Data Sharing Remote Audit: University of York
This report records the findings of a remote data sharing audit of the University of York - Epidemiology and Cancer Statistics Group in June 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Epidemiology and Cancer Statistics Group (ECSG) at the University of York (UoY) between 2 and 9 June 2021. It provides an evaluation of how the ECSG and the UoY conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-314909-S3P2M
- the data sharing agreement (DSA) DARS-NIC-06759-X5V7P-v5.12
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) – Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2022/23 |
| HES – Admitted Patient Care | Pseudo/Anonymised, Sensitive | 1997/98 – 2022/23 |
| HES – Outpatients | Pseudo/Anonymised, Sensitive | 2003/04 – 2019/20_M12 |
| HES – Accident and Emergency | Pseudo/Anonymised, Sensitive | 2007/08 – 2015/16 |
| Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | August 2009 – March 2020 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | August 2009 – March 2020 |
| MRIS – Cause of Death Report | Identifiable, Sensitive | August 2009 – March 2020 |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available release |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Sensitive | 2020/21 – 2022/23 |
| Demographics | Pseudo/Anonymised, Sensitive | Latest available release |
| Cancer Registration Data | Pseudo/Anonymised, Sensitive | Latest available release |
The Controllers are the UoY and the Hull University Teaching Hospitals (HUTH) NHS Trust and the Processor is the UoY. Although the research was commissioned by the HUTH, it does not receive, process or store the data.
Data supplied by NHS Digital are only accessible to approved users within the ECSG in the Department of Health Sciences at the UoY.
HES, mortality and cancer data were supplied by NHS Digital for the purpose of a research study referred to as the Yorkshire and Humberside Haematology Network Register (YHHN) Comparison Cohort. YHHN is a collaboration between researchers at the UoY and the Joint Haematology Network Site Specific Group for the West Yorkshire and Humber, Coast & Vale Clinical Alliances.
The YHHN region comprises the population served by the West Yorkshire and Humber, Coast & Vale Clinical Cancer Alliances. There are 14 hospitals within the YHHN, and these hospitals comprise the five multi-disciplinary teams that oversee the management of patients diagnosed with haematological malignancies in the Network.
This report also considers whether the ECSG and the UoY conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions | Access control - limited visibility of physical controls |
As HUTH does not receive, process or store the data, the audit focussed on the controls maintained by the UoY and the ECSG.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium – Low.
Current risk statement: Medium
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
The UoY has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoY will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoY to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 2 agreement nonconformities, 1 organisation nonconformity, 1 observation, 12 opportunities for improvement and 2 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | Validation testing of required security controls has been conducted on an infrequent basis with some aspects of testing not carried out. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 2 | A security appliance did not contain the latest patches. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 3 | The ECSG should review its approach to risk management and ensure that it is consistent with the UoY Risk Management Policy. | Risk management | UoY, Risk Management Policy, Section 7.3 | Organisation nonconformity | |
| 4 | The ECSG should take appropriate action to resolve the vulnerability identified in the vulnerability scan conducted in June 2021. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation | |
| 5 | The ECSG should consider updating section 2 of the DSA and declare the full processing and storage addresses. It should be noted that these locations have been declared in section 5b of the DSA. | Operational management | Opportunity for improvement | ||
| 6 | The UoY should consider providing risk management training, to ensure that all relevant staff are aware of the processes for raising, recording and monitoring risks. | Risk management | Opportunity for improvement | ||
| 7 | The ECSG information asset register (IAR) should be developed to be in line with the UoY IAR. The IAR should also be updated to reference specific datasets, data sensitivity classification, Information Asset Owner (IAO), Information Asset Administrator(s), download date, deletion date and details of any joint Controllers. The IAR should also take into account requirements from the research and governance section of the UoY Health Sciences data security policy. | Operational management | Opportunity for improvement | ||
| 8 | The UoY should consider including details of the next review date on policies and procedures as part of its document management control. | Operational management | Opportunity for improvement | ||
| 9 | The ECSG should review the Data Protection Impact Assessment (DPIA) annually, or when a change is made. The document should also be subject to document version control. | Operational management | Opportunity for improvement | ||
| 10 | The ECSG System Level Security Policy (SLSP) should be subject to document version control. | Operational management | Opportunity for improvement | ||
| 11 | The ECSG should consider implementing further technical controls to identify changes to Active Directory (AD) administration groups. | Access control | Opportunity for improvement | ||
| 12 | The ECSG should reassess its use of built-in administrator accounts. | Access control | Opportunity for improvement | ||
| 13 | The UoY should expand its current data destruction policy to include physical equipment destruction. | Data destruction | Opportunity for improvement | ||
| 14 | The UoY should develop a vulnerability assessment policy. The policy should specify the frequency of vulnerability scans and penetration tests to be performed. | Access control | Opportunity for improvement | ||
| 15 | The UoY should consider including further information within its Patching Policy regarding application-level patching. | Access control | Opportunity for improvement | ||
| 16 | The ECSG should consider a periodic independent review to ensure that ECSG systems and infrastructure are in compliance with both local and corporate level policies/ procedures. The findings from any review should be shared with the IAO. | Operational management | Opportunity for improvement | ||
| 17 | At the post audit review, the Audit Team will review the Record of Processing Activities (ROPA), which is currently being drafted by the UoY. | Operational management | Follow-up | ||
| 18 | At the post audit review, the Audit Team will review:
|
Operational management | Follow-up |
Supplementary notes
No notes
Use of data
The UoY confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The UoY confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| UoY | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoY | Disk | 5 weeks |
| UoY | Tape | 6 years |
Good practice
During the audit, the Audit Team noted the following area of good practice:
- the ECSG was able to clearly demonstrate the value the data supplied under this DSA has had towards the delivery of patient care, across 14 hospitals
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 4 March 2022 2:18 pm