Domain H: Infrastructure & Compute Capacity¶
Focus: Technical infrastructure including SDEs, compute, security, AI capability
Indicators: 9 (6 Core, 3 Enhancement)
The business question
Is our tech safe and scalable? Ensures we can handle AI workloads and cyber threats.
Secure Data Environments (SDEs/TREs) are the technical backbone of health data research. As workloads shift toward machine learning and large-scale genomics, compute demands are growing exponentially while cyber threats intensify. This domain assesses whether infrastructure meets current standards (NHS SDE specs, SATRE, ISO 27001), can scale for emerging use cases, and maintains the security posture that underpins all other domains. Two of the five Foundational Requirements sit here.
Contains 2 Foundational Requirements
Indicators H.3.1 and H.3.2 are Foundational Requirements requiring a minimum of Level 3 for baseline participation.
Indicator Summary¶
| ID | Indicator | Type | Class | Unit | Foundational |
|---|---|---|---|---|---|
| H.1.1 | SDE Architecture & Standards | Core | B0 | Service | |
| H.1.2 | User Environment & Experience | Core | B0 | Service | |
| H.2.1 | Compute Scalability | Core | B0 | Service | |
| H.2.2 | Storage & Data Management | Enhancement | O | Service | |
| H.3.1 | Security Certification & Audit | Core | B0 | Service | |
| H.3.2 | Security Operations | Core | B0 | Service | |
| H.3.3 | Privacy-Enhancing Technologies | Enhancement | O | Service | |
| H.4.1 | ML/AI Platform Capability | Enhancement | O | Service | |
| H.4.2 | Responsible AI Practices | Core | C3/4 | Service |
H.1 — Secure Data Environment¶
H.1.1 SDE Architecture & Standards¶
CORE · B0 · Service
| Level | Description |
|---|---|
| L1 | No dedicated SDE. Ad-hoc access. Controls inconsistent. |
| L2 | SDE developing. Architecture defined. NHS SDE specs and SATRE reviewed. |
| L3 | Operational meeting basic requirements. ISO 27001 in progress. Some gaps vs gold-standard/SATRE. |
| L4 | Mature meeting NHS SDE gold-standard and SATRE mandatory. ISO 27001. DEA accredited. |
| L5 | Advanced exceeding baseline. Most SATRE recommended. Enables emerging uses. Contributing to UK standards. |
H.1.2 User Environment & Experience¶
CORE · B0 · Service
| Level | Description |
|---|---|
| L1 | Poor experience. Difficult access. Tools outdated. Significant complaints. |
| L2 | Issues identified. Roadmap defined. Upgrades underway. |
| L3 | Functional. Standard tools (R, Python, SQL). Process works but cumbersome. |
| L4 | Good with modern environment. Tools updated. Onboarding <1 day. Satisfaction tracked. |
| L5 | Excellent matching commercial platforms. Rich tools. Rapid onboarding. >= 80% satisfaction. |
H.2 — Compute & Storage¶
H.2.1 Compute Scalability¶
CORE · B0 · Service
| Level | Description |
|---|---|
| L1 | Severely limited. Analysis constrained. Frequent delays/failures. |
| L2 | Assessed. Upgrade requirements defined. Cloud/HPC evaluated. |
| L3 | Adequate for standard. Queuing for intensive. GPU limited. Cloud/HPC for exceptions. |
| L4 | Scalable meeting demand with headroom. GPU for AI/ML. Scaling pathway. Cost management. |
| L5 | Elastic auto-scaling. Advanced GPU. Cost-optimised. Benchmarked internationally. |
H.2.2 Storage & Data Management¶
ENHANCEMENT · O · Service
| Level | Description |
|---|---|
| L1 | Constrained. Retention unclear. No tiering. Costs unmanaged. |
| L2 | Assessment completed. Tiered strategy. Retention developing. |
| L3 | Adequate with tiering. Retention operational. Costs monitored. |
| L4 | Scalable. Comprehensive lifecycle. Costs optimised. Backup/DR tested. |
| L5 | Advanced with automated tiering/lifecycle. Costs benchmarked. Multi-site resilience. |
H.3 — Security¶
H.3.1 Security Certification & Audit¶
CORE · B0 · Service · FOUNDATIONAL REQUIREMENT (minimum L3)
| Level | Description |
|---|---|
| L1 | No certification. Controls undocumented/untested. |
| L2 | Assessment initiated. Gap analysis vs ISO 27001. Remediation plan. |
| L3 | Controls implemented. ISO 27001 in progress. Penetration testing. Incident process defined. |
| L4 | ISO 27001 certified (full scope). Annual penetration with remediation. Incident management. DEA accredited. |
| L5 | Continuous assurance and independent testing. Demonstrable security outcomes; additional certifications as appropriate. |
H.3.2 Security Operations¶
CORE · B0 · Service · FOUNDATIONAL REQUIREMENT (minimum L3)
| Level | Description |
|---|---|
| L1 | No dedicated ops. Monitoring ad-hoc. Incident response untested. |
| L2 | Function identified. Monitoring implementing. Incident plan drafted. |
| L3 | Basic ops monitoring key systems. Incident plan documented. |
| L4 | Mature with comprehensive monitoring. 24/7 alerting. Incident tested. Metrics reported. |
| L5 | Advanced with threat intelligence. Proactive hunting. Automated response. Benchmarked. |
H.3.3 Privacy-Enhancing Technologies¶
ENHANCEMENT · O · Service
| Level | Description |
|---|---|
| L1 | No PETs. All analysis requires pseudonymised data in secure environment. |
| L2 | Options assessed. Federated/differential privacy pilots planned. |
| L3 | Selected capabilities (DataSHIELD, federated). Limited use cases. |
| L4 | Routinely available (federated, secure computation, differential privacy). Support. Governance. |
| L5 | Advanced with multiple technologies. PET default where appropriate. Contributing to standards. |
H.4 — AI & Advanced Analytics¶
H.4.1 ML/AI Platform Capability¶
ENHANCEMENT · O · Service
| Level | Description |
|---|---|
| L1 | No ML/AI capability. Cannot run ML workloads. |
| L2 | Requirements assessed. Platform evaluated. Pilot planned. |
| L3 | Basic with standard libraries. GPU limited. No MLOps. |
| L4 | Mature with MLOps (tracking, registry, pipelines). GPU. Governance defined. |
| L5 | Advanced full lifecycle. Automated pipelines. Monitoring. Synthetic data. Contributing to UK AI standards. |
H.4.2 Responsible AI Practices¶
CORE · C3/4 · Service
Capability module
This indicator is mandatory if claiming HDRS Capabilities 3 or 4 (Multi-modal data / Trial acceleration).
| Level | Description |
|---|---|
| L1 | No consideration. Projects without ethics, bias assessment, or reporting. |
| L2 | Principles acknowledged. STANDING Together, TRIPOD-AI, CONSORT-AI reviewed. Some awareness. |
| L3 | Framework developing. Diversity assessed for some using STANDING Together. Guidelines referenced. Selected bias assessment. |
| L4 | Comprehensive framework. All projects assess diversity per STANDING Together. TRIPOD-AI/CONSORT-AI mandated. Bias embedded. NICE AI aligned. |
| L5 | Leading practice. Full STANDING Together. Contributing to standards. Advanced fairness monitoring. Scottish AI Playbook aligned. Sharing frameworks. |