
NHS Digital Data Sharing Remote Audit: British Thoracic Society

This report records the key findings of a remote data sharing audit of the British Thoracic Society where the interviews were conducted in May 2022

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the British Thoracic Society (BTS) where the interviews were conducted between 23 and 31 May 2022. It provides an evaluation of how the BTS conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-243753-G7Y5H-v2.01
  • the data sharing agreement (DSA) DARS-NIC-219944-G9X4V-v0.6

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2018/19 - 2019/20_M10 |
| HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2018/19 - 2019/20_M10 |
| Civil Registration (Deaths) - Secondary Care Cut | Pseudo/Anonymised, Non-sensitive | Latest available |

The Controller is the BTS and the Processors are Westcliff Solutions and the University of Nottingham (UoN).

The data provided by NHS Digital was linked with data collected by the BTS Adult Community Acquired Pneumonia (CAP) Audit 2018/19 to enable a more accurate analysis of a wider range of important outcome measures including mortality after discharge and readmission rates. The additional data also allowed further review on the presence of one or more additional conditions, whilst considering their current social class and living conditions, as these are known factors in increased risk of developing CAP.

The 2018/19 CAP audit was the sixth national CAP audit since 2009 and provides data on the treatment of patients hospitalised with CAP from over 120 participating hospital sites across the UK. The audit monitored performance of process of care measures against the BTS Guidelines for the management of patients with CAP 2009.

All of the expected analysis has been conducted; however, acceptance confirmation for a journal paper is still awaited. Once acceptance has been received, the supplied and processed data is expected to be deleted from its current locations.

This report also considers whether BTS and its Processors conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information Transfer
  • Access Control
  • Data Use and Benefits
  • Risk Management (the BTS and the UoN)
  • Operational Management and Control (the BTS and the UoN)
  • Data Destruction

Restrictions: Access control – reduced assessment with the BTS, Westcliff and the UoN, due to the nature of equipment being used to process the data supplied by NHS Digital and limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

The BTS has reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

The BTS and its Processors will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the BTS to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following tables identify the 4 agreement nonconformities, 4 organisation nonconformities, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit. 

BTS

| Ref | Finding | Link to area | Clause | Designation |
| --- | --- | --- | --- | --- |
| 1 | Analysis of the data supplied by NHS Digital was undertaken by a PhD student at the UoN, whereas the DSA stated such analysis would be conducted by substantive employees of UoN. | Use and Benefits | DSA, Annex A, Clause 5b | Agreement nonconformity |
| 2 | Processing of the data supplied by NHS Digital is being done on equipment not declared in the DSA, along with the use of Microsoft as a backup solution, who is not declared as a Processor in the DSA. | Use and Benefits | DSA, Annex A, Clauses 1c and 5a | Agreement nonconformity |
| 3 | The HES/ONS datasets are not recorded on the BTS Information Asset Register (IAR). The Audit Team also suggested additional fields that could be added to the register. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
| 4 | The BTS was unable to provide written evidence for how it monitors compliance with its information governance policies. Where such activities are undertaken in the future, it is important that suitable and auditable evidence is maintained. | Operational Management | BTS, Information Governance Policy, v5.0, 1 June 2021, Clauses 1.14, 5.5 and 6.6 | Organisation nonconformity |
| 5 | Since the DSA was signed, several minor changes around the processing and storage of data have been made. The BTS should speak with the Data Access Request (DARS) team to establish whether the DSA should be revised to reflect these changes, noting the data is expected to be deleted shortly, following acceptance of a journal paper. | Use and Benefits | DSA, Annex A, Clauses 2 and 5 | Observation |
| 6 | The BTS should ensure any future papers contain an acknowledgement to NHS Digital as being the source of the data. | Use and Benefits | | Opportunity for improvement |
| 7 | The BTS should ensure appropriate stakeholders review any new DSFC and DSA to ensure that they are fully aware of their responsibilities and are fully compliant. | Operational Management | | Opportunity for improvement |
| 8 | The BTS should add approval dates to future issues of its Data Protection Impact Assessments (DPIA). | Operational Management | | Opportunity for improvement |
| 9 | At the post audit review, the Audit Team will discuss the status of data deletion and, if appropriate, check that a Certificate of Destruction (CoD) has been completed by the BTS and sent to NHS Digital. Prior to destruction being undertaken, the BTS and UoN should agree on what evidence is to be collected to support the production of the CoD. | Data Destruction | | Follow-up |

UoN

| Ref | Finding | Link to area | Clause | Designation |
| --- | --- | --- | --- | --- |
| 10 | The HES/ONS datasets are not recorded on a UoN (or School) IAR. As a result, the normal information governance reviews, considerations and processes were not enacted, for example, the completion of a DPIA or the need to handle any specific risks. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2; UoN, Information Security Policy, Clause 7.2, August 2021; UoN, Handling Restricted Data Standards, Policy Area Clause 1, v1.0, April 2018 | Agreement nonconformity |
| 11 | The desktop holding the data supplied by NHS Digital is not encrypted. | Access Control | UoN, Handling Restricted Data Standards, Policy Area Clause 5, v1.0, April 2018 | Organisation nonconformity |
| 12 | The password requirements defined in the Access Control Standards were different to the technical controls being enforced through its systems. | Access Control | UoN, Access Control Standards, Policy Area Clause 5, August 2021 | Organisation nonconformity |

Westcliff

| Ref | Finding | Link to area | Clause | Designation |
| --- | --- | --- | --- | --- |
| 13 | Westcliff to correct inaccurate statements in its documentation as part of the next annual review. | Operational Management | Westcliff, Information Asset Register and Risk Assessment, May 2021, Pages 1, 3, 4 and 5; Westcliff, Data Protection Policy, May 2021, Page 1; Westcliff, Information Management and Record Keeping Policy, May 2021, Page 2; Westcliff, Information Governance Policy, May 2021, Pages 5, 7 and 9; Westcliff, Data Security, Access, Handling and Retention Policy, May 21, Pages 1, 3, 4, 5 and 7 | Organisation nonconformity |
| 14 | Westcliff should assess whether the desktop machine used to temporarily extract identifiable data collected from other sources should be encrypted. | Access Control | | Opportunity for improvement |
| 15 | Westcliff should consider how data held electronically could be permanently deleted from its systems, should this be required. | Data Destruction | | Opportunity for improvement |

Use of data

The BTS confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The UoN confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of Use |
| --- | --- |
| UoN | England / Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
| --- | --- | --- |
| UoN | Cloud | 93 days |

Good Practice

During the audit, the Audit Team noted the following area of good practice:

  • the BTS was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 19 August 2022 12:47 pm