Post audit review: Clinical Practice Research Datalink
This report provides the formal closure of the remote data sharing audit of Clinical Practice Research Datalink in June 2018.
Audit summary
This report provides an update of the data sharing audit of Clinical Practice Research Datalink (CPRD) at Medicines and Healthcare products Regulatory Agency (MHRA) on 12 and 13 June 2018 against the requirements of both:
- the data sharing framework contracts (DSFC): CON-323906-Z3V7K
- the data sharing agreement (DSA) NIC-15625-T8K6L-v1.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Mental Health Minimum Data Set | Pseudo/Anonymised, non-sensitive | 2006-2007 through to 2013-2014 (to 08/2014) |
Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, non-sensitive | 2014-2015 (From 08/2014) 2015-2016 (Up to M9) |
Hospital Episode Statistics Admitted Patient Care | Pseudo/Anonymised, non-sensitive | 1997-1998 through to 2017-2018 (Up to M10) |
Hospital Episode Statistics Critical Care | Pseudo/Anonymised, non-sensitive | 2007-2008 through to 2017-2018 (Up to M10) |
Hospital Episode Statistics Outpatients | Pseudo/Anonymised, non-sensitive | 2003-2004 through to 2017-2018 (Up to M10) |
Hospital Episode Statistics Accident and Emergency | Pseudo/Anonymised, non-sensitive | 2007-2008 through to 2017-2018 (Up to M10) |
Diagnostic Imaging Dataset | Pseudo/Anonymised, non-sensitive | 2012-2013 through to 2017-2018 (Up to M9) |
Patient Reported Outcome Measures (Linkable to HES) | Pseudo/Anonymised, non-sensitive | 2009-2010 through to 2017-2018 |
Bridge file: Hospital Episode Statistics to Mortality Data from the Office of National Statistics | Pseudo/Anonymised, non-sensitive | |
Bridge file: Hospital Episode Statistics to Mental Health Minimum Data Set | Pseudo/Anonymised, non-sensitive | |
Bridge file: Hospital Episode Statistics to Diagnostic Imaging Dataset | Pseudo/Anonymised, non-sensitive | |
Office for National Statistics Mortality Data | Identifiable, sensitive (Date of Death) | Linked records (As available at time of delivery) |
Mental Health Services Data Set - Service Users | Pseudo/Anonymised, non-sensitive | Future data as available |
Mental Health Services Data Set - Community | Pseudo/Anonymised, non-sensitive | Future data as available |
Mental Health Services Data Set - Currencies | Pseudo/Anonymised, non-sensitive | Future data as available |
Mental Health Services Data Set - Inpatients | Pseudo/Anonymised, non-sensitive | Future data as available |
CPRD is both the Data Controller and the Data Processor.
Following an initial post audit review conducted in December 2019, 1 agreement nonconformity and 1 observation remained open.
Further guidance on the terms used in this post audit review report can be found in version 2 of the NHS Digital Data Sharing Audit Guide.
Post audit review
This post audit review comprised an assessment of the action plan and supporting evidence supplied by CPRD between June and July 2021. It also involved video conference sessions in which evidence held on CPRD’s systems was viewed interactively.
Post audit review outcome
Based on the evidence provided by CPRD, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and CPRD.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.
Original risk statement: Medium
Previous risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
CPRD has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 4 agreement nonconformities, 4 organisation nonconformities and 12 observations raised as part of the original audit.
Findings 2 to 10 and 12 to 20 were closed as part of the post audit review conducted in December 2019.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Validation testing of required security controls has not been conducted. This is a known issue and is recorded on both the CPRD and MHRA risk registers. | Access control | CPRD provided evidence to confirm that it had conducted an external validation test in February 2021 following a major upgrade to its servers. Whilst the test identified several issues relating to the systems within scope of the test, CPRD showed it was addressing the findings and had closed the majority of the key findings. | Agreement nonconformity | Closed |
2 | The Secure Electronic File Transfer (SEFT) username and password supplied by NHS Digital are shared between three members of the CPRD team. Similarly, a common login account is used on the desktop used to download NHS Digital data. | Access control | CPRD declared that the password is now only kept by the recipient of the data and is not shared between members. Furthermore, data is now downloaded directly to the servers. The CPRD Standard Operating Process (SOP) states that the coordinator is responsible for data delivery and only one person has the password. | Agreement nonconformity | Closed |
3 | The portable external USB device used to transfer downloaded NHS Digital data between different networks is not encrypted. The device also holds data from different sources rather than just NHS Digital data. This shared device therefore increases the risk of inappropriate access to NHS Digital data. | Information transfer | CPRD declared the portable device is no longer used to transfer data supplied by NHS Digital and the disk was fully reformatted and encrypted before being repurposed within CPRD. A screenshot of the encryption settings for the portable device was supplied to the Audit Team. The Audit Team recommends that, if a similar situation arises in the future, a certificate of destruction is generated for audit purposes, and that CPRD should consider using specialist erasure software as an alternative to reformatting. | Agreement nonconformity | Closed |
4 | The statement in the DSA defining the encryption applied to transmitted files is incorrect. Either the actual password length used to encrypt the files should be increased to comply with the statement in the DSA or the statement corrected in the DSA. | Information transfer | CPRD stated that the password length has been increased to conform with the DSA and provided a screenshot of the updated configuration to the Audit Team. | Agreement nonconformity | Closed |
5 | The System Level Security Policy (SLSP) has not been revised for over six years even though it is meant to be reviewed annually. | Operational management | CPRD provided a copy of the updated SLSP which was reviewed and approved in January 2019. | Organisation nonconformity | Closed |
6 | Some MHRA and CPRD documents have exceeded their defined review periods. Furthermore, the management control information, including headers, needs to be corrected in some documents. For example: | Operational management | CPRD provided updated and approved versions of the below: | Organisation nonconformity | Closed |
7 | Not all of the recorded IT logs are proactively reviewed as required by the SLSP. It was recognised that whilst logs are being kept these were used reactively. However, the contracted third-party IT support company stated it was looking with CPRD at introducing additional monitoring. | Access control | CPRD stated it was starting to use specialist software (as part of a pilot phase) to monitor and analyse the performance of both the CPRD and MHRA networks and servers. The SLSP has been updated to reflect current practice and will be further revised once the specialist software has been commissioned in an official capacity. | Organisation nonconformity | Closed |
8 | The Information Security Policy refers several times to an Information Security Management System (ISMS). However, the Audit Team could find no evidence of a tangible ISMS nor could auditees define what the ISMS was. | Operational management | CPRD stated the MHRA ISMS is a collection of documents and processes rather than a single document. CPRD provided a diagram outlining the documents forming the ISMS and screenshots from its intranet which defined the ISMS and the status of current documentation. One of these pages states the ISMS was being evolved based on the requirements of ISO 27001. | Organisation nonconformity | Closed |
9 | No Privacy Impact Assessment has been completed by CPRD for the supplied NHS Digital data. In its recent guidance the Information Commissioner’s Office (ICO) states “information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR”. As a result, CPRD should consider completing a Data Protection Impact Assessment (DPIA) for the supplied data along with new GDPR requirements around information transfers. | Risk management | CPRD provided a copy of its DPIA checklist that was completed for the data supplied by NHS Digital. From the DPIA checklist, CPRD concluded that a full DPIA was not required. | Observation | Closed |
10 | CPRD to consider revising its data destruction certificate template to require the data recipient to be more definitive as to what has been destroyed. The examples seen by the Audit Team do not necessarily present a complete picture of what has been carried out; for example, no reference to backups was made in the supplied information, nor to the level of deletion (e.g. folders wiped). | Data destruction | CPRD has approved a revised certificate of destruction which largely replicates the latest NHS Digital certificate. | Observation | Closed |
11 | CPRD has not conducted any audits of its data recipients as permitted under its own sub-licence contract. | Operational management | CPRD has developed a client-based audit questionnaire and was establishing an audit schedule under which 6 audits per year would be undertaken. CPRD stated that it had completed a recent audit with a client and was in the process of completing an audit with another client. CPRD provided a screenshot of the completed audit on the system it uses to track audit findings. During the video session, CPRD showed what level of information was collected from clients and the level of detail that was collated during the audit. CPRD also indicated that it was planning to publish an executive summary of the audit on its public facing website. | Observation | Closed |
12 | CPRD should consider what additional information governance / data protection provision is requested from a data recipient for staff that will have access to supplied data as part of CPRD’s application review process. | Operational management | CPRD stated that it had reviewed the form that data recipients need to submit and, for the purpose of handling data, had concluded the form was adequate. | Observation | Closed |
13 | At the end of the licence period CPRD has started to send the data recipient an email to ask whether the organisation wishes to extend the contract period or to remind it to return a completed data destruction certificate. Within this email CPRD should ask for copies of presentations / publications or, if not currently available, a revised plan for when such documentation is to be available. The requirement to supply such documentation is already a CPRD contractual term. | Operational management | CPRD provided a copy of a redacted email sent to a data recipient which asked for links to any resulting publications. CPRD also provided screenshots to demonstrate that once CPRD has received notification of data destruction, a request will be sent for copies of publications. | Observation | Closed |
14 | At present, data recipients are not proactively and repeatedly chased for data destruction certificates, though improvements around this have started to be made (see finding 13). | Data destruction | CPRD stated it had introduced measures to provide automated alerts if a data recipient had not responded to a request for a certificate of destruction. Initially a reminder is sent after 3 months and the system continues to generate alerts every 3 months. CPRD reported this process was working, but any failure to provide a certificate would be considered a breach of the agreement and would be escalated as such. CPRD provided a copy of a redacted email sent to a data recipient reminding the organisation that the data destruction protocols had not been met and that a data destruction certificate had to be provided within 14 working days. CPRD provided a screenshot of the deletion reminders sent and a copy of the email templates used to follow up requests for destruction. | Observation | Closed |
15 | The majority of the defined fields in the CPRD Information Asset Register (IAR) were blank. There has been a new piece of work around GDPR which has looked at this area and there is a recognition within the organisation that a new IAR is required. | Operational management | CPRD provided an extract of its IAR which includes data supplied by NHS Digital. | Observation | Closed |
16 | Internal audit / compliance assessments of CPRD have been infrequent and those conducted have had a limited scope. The Audit Team suggests CPRD undertakes further internal audit / compliance checks. | Operational management | CPRD provided a copy of a report for an audit conducted by the Government Internal Audit Agency (GIAA) in November 2018. The overall rating in the report was substantial, with one low-priority recommendation made. CPRD stated this recommendation had been addressed. CPRD stated that such GIAA audits will be conducted on an annual basis. | Observation | Closed |
17 | The lock of the safe holding the external transfer drive has not been changed for a while, nor is there any intent to do so given it is not part of the future move. The mechanism to secure the external drive at the new premises needs to be appropriate. | Access control | CPRD stated the external drive is no longer used to transfer data (see finding 19). Furthermore, there is no safe in the new offices. | Observation | Closed |
18 | CPRD plans to develop a leavers checklist to ensure a standard process is followed. The organisation already has a starter checklist. | Operational management | CPRD has produced a new leavers checklist. A copy of the checklist was provided to the Audit Team. | Observation | Closed |
19 | Data downloaded from NHS Digital is being retained on the unencrypted external drive due to limited capacity on the current processing environment. CPRD stated that the need to provide additional space has been acknowledged and would be implemented soon. A commitment was made by CPRD to remove these files once the additional capacity had been implemented and the existing data transferred to it. | Information transfer | CPRD declared the portable device is no longer used to transfer data supplied by NHS Digital and the disk was fully reformatted and encrypted before being repurposed within CPRD. A screenshot of the encryption settings for the portable device was supplied to the Audit Team. The Audit Team recommends that, if a similar situation arises in the future, a certificate of destruction is generated for audit purposes, and that CPRD should consider using specialist erasure software as an alternative to reformatting. | Observation | Closed |
20 | The CPRD laptops are not subject to port control due to the need for the external transfer drive, whereas MHRA devices were reported as being subject to port control. The Audit Team suggested that automated encryption of connected unencrypted USB devices, or a white/black list, be implemented due to the removal of port control. | Access control | CPRD reported that CPRD laptops are MHRA devices and therefore are subject to port control. The external drive is no longer being used to transfer data (see finding 19). | Observation | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 18 August 2021 9:56 am