NHS Digital Data Sharing Remote Audit: Merck Sharp & Dohme Limited
This report records the key findings of a remote data sharing audit of Merck Sharp & Dohme Limited and Manchester University NHS Foundation Trust in October 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Merck Sharp & Dohme Limited (MSD) and Manchester University NHS Foundation Trust (MFT) between 4 and 8 October 2021. It provides an evaluation of how MSD and MFT conform to the requirements of:
- the data sharing framework contracts (DSFC)
o MSD: CON-290527-P5C0Y
o MFT: CON-324681-Z8K6R
- the data sharing agreement (DSA) DARS-NIC-290527-P5C0Y-v1.3
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
| HES Outpatients | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
| Diagnostic Imaging Dataset (DID) | Identifiable, Non-sensitive | Historic Data Request |
| Bridge file: HES to DID | Identifiable, Non-sensitive | Latest Available - 08/2020 |
The Joint Controllers are MSD and MFT and the Processors are NorthWest EHealth Limited (NWEH), Salford Royal NHS Foundation Trust (SRFT) and Microsoft Limited. The Joint Controllers do not process the data. Microsoft Limited supplies cloud storage services, via the Microsoft Azure platform, to SRFT. SRFT manages the Microsoft Azure platform on behalf of NWEH. The data supplied by NHS Digital under this DSA is processed and stored on Microsoft Azure.
The study aims to increase the understanding of the profile and characteristics of patients with unexplained Refractory Chronic Cough (RCC) by analysing the healthcare resource utilisation (HRU) and treatment patterns of these patients. RCC is a condition which is notoriously difficult to diagnose as its associated symptoms, such as gastroesophageal reflux, heartburn, and regurgitation, can easily be attributed to other conditions.
The rationale for the study is to analyse the cost of the healthcare resource utilisation (for example, how much and what healthcare services are used) by patients with RCC and better understand the burden (for example, the cost in both money and time) of managing patients diagnosed with RCC to the greater health care system.
This is a stand-alone study commissioned by the sponsor MSD, in collaboration with the Principal Investigator (PI) who is employed by MFT. The consented cohort of patients have been recruited from a specialist clinic led by the PI which is part of MFT.
This report also considers whether MSD and MFT and its Processors conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access Control - Limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
MSD, MFT and NWEH have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
MSD, MFT and NWEH will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the MSD, MFT and NWEH to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identifies the 4 agreement nonconformities, 3 observations, 9 opportunities for improvement and 3 points for follow-up raised as part of the audit.
Some of the findings have been repeated for MSD and MFT as they are joint Controllers, and the finding applies to both organisations.
MSD
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s Data Protection Impact Assessment (DPIA) are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval. | Operational Management | MFT and MSD’s LIA NWEH’s DPIA |
Observation | |
| 2 | Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements. |
Operational Management | Opportunity for improvement | ||
| 3 | The DSA should be reviewed and updated as it was confirmed at the audit:
|
Operational Management | Opportunity for improvement | ||
| 4 | MSD’s Supplier Privacy Assessment on NWEH should be reviewed and updated. This includes:
|
Operational Management | Opportunity for improvement | ||
| 5 | MSD’s Privacy Advisor Impact Assessment on the study should be reviewed and updated. Potential areas for change include:
|
Operational Management | Opportunity for improvement |
MFT
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 6 | The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s DPIA are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval. | Operational Management | MFT and MSD’s DPIA and LIA NWEH’s DPIA |
Observation | |
| 7 | Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements. |
Operational Management | Opportunity for improvement | ||
| 8 | The DSA should be reviewed and updated as it was confirmed at the audit:
|
Operational Management | Opportunity for improvement |
NWEH
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 9 | Users from NWEH with access to data supplied by NHS Digital held on Microsoft Azure did not hold valid honorary contracts with SRFT. The DSA requires the NWEH Database Administrator and Statistics team to hold honorary NHS contracts with SRFT. | Use and Benefits | DSA, Annex A, Section 5b | Agreement nonconformity | |
| 10 | NWEH did not complete the Data Security Protection Toolkit (DSPT) in 2019/20 and 2020/21 as required by the MSD’s System Level Security Policy (SLSP) that was agreed with NHS Digital in February 2020. | Access Control | DSA, Annex A, Section 1b SLSP, version 1.0, Section 4.0, DSPT |
Agreement nonconformity | 1 |
| 11 | No justification to support the presence of a domain administrator account on the Microsoft Azure platform was provided. SRFT stated that it should be disabled. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 12 | NWEH to review and update its Record of Processing Activities (ROPA) as it includes inaccurate information. This includes fields on special category data, missing joint controller information and missing data source. | Operational Management |
DSFC, Schedule 3, General Data Protection Regulation (GDPR) |
Agreement nonconformity | |
| 13 | There is an inconsistency between the MSD’s SLSP and NWEH Security Testing policy with respect to the penetration testing of the Azure platform. The SLSP states that testing will be carried out annually and the NWEH policy states that it will be every 2 years. The last penetration test was conducted in the last 12 months. |
Access Control | MSD, SLSP, Section F, Penetration Testing / Vulnerability Testing NWEH - Security Testing Policy, Section 5.3.2 |
Observation | |
| 14 | MSD’s SLSP includes a statement that IP filtering based on “Deny-all first” principle will be in place and is managed by the SRFT via a change management process. Both SRFT and NWEH should consider reviewing the rules setup to ensure that they are up to date. | Access Control | Opportunity for improvement | ||
| 15 | NWEH should consider if technical controls could be implemented to prevent users transferring data from the Azure platform to their own corporate machines. | Access Control | Opportunity for improvement | ||
| 16 | NWEH should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, date of data deletion, linking to which version of the DSA it came with and certificate of destruction. | Operational Management | Opportunity for improvement | ||
| 17 | A Microsoft Azure vulnerability security scan covering various parts of the platform has been recently conducted which highlighted a number of findings. At the post audit review, the Audit Team will ensure that all of the highlighted vulnerabilities have been adequately addressed. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Follow Up | |
| 18 | The DSA includes a statement that NWEH should only hold data in accordance with the consent material provided 5 years before and 2 years after diagnosis. All data outside this window should be securely deleted and evidence provided to NHS Digital by 31/7/2021. At the time of the audit, this has not been completed as NWEH was waiting for further data and should seek further guidance from the Data Access Request Service team. | Data Destruction | DSA, Annex A, Section 6 - Special Conditions | Follow Up | |
| 19 | At the post audit review, the Audit Team will review the following:
|
Access Control | Follow Up |
Supplementary notes
Note 1. NWEH is ISO 27001 certified.
Use of data
MSD and MFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
MSD, MFT and NWEH have confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| Microsoft Limited | England/ Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Microsoft Limited | Cloud storage | 7 days |
Good practice
During the audit, the Audit Team noted the following area of good practice:
- the PI was able to explain the benefits to health and social care that this study will have with RCC patients. This includes better understanding of the cost to the health economy and treatment patterns for these patients.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 13 January 2022 12:22 pm