Data Sharing Remote Audit: Oxford University Hospitals NHS Foundation Trust
This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust in August 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust (OUHNHSFT) between 23 and 27 August 2021. It provides an evaluation of how OUHNHSFT conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-312001-X8W1Y v2.01
- the data sharing agreement (DSA) DARS-NIC-135294-P7L0F-v2.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | September 2018 to March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | September 2018 to March 2020 |
MRIS - Cause of Death Report | Identifiable, Sensitive | September 2018 to March 2020 |
Demographics | Pseudo/Anonymised, Sensitive | Latest available |
Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest available |
The Controller is OUHNHSFT and the Processor is the Nuffield Department of Primary Care Health Sciences (NDPCHS) within the Medical Sciences Division (MSD) at the University of Oxford (UoO).
Valvular heart disease (VHD) occurs when one or more valves do not form properly before birth (congenital) or are damaged during life (acquired). In the developing world, infections such as rheumatic fever are still prevalent and can cause valve damage. In the UK and other developed countries, the most common cause of VHD is degeneration over time. The OxValve-Survive study reports on the survival rates of people in the OxValve cohort, with and without VHD.
This report also considers whether OUHNHSFT and NDPCHS conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Routine |
---|---|
Scope areas | Information transfer |
Restrictions | Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
OUHNHSFT and NDPCHS have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
OUHNHSFT and NDPCHS will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with OUHNHSFT and NDPCHS to confirm the findings have been satisfactorily addressed.
Findings
The following tables identify the 2 agreement nonconformities, 1 organisation nonconformity, 3 observations, and 10 opportunities for improvement raised as part of the audit.
OUHNHSFT
Ref | Finding | Link to area | Clause | Designation | Notes |
---|---|---|---|---|---|
1 | Data are being stored at locations not declared on the DSA. | Information Transfer | DSA, Annex A, Section 2b | Agreement nonconformity | |
2 | OUHNHSFT’s Data Security and Protection Toolkit (DSPT) submission is currently not fully met. A special condition stated in the DSA requires this to be rectified within the specified timeframe. | Operational Management | DSA, Annex A, Section 6 | Observation | |
3 | OUHNHSFT should consider whether a formal data processing agreement between the Controller and the Processor is required. | Operational Management | | Opportunity for improvement | |
4 | OUHNHSFT should consider defining the standard operating process for assessing when a Data Protection Impact Assessment (DPIA) is required. | Operational Management | | Opportunity for improvement | |
NDPCHS
Ref | Finding | Link to area | Clause | Designation | Notes |
---|---|---|---|---|---|
5 | NDPCHS does not maintain an up-to-date equipment asset register for equipment associated with data supplied by NHS Digital. | Operational Management | DSFC, Schedule 2 Section A, clause 4.7 | Agreement nonconformity | |
6 | NDPCHS is not adhering to key sections within the UoO Risk Management Policy. | Risk Management | UoO, Risk Management Policy | Organisation nonconformity | |
7 | An access control review recently performed by NDPCHS did not challenge one account as having access to data supplied by NHS Digital. Through discussions it was identified that this person no longer required access and although the account was active, the person was technically unable to access the data. | Access Control | DSFC, Schedule 2, Section A, clause 4.1 | Observation | |
8 | The journal paper that was recently published in relation to the study described in the DSA did not include a sufficient acknowledgement to the source of the data as required by the DSFC. It is important that an appropriate acknowledgement is included in future publications, including those currently in draft. | Use and Benefits | DSFC, Part 2, clause 3.13 | Observation | |
9 | NDPCHS should undertake a risk assessment of the networking infrastructure between storage locations. | Risk Management | | Opportunity for improvement | |
10 | NDPCHS should consider providing risk management training, to ensure staff are aware of the processes for raising, recording and monitoring risks. | Risk Management | | Opportunity for improvement | |
11 | NDPCHS should update the Information Asset Register (IAR) in relation to the Information Asset Owner for the data supplied by NHS Digital. | Operational Management | | Opportunity for improvement | |
12 | NDPCHS should determine whether it has collected sufficient information to constitute a Record of Processing Activities (ROPA) for the data provided, as required by General Data Protection Regulations (GDPR). NDPCHS may also wish to define ROPA in its Privacy by Design Policy especially for those instances when it is not acting as Controller and therefore not completing a Data Protection Impact Assessment (DPIA). | Operational Management | | Opportunity for improvement | |
13 | The MSD should consider whether in future penetration test reports, the scope could be better defined in terms of inclusions and exclusions. | Access Control | | Opportunity for improvement | |
14 | NDPCHS should consider providing specialist training. For example, Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training. | Operational Management | | Opportunity for improvement | |
15 | NDPCHS should consider adding a footnote in its IT Asset Management policy to state that any removable storage devices which hold data provided by NHS Digital must be included in the equipment asset register. | Operational Management | | Opportunity for improvement | 1 |
16 | The Audit Team suggested that all appropriate teams and stakeholders review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | | Opportunity for improvement | |
Supplementary notes
Note 1. It should be noted that no data provided by NHS Digital was being held on removable storage devices and the use of removable storage devices for confidential data is not promoted.
Use of data
NDPCHS confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was only being linked with those datasets explicitly allowed in the DSA.
Data location
OUHNHSFT confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
Organisation | Territory of use |
---|---|
OUHNHSFT | England & Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
MSD at UoO | Disk | Currently 1 year (6 months minimum according to available space) |
MSD at UoO | Tape | 90 days |
Good practice
During the audit, the Audit Team noted the following area of good practice:
- NDPCHS were able to clearly demonstrate the value the data supplied under this DSA has had towards researching survival rates of VHD.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 January 2022 9:07 am