Data Sharing Remote Audit: UK Biobank Limited
This report records the key findings of a remote data sharing audit of UK Biobank Limited between 19 and 23 July 2021
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of UK Biobank Limited (UKB) between 19 and 23 July 2021. It provides an evaluation of how UKB conforms to the requirements of both:
• the data sharing framework contract (DSFC) CON-309882-D1H7D-v2.01
• the data sharing agreement (DSA) DARS-NIC-08472-V9S6K-v12.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Critical Care | Identifiable, Non-Sensitive | 2008/09 – 2020/21_M12 |
| National Diabetes Audit | Identifiable, Sensitive | 2003/04 – 2017/18 |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | October 2017 to 2020/21_M12 |
| Mental Health Minimum Data Set | Identifiable, Sensitive | 2006/07 – 2014/15 |
| Mental Health and Learning Disabilities Data Set |
Identifiable, Sensitive | 2014/15 – 2015/16 |
| Improving Access to Psychological Therapies Data Set | Identifiable, Sensitive | 2012/13 – 2018/19 |
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | 2011/12 to March 2020 |
| HES Admitted Patient Care | Identifiable, Sensitive | 1997/98 - 2020/21_M12 |
| HES Outpatients | Identifiable, Sensitive | 2003/04 - 2020/21_M12 |
| HES Accident and Emergency | Identifiable, Sensitive | 2007/08 - 2019/20_M12 |
| Diagnostic Imaging Dataset | Identifiable, Sensitive | 2012/13 – 2017/18 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | 2011/12 to March 2020 |
| Mental Health Services Data Set | Identifiable, Sensitive | 2016/17 – 2017/18 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | 2011/12 to March 2020 |
| MRIS - List Cleaning Report | Identifiable, Sensitive | 2011/12 to March 2020 |
| GPES Data for Pandemic Planning and Research (COVID-19) | Identifiable, Sensitive | Latest available |
| Demographics | Identifiable, Sensitive | Latest available |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
| Cancer Registration Data | Identifiable, Sensitive | Latest available |
| Bridge file: HES to Diagnostic Imaging Dataset | Identifiable, Non-Sensitive | |
| Bridge file: HES to Mental Health Minimum Data Set | Identifiable, Non-Sensitive |
The Controller is UKB and the Processor is the Nuffield Department of Population Health (NDPH) at the University of Oxford.
UKB was established as a medical research charity in 2003 and between 2006 and 2010 recruited 500,000 participants (then aged between 40 and 69) to take part in the project. The participants underwent measures, provided blood, urine and saliva samples for future analysis, supplied information about themselves and agreed to have their health followed via linkage to their health-related records. De-identified data are then made available to researchers who apply to use the resource to undertake health-related research that is in the public interest.
This report also considers whether UKB and NDPH conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions | Access control - limited visibility of physical controls |
As NDPH are responsible for the processing and storing of data, the audit focussed predominantly on technical controls at NDPH. Note, although researchers are increasingly being granted access to de-identified data through UK Biobank’s Research Analysis Platform, it was not considered during the audit as this location is excluded from the DSA.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium – Low.
Current risk statement: Low
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
UKB and NDPH have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UKB will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with UKB and NDPH to confirm the findings have been satisfactorily addressed.
Findings
The following tables identify the 1 agreement nonconformity, 2 organisation nonconformities and 8 opportunities for improvement raised as part of the audit.
UKB
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | UKB should add appropriate document management information to its Data Protection Impact Assessment (DPIA). | Operational Management | Opportunity for improvement | ||
| 2 | UKB should consider what specialist training is provided to new staff employed in named positions, for example, Senior Information Risk Owner (SIRO), Data Protection Officer (DPO) and Information Asset Owner (IAO). | Operational Management | Opportunity for improvement | ||
| 3 | UKB should review the wording on its annual project report to ensure that the customer is confirming compliance to both the original Material Transfer Agreement and any subsequent UKB requirements. UKB should also consider whether it needs to audit companies to confirm adherence to the requirements. | Operational Management | Opportunity for improvement |
NDPH
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 4 | There was insufficient evidence to show that access and privileges for the folders holding data supplied by NHS Digital are reviewed by NDPH on a regular basis. | Access Control | DSFC, Schedule 2, Section A, Clause 4.1 NDPH, Information Governance Handbook, v3.0, Clause 8.1.4 |
Agreement nonconformity | |
| 5 | NDPH to ensure the information it receives from its third-party disposal company provides a more definitive and accurate statement of what was destroyed, in line with its Data Disposal Policy, and this list is then reconciled with its own records. | Data Destruction | NDPH, Data Disposal Policy v1.0, Section 6 | Organisation nonconformity | |
| 6 | The level of encryption applied to the laptop used to manage the download of data from NHS Digital through the Secure Electronic File Transfer (SEFT) download portal was not in line with NDPH policy. | Access Control | NDPH, Information Governance and Security Procedures, v1.0, Clause 5.10 | Organisation nonconformity | |
| 7 | NDPH should revise some of the statements in its documentation to reflect folders in its storage environment are backed up, though only within the same environment. | Operational Management |
Opportunity for improvement |
||
| 8 | NDPH should review its process for communicating the publication of new policies to all staff. | Operational Management |
Opportunity for improvement |
||
| 9 |
NDPH should contact the SEFT team to establish whether data can be downloaded to a named location so that the number of touchpoints for the data can be reduced. |
Information Transfer |
Opportunity for improvement |
||
| 10 | In evolving the new wiki page regarding the destruction of data, NDPH should ensure that the instructions are fully compliant with its Data Destruction Policy. | Data Destruction |
Opportunity for improvement |
||
| 11 | NDPH should include the UKB project in its future internal audit programme. This audit should be conducted against the internal audit processes as outlined in the NDPH information governance and security procedures. | Operational Management |
Opportunity for improvement |
Supplementary notes
No notes.
Use of data
UKB and NDPH confirmed that the datasets were only being processed and used for the purposes defined in the DSA and and were only being linked with those datasets explicitly allowed in the DSA.
Data location
UKB confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| UKB | Worldwide |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| NDPH | Storage - disk (snapshot) | 6 days |
| NDPH | Database - disk (intermediate) | 45 days |
| NDPH | Database - disk (monthly) | 400 days |
Good practice
During the audit, the Audit Team noted the following area of good practice:
• UKB and NDPH were able to clearly demonstrate the value the data supplied under this DSA has had towards researching cause, prevention and treatment of disease.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 4 March 2022 2:29 pm