in different ways
+- 80% FEC is difficult for non-academic roles
+- What is the role of TREs in teaching new methods/techniques?
+- How do we bring information governance knowledge up to date with software/infra/data techniques in order to provide appropriate audit? (training challenge)
+- Roadmap between current state and goal.
+ - Who is funding different challenges?
+ - How are these coordinated?
+ - Articulate risks and issues
+- What is the direction of the community?
+  - Should it be its own society?
+ - Should it be part of RSE soc?
+  - How do we represent very different skills without needing to join _yet another org_?
diff --git a/docs/events/wg_workshops/2024-09-02-september-meeting/wg-satre.md b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-satre.md
new file mode 100644
index 0000000..35d9173
--- /dev/null
+++ b/docs/events/wg_workshops/2024-09-02-september-meeting/wg-satre.md
@@ -0,0 +1,95 @@
+# Working Group: SATRE
+
+Chair: Chris Cole
+
+## Prompts
+
+- Community updates/priorities
+- DARE phase 2
+- Working Group activities
+- Specification Version 2.0
+
+## Notes
+
+### In Person Group
+
+- SATRE: a baseline specification for what a TRE is
+- Feedback from Vicky Glynn - SATRE was useful for defining what good looks like. Haven't yet assessed ourselves
+- In the near future, a question we should answer is how to sustain SATRE. A fee for accreditation? It is important to identify how to fund maintenance; this was part of the original proposal but remains to be done. CE has a tiered model: self accreditation and _formal_ accreditation.
+- The industrial/IT world has moved on faster than the research world; what is acceptable looks different. SATRE should be ambitious and push for improvement. There is also an accessibility argument: if rules are too strict/specific they could unreasonably exclude existing TREs, while if rules are too fuzzy or vague, the spec could be toothless and ineffective.
+- SATRE 1 achievements
+ - Using what exists and fitting what the community is doing, rather than dictating
+ - Engaging public
+ - Started as a purely technical spec, became a truly community driven project
+- SATRE could be a tool to help federation. When talking to the public about data sharing/federation, SATRE could be used as a common understanding of what a TRE is and why TREs are trustworthy.
+- The next DARE phase could be reference implementations of SATRE elements. We should get feedback on what components the community would value the most.
+ - We imagine modular components would be useful
+ - Many existing TREs are fairly monolithic
+  - Modularity/reusability also benefits from system-agnostic designs, e.g. targeting Kubernetes rather than a particular cloud provider
+- There are a couple of in-depth questions being raised. The SATRE standard is pretty high level: what does good look like at a process, technical implementation, or policy level? E.g. an infrastructure-as-code environment on Kubernetes, or a machine-readable information risk assessment.
+- Nuanced approach where things are aware of the tier of data being processed.
+- We did some work in SACRO to look at the risk and tiering model.
+
+### Online group
+
+The NHS SDE research network in England has taken the published SATRE model and enhanced it for their own needs, such as adding maturity levels.
+
+- 11 subnational SDEs, in addition to the NHS England SDE which uses the core data returned by all the providers.
+- A split of 12 SDEs in total.
+- For SDE read TRE
+
+A key part of what was needed was the federation piece.
+
+- Starting to tackle the federation aspect.
+- Pulling out the federation aspects (the things they have added are prefixed SNSDE).
+- Federation and interoperability were pulled out to focus on the needs of SDE colleagues.
+
+Focus on capabilities that weren't well defined in the initial SATRE draft.
+
+- They use the SATRE model to self-assess capabilities - for a number of these capabilities they have started to think about the different ways each one can be implemented.
+- They initially thought this would be a maturity model, but for a number of capabilities there are several different ways to do it, none of which is any better than the others.
+
+End user computing was taken as an example:
+
+- It touches different aspects of the SATRE model - egress (code, ML models, data)
+- You may need all of them.
+
+What's our minimum maturity level across our SDEs?
+
+Support for adding federation
+
+- Talk to MONAI FL working group?
+
+SATRE is more of a specification right now; it should move towards becoming a standard, with SDEs certified against that standard.
+
+Be careful that SATRE is not just for SDEs as SATRE moves towards accreditation.
+
+- Wider process - UK Stats authority - using this architecture and the stats behind it.
+- Self assessment should be wider than the spreadsheet that already exists.
+
+Can some of SNSDE be brought back into SATRE?
+
+- Federation and interoperability: either a separate pillar or incorporated into existing pillars. A piece of work, provided we have the capacity to do it.
+- Can we see what can't be brought into SATRE, and see if the remainder can be tweaked so it's applicable?
+
+"Data de-identification" suggested rather then pseudonymisation.
+
+What do you mean by federation?
+
+- In NHS England it means data access without the data moving. The least mature approach is to copy it all into one place.
+
+NVIDIA's NVFlare and federated learning
+
+SATRE v1 compared to SHAIP v3
+
+- The numbers broke out as 80 enablers, 10-12 on supporters, and requires/NA for another 60 or so.
+- For each of the 160
+- If it becomes a standard, we wouldn't want to be trapped by the ones a solution can't do.
+
+Aridhia: similar numbers / findings to SHAIP.
+
+- Quite high-level descriptions, not detailed.
+- They like it as a standard, and found it stronger on security/supporting services than on specific software requirements.
+- Performed their own SATRE assessment in early 2024: <https://www.aridhia.com/assessing-the-aridhia-dre-against-the-satre-specification/>
+
+Would like to see v2 of the standard tackle federation.