Data Sharing Remote Audit: University of Aberdeen
This report records the findings of a remote data sharing audit of the University of Aberdeen in April 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit at the University of Aberdeen (UoA) between 19 and 23 April 2021. It provides an evaluation of how the UoA conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-313306-V2W6S
- the data sharing agreement (DSA) DARS-NIC-322051-S8N9N-v2.4
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2007/08 – 2010/11 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2004 – June 2017 |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 2004 – June 2017 |
HES – Admitted Patient Care | Identifiable, Non-sensitive | 2011/12 – 2019/20 |
Demographics | Identifiable, Sensitive | Latest available release |
The UoA and the University of Oxford (UoO) are joint Controllers.
The Knee Arthroplasty Trial (KAT) was funded by the National Institute for Health Research (NIHR) Health Technology Assessment (HTA) programme in 1998, to examine the clinical effectiveness and cost-effectiveness of four aspects of knee replacement surgery. It is the largest randomised trial of knee replacement surgery ever undertaken, involving 2352 participants.
This report also considers whether the UoA conforms to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Routine |
---|---|
Scope areas | Information transfer |
Restrictions | Access control - limited visibility of physical controls |
As the DSA only allows the data supplied by NHS Digital to be processed at the UoA, the audit focussed predominantly on the controls maintained by this joint Controller. The UoO is responsible for producing the outputs from the aggregated data.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
The UoA and UoO have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoA will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoA to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 2 agreement nonconformities, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.
Ref | Finding | Link to area | Clause | Designation | Notes |
---|---|---|---|---|---|
1 | Data is being stored at locations not declared on the DSA. Both locations were UoA buildings. | Information Transfer | DSA, Annex A, Section 2 | Agreement nonconformity | |
2 | Two individuals with access to the data supplied by NHS Digital have not completed their annual Information Governance training. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Agreement nonconformity | |
3 | The Controllers should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA. | Operational Management | | Opportunity for Improvement | |
4 | The UoA should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | | Opportunity for Improvement | |
5 | The UoA should log all requests to add or remove user access to NHS Digital data via the Service Desk tool, rather than relying on email trails in personal mailboxes. | Access Control | | Opportunity for Improvement | |
6 | The System Level Security Policy (SLSP) should include document version control and be reviewed annually, or whenever a change is made to the system. | Operational Management | | Opportunity for Improvement | |
7 | The Audit Team suggested that all appropriate teams within the UoA review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | | Opportunity for Improvement | |
8 | At the post audit review, the Audit Team will review the University’s revised approach to risk management, regarding updates to the corporate risk register and the associated risk criteria. | Risk Management | | Follow-up | |
Supplementary notes
No notes
Use of data
The UoA confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The UoA confirmed that the processing and storage locations for the datasets, including disaster recovery and backups, were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
Organisation | Territory of use |
---|---|
The UoA | UK |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
The UoA | Disk | 14 days |
The UoA | Tape | 24 months |
Good practice
During the audit, the Audit Team noted the following area of good practice:
- The UoA was able to clearly demonstrate the value the data supplied under this DSA has had towards influencing surgical practice. The results are one of the key sources for the American Academy of Orthopaedic Surgeons surgical management of osteoarthritis of the knee evidence-based clinical practice guidelines.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 4 March 2022 2:19 pm