Foundational Requirements¶
Foundational Requirements are the five indicators that require a minimum of Level 3 for any system or service claiming baseline HDRS participation. These represent non-negotiable safety and governance requirements.
Minimum Level 3 Required
A system or service cannot claim baseline readiness if any Foundational Requirement is below Level 3, regardless of performance on other indicators.
The Five Foundational Requirements¶
| ID | Indicator | Domain |
|---|---|---|
| C.1.1 | Legal Basis for Processing | Governance & Access |
| C.2.2 | Data Access Committee | Governance & Access |
| C.4.1 | Statistical Disclosure Control | Governance & Access |
| H.3.1 | Security Certification & Audit | Infrastructure & Compute |
| H.3.2 | Security Operations | Infrastructure & Compute |
Why These Five?¶
These indicators represent the foundational safety and trust requirements without which data sharing would be inappropriate:
Governance (Domain C)¶
- C.1.1 — Legal Basis for Processing
- Without a clear legal basis for research data processing, any data sharing activity is legally precarious. This is the foundational requirement for all downstream activities.
- C.2.2 — Data Access Committee
- An operational DAC with published criteria and public benefit assessment ensures that every data access decision is transparent, accountable, and proportionate.
- C.4.1 — Statistical Disclosure Control
- Systematic output checking prevents the release of potentially identifiable information. Without this, re-identification risks undermine the entire trust framework.
Infrastructure (Domain H)¶
- H.3.1 — Security Certification & Audit
- Formal security certification (e.g., ISO 27001) and penetration testing provide assurance that the technical environment is secure against external threats.
- H.3.2 — Security Operations
- Operational security monitoring and incident response ensure that threats are detected and managed in real time, not discovered after a breach.
What Level 3 Means for Each¶
| Requirement | Level 3 Requirement |
|---|---|
| C.1.1 | Primary legal basis established. Controller/processor defined. Review process exists. |
| C.2.2 | Operational DAC meeting monthly. Published criteria including NDG public benefit. Decisions documented. |
| C.4.1 | Policy operational. Trained checkers. Manual review of outputs. |
| H.3.1 | Controls implemented. ISO 27001 in progress. Penetration testing conducted. |
| H.3.2 | Basic ops monitoring key systems. Incident plan documented and tested. |