NHS Digital Data Sharing Remote Audit: GlaxoSmithKline
This report records the key findings of a remote data sharing audit of GlaxoSmithKline in August 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of GlaxoSmithKline (GSK) between 9 and 19 August 2021. It provides an evaluation of how GSK conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-329103-F4Y8W
- the data sharing agreement (DSA) DARS-NIC-297783-V4P6H-v0.15
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) - Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2019/20 |
| HES - Outpatients | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2019/20 |
| HES - Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2019/20 |
| HES - Critical Care | Pseudo/Anonymised, Sensitive | 2017/18 - 2019/20 |
The Controller is GSK, and the Processors are Ignite Data Limited (Ignite) and Microsoft Limited. Microsoft supplies cloud storage services to Ignite.
Healthcare resource utilisations is the quantifiable measure of a person’s use of services for the purpose of both preventing and curing health problems, and the promotion of maintenance of health and wellbeing. Through systematic review, the disease burden experienced by both patients and their healthcare providers can be assessed.
The datasets include data from approximately 600 patients who had been involved in a previous clinical study and who provided explicit consent for the use of their data to evaluate health resource utilisations.
This report also considers whether GSK and Ignite conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: High
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
GSK and Ignite have accepted, and are acting on, the findings presented in this report. Whilst GSK has acknowledged the “high” risk statement presented in section 1.3, GSK considers that any risk to the data in relation to duty of care, confidentiality and integrity is mitigated by the systems and processes that already exist.
Data recipient’s action plan
GSK and Ignite will each establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate the plans and the resultant actions at a post audit review with both GSK and Ignite to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 10 agreement nonconformities, 3 organisation nonconformities, 3 observations, 8 opportunities for improvement and 2 follow up items were raised as part of the audit.
GSK
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 |
Data supplied by NHS Digital, which are being stored in England, was accessed by 4 GSK data analysts based in North America. Such access is outside the territory of use (England and Wales) declared in the DSA. GSK stated that access to the data was removed for the data analysts in North America during the audit. |
Use and Benefits | DSA, Annex A, Section 2c Data sharing standard 2 - Processing and Storage Locations - NHS Digital DSFC, Part 2, Clause 3.1.1 |
Agreement nonconformity | |
| 2 | Data supplied by NHS Digital are being processed and stored at locations not declared in the DSA. These locations are GSK sites in England. | Information Transfer | DSA, Annex A, Sections 2a and 2b | Agreement nonconformity | |
| 3 | Data in transit between the processing and storage locations is not encrypted as required by the DSFC. GSK reported that the transit is via GSK’s private network. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity | |
| 4 | The Audit Team found that some staff with access to the data had not completed annual data protection training within the last 12 months as required by the DSFC. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Agreement nonconformity | 1 |
| 5 | Issues that had been identified by vulnerability scanning for the infrastructure holding data supplied by NHS Digital were not being resolved in a reasonable timescale, and also were not in line with GSK’s policy on vulnerability management. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 GSK, SOP-IT-0029 Software Currency and Vulnerability Management, Step No. 5.2.3.1 |
Agreement nonconformity | |
| 6 | GSK does not have a coherent Information Asset Register (IAR) which covers the data types as per the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity | |
| 7 | The firmware on the file network storage server had not been updated to the latest version due to the hardware being scheduled for replacement. A risk assessment was shared with the Audit Team, however, it did not cover the file network storage to an adequate level of detail and the risk had been closed, even though the server had not been updated. | Access Control | GSK, SOP-IT-0029 Software Currency and Vulnerability Management, Step No. 5.2.3.1 | Organisation nonconformity | |
| 8 | GSK confirmed that it will not be able to deliver the outputs defined in the DSA unless it renews the DSA by 19 October 2021. At the time of the audit, GSK had not taken any steps to renew the DSA. | Use and Benefits | DSA, Annex A, Section 5c | Observation | |
| 9 |
There is a mismatch in the definition of ‘manipulated data’ in the Data Protection Impact Assessment (DPIA) and the DSFC, which could lead to NHS Digital data being disseminated outside the scope of the DSA. GSK updated the wording in the DPIA to ‘aggregated / summarised’ during the audit. |
Operational Management | DSFC, Schedule 3, Applicable Law and Guidance - General Data Protection Regulation DSFC, Schedule 1 |
Observation | |
| 10 | GSK should include the Intrepid study in its future internal audit programme to ensure it is fully compliant with the requirements of the DSFC and DSA. | Operational Management | Opportunity for improvement | ||
| 11 | GSK should disable the ability to add local drives in the Microsoft Remote Desktop Protocol (RDP) session for staff with access to the data. | Access Control | Opportunity for improvement | ||
| 12 | GSK should create a risk register for this study if the DSA is renewed to capture ongoing risks including those identified during discussions with the Processor. | Risk Management | Opportunity for improvement | ||
| 13 | GSK should consider developing procedures or enhancing existing documentation to cover electronic data destruction where the media is not going to be physically destroyed. For example, on a targeted area of a file server or Storage Area Network (SAN) to ensure the data is permanently deleted. | Data Destruction |
Opportunity for improvement |
||
| 14 | At the post audit review, the Audit Team will look at procedures to support data deletion following withdrawal of consent. | Operational Management | Follow up |
Ignite
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 15 | Generic login credentials were used by a small number of staff members to access an Azure container holding the data supplied by NHS Digital. As a result, there is no way to identify individual access to the data. Additionally, the capture of access related events was not enabled, and logging information had not been recorded at the time of the audit. | Access Control | DSFC, Part 2, Clause 5.4.6 | Agreement nonconformity | |
| 16 | Security testing had not been carried out on the Microsoft Azure cloud storage where the data are held. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 17 | Ignite had not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. | Operational Management | DSFC, Schedule 3, General Data Protection Regulation (GDPR) | Agreement nonconformity | |
| 18 | Ignite has not formally recognised the Information Asset Owner (IAO) in the IAR for the data supplied by NHS Digital. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity | |
| 19 | The Data Protection Policy Statement references documents that are no longer available. | Operational Management | Ignite, GDPR_DOC_1.0_Policy Statement, Sections 4 and 9.4 | Organisation nonconformity | |
| 20 | Ignite has not performed reviews to check operating system patches are being applied to corporate computers. | Access Control | Ignite, DOC A12 Operations Security, v3.0, Clause 3.10 | Organisation nonconformity | 2 |
| 21 | Should the DSA be extended, Ignite is to review the DPIA to resolve the inaccuracies identified during the audit and to ensure that the DPIA is correct. | Operational Management | DSFC, Schedule 3, General Data Protection Regulation (GDPR) | Observation | |
| 22 |
The Audit Team identified that one of Microsoft Azure's settings was not in line with Microsoft’s recommended guidance. Ignite updated the setting during the audit. |
Access Control | Opportunity for improvement | ||
| 23 | The IAO should consider undertaking specialist role-based training. | Operational Management | Opportunity for improvement | ||
| 24 | Procedures should be developed, or existing documentation updated, to cover:
|
Operational Management | Opportunity for improvement | ||
| 25 |
Antivirus was not enabled on the Azure cloud storage. Therefore, there was a reliance on the client antivirus to detect a virus associated with a saved file, or on expansion of zip files as they are opened from the server. During the audit Ignite enabled antivirus on the cloud storage. |
Access Control | Opportunity for improvement | ||
| 26 |
At the post audit review, the Audit Team will look at:
|
Operational Management | Ignite, DOC A9.2 Access Control Procedure, Clause 3.1.5 | Follow Up |
Supplementary notes
Note 1. It should be noted that GSK had a comprehensive data protection training programme in place, but staff are only required to complete it every 2 years. Some staff had completed the training within the last 12 months. GSK reported that new data protection training had been developed and it is planned for staff to complete the training by the end of January 2022.
Note 2. The Audit Team reviewed the patch levels on the Ignite laptops accessing the data and confirmed they had received the most recent patches issued by Microsoft.
Use of data
GSK and Ignite confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
GSK and Ignite confirmed that storage locations, including disaster recovery and backups, for the data were limited to the locations shown in the following table. However, GSK staff were processing data, via remote access, outside of the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| GSK | England/ Wales |
| Ignite (Microsoft Azure) | England/ Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| GSK | Disk | 60 days |
| Ignite (Microsoft Azure) | Disk | 30 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 10 December 2021 3:53 pm