NHS Digital Data Sharing Remote Audit: Belfast Health and Social Care Trust

This report records the key findings of a remote data sharing audit of Belfast Health and Social Care Trust in March 2022

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of Belfast Health and Social Care Trust (BHSCT) between 21 and 29 March 2022. It provides an evaluation of how BHSCT conforms to the requirements of both:

the data sharing framework contract (DSFC) CON-304112-D2Q8H
the data sharing agreement (DSA) DARS-NIC-10029-G5R2H-v0.2

This DSA covers the provision of the following dataset:

Dataset	Classification of data	Dataset period
MRIS-Personal Demographics Service	Pseudo/Anonymised, Sensitive	Historic Data Request

The Controller is BHSCT and the Processor is the Health and Social Care Business Services Organisation (HSC BSO).

The HARP2 study was a clinical trial which ran from 2010 to 2016. The aim of the HARP2 study was to test the hypothesis that treatment with the drug Simvastatin would be of therapeutic value in patients with acute lung injury (ALI) or acute respiratory distress syndrome (ARDS). The study had two distinct objectives:

to conduct a randomised, double-blind, placebo-controlled phase 2 trial of Simvastatin for the treatment of ALI / ARDS
to understand the biological mechanisms by which Simvastatin treatment might work in patients with ARDS.

The data were originally disseminated under a previous agreement DARS-NIC-155413 (MR1294) which covered the period from 5 February 2013 to 4 February 2018. The current agreement (24 January 2022 to 30 April 2022) allows the retention of this data but no additional processing.

The Northern Ireland Clinical Trials Unit (NICTU), hosted by BHSCT, needs to retain access to fulfil its retention policy of up to 15 years after the end of the trial (this would be 19 June 2031).

This report also considers whether BHSCT and its Processor conforms to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Heightened Concern A heightened concern audit was carried as a result of the data provided by NHS Digital being shared with other organisations without being aggregated. BHSCT declared in its recent application that it had onwardly shared pseudonymised information about trial participants with six organisations between 2015 and 2018.
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Current risk statement: High

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

BHSCT has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

BHSCT will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the BHSCT to confirm the findings have been satisfactorily addressed.

Findings

The following table identifies the 10 agreement nonconformities, 3 organisation nonconformities, 4 observations and 5 opportunities for improvement raised as part of the audit.

BHSCT / NICTU

Ref	Finding	Link to area	Clause	Designation
1	Data had been onwardly shared with 6 external research organisations without being aggregated which was not allowed by the DSA. Data had also been shared outside of the stated territory of use (UK).	Information Transfer	DSFC, Part 2, Clause 4.1.4 DSA, Annex A, Section 2c	Agreement nonconformity
2	The storage locations in the DSA do not reflect the actual addresses where the data is stored.	Information Transfer	DSA, Annex A, Section 2b	Agreement nonconformity
3	All staff with access to the NHS Digital data have not received data protection training in the last 12 months.	Operational Management	DSFC, Schedule 2, Section A, Clause 1.2.2	Agreement nonconformity
4	Security assessments have not been performed.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
5	Accounts for a small number of staff that had left or no longer require access had not been disabled or deleted.	Access Control	DSA, Clause 7.1 DSFC, Schedule 2, Section A, Clause 4.1	Agreement nonconformity
6	The Information Asset Register (IAR) does not include an entry for the data supplied by NHS Digital.	Operational Management	DSFC, Schedule 2 Section A, Clause 3.2	Agreement nonconformity
7	A Data Protection Impact Assessment (DPIA) has not been undertaken by BHSCT for the NHS Digital data. It is BHSCT’s practice to complete at least the DPIA screening checklist to assess if a full DPIA is required.	Operational Management	BHSCT, Conducting Data Protection Impact Assessments (DPIA) – Section 2 - 2.9	Organisation nonconformity
8	The minimum password length for an application was not in line with the Health and Social Care (Northern Ireland) (HSCNI) Accounts and Passwords All User Standard policy.	Access Control	HSCNI, 1.11 Accounts and Passwords All User Standard, User Passwords, Password Strength, Page 6	Organisation nonconformity
9	The Information Asset Owner (IAO) had not completed a specialist training refresher course in line with BHSCT requirements.	Operational Management	BHSCT, IG Training Plan V3.0, page 1	Organisation nonconformity
10	The 6 external organisations that were previously supplied with the data have not been asked to refrain from processing the data or to delete the data.	Data Destruction		Observation
11	A Record of Processing Activity (ROPA) had not been completed for the HARP2 trial. If the ability to process data is reinstated in a future DSA, then a ROPA needs to be completed.	Operational Management		Observation
12	Data supplied by NHS Digital had been processed on unencrypted machines where if the application crashed, then temporary files would be cached on the machine’s local drive. This potential situation would need to be assessed prior to any future processing.	Information Transfer		Observation
13	BHSCT has still to agree its System Level Security Policy (SLSP) with the Data Access Request Service (DARS) team by the end of April 2022.	Operational Management		Observation
14	BHSCT should consider developing a standard operating procedure or enhance an existing procedure to support the electronic deletion of data to ensure that specific requirements of the DSFC are carried out.	Data Destruction		Opportunity for improvement
15	BHSCT should update its Data Transfer Procedure to seek permission of the data owner before sending data to other recipients.	Operational Management		Opportunity for improvement
16	BHSCT should seek clarification from its service provider as to how the hosted infrastructure is segregated and that appropriate controls have been applied.	Operational Management		Opportunity for improvement
17	The DSFC and DSA should be shared with key support teams to ensure that they are aware of their responsibilities and obligations.	Operational Management		Opportunity for improvement

HSC BSO

Ref	Finding	Link to area	Clause	Designation
18	Software had not been recently patched.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
19	Shared logins for some accounts were in use. The nature and number of administration accounts also requires review.	Access Control	DSFC, Schedule 2, Section A, Clause 4.1	Agreement nonconformity
20	The servers are not recorded on the IT Asset Management system.	Access Control	DSFC, Schedule 2, Section A, Clause 4.7	Agreement nonconformity
21	Security assessments have not been performed.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
22	A risk assessment should be performed to identify risks associated with the current configuration of the hosted environment.	Operational Management		Opportunity for improvement

Use of data

BHSCT confirmed that the dataset only being processed and used for the purposes defined in the DSA and was not being linked with another dataset.

Data location

BHSCT confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
BHSCT / NICTU	UK
HSC BSO	UK

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
BHSCT / NICTU	Disk	1 Year
HSC BSO	Disk	28 days

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the audit team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 15 June 2022 10:13 am