NHS Digital Data Sharing Remote Audit: Cardiff University
This report records the key findings of a remote data sharing audit of the Centre for Trials Research at Cardiff University in May 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Centre for Trials Research (CTR) at Cardiff University where the interviews were conducted between 3 and 9 May 2022. It provides an evaluation of how Cardiff University conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-311457-N2L9D-v2.01
- the data sharing agreement (DSA) DARS-NIC-184980-J5B6C-v8.3
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) - Members and Postings Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS – Flagging Current Status Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS – Cause of Death Report | Identifiable, Sensitive | October 2006 - March 2017 |
The Controller is Cardiff University, and the Processors are Cardiff University and the University of Birmingham. The current DSA only permits the secure retention of the data; no other processing is allowed.
Mortality and cancer data were supplied for the purpose of a research study referred to as 'AML15 – MRC working parties on leukaemia in adults & children acute myeloid leukaemia trial 15'. The University of Birmingham's Clinical Trials Unit (BCTU) was delegated the responsibility of managing the main trial database and received the data on behalf of the sponsor, Cardiff University, from the Office of National Statistics (ONS) and subsequently the Health and Social Care Information Centre. The data was received in paper format and then transferred manually to the trial database after verification checks against data received from other sources.
The trial closed in 2009 and the DSA is in place to cover retention of the data to comply with ongoing regulatory requirements from both the Research Ethics Committee and the Medicines and Healthcare products Regulatory Agency (MHRA) for oversight of trial participants. Paper records were transferred to the CTR from BCTU in 2011 and a copy of the database relating to the trial was subsequently transferred to the CTR in 2020.
This report also considers whether Cardiff University, as sponsor, and the University of Birmingham conform to their own policies, processes, and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Focused |
---|---|
Scope areas | Information transfer; Restrictions; Access control - limited visibility of physical controls |
Overall risk statement
Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low:
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
Cardiff University as sponsor, the CTR and the BCTU have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The CTR and the BCTU will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the Auditee to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 7 agreement nonconformities, 4 organisation nonconformities, 1 opportunity for improvement, and 1 point for follow-up raised as part of the audit.
Whilst the audit only considered Information Transfer, Access Control and Data Destruction within its scope, the Audit Team did note some findings around the handling of the data and the discharge of these functions which are better classified to different scope areas.
CTR
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | The data storage locations specified on the DSA do not accurately reflect the current locations. | Information Transfer | DSA, Annex A, clause 2b | Agreement nonconformity |
2 | There was no evidence to show that user permissions to the NHS Digital data had been reviewed on a regular basis. | Access Control | DSA, Clause 7.1; DSFC, Schedule 2, Section A, Clause 4.1 | Agreement nonconformity |
3 | The asset register for the AML15 trial was not up to date and did not identify the Information Asset Owner (IAO). | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
4 | The CTR had not reported a security incident relating to the hard copies of the data to the Data Access Request Service (DARS) team. The incident relates to irreversible damage to clinical trial records stored at its third-party offsite storage facility resulting from storm damage in February 2022. The CTR notified DARS of the incident during the audit and have reported it to the MHRA, and it was reported to the Charity Commission centrally through the Cardiff University Governance team. | Operational Management | DSFC, Part 2, Clause 4.1.8 | Agreement nonconformity |
5 | One member of staff with access to the data supplied by NHS Digital had not received data protection training in the last 12 months. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2 | Agreement nonconformity |
6 | Patching had not been consistently conducted in accordance with the patching document. | Access Control | Cardiff University, Database Software Patching Policy, Guiding Principles section | Organisation nonconformity |
7 | Inconsistencies were found with respect to user permissions in the AML-15 Trial Activity Delegation log. | Access Control | CTR, AML 15 Trial Activity Delegation Log | Organisation nonconformity |
8 | An issue regarding a physical security control around patient paper records located on site in CTR offices was found. | Access Control | CTR, General Data Protection Regulation Policy, POL/007/2 V4 | Organisation nonconformity |
9 | Cardiff University should document its approach to conducting security assessments. | Access Control | | Opportunity for improvement |
10 | At the post audit review, the Audit Team will look at evidence regarding the ONS data downloaded from NHS Digital in April 2017. | Information Transfer | | Follow-up |
BCTU
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
11 | Software had not been recently patched. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
12 | Security assessments have not been performed. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
13 | BCTU’s data asset register for the AML15 trial contained a number of blank fields. | Operational Management | BCTU Data Asset Register | Organisation nonconformity |
Use of data
The CTR confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was only being linked with those datasets explicitly allowed in the DSA.
Data location
Organisation | Territory of use |
---|---|
CTR | England / Wales |
BCTU | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
CTR | Disk | 30 days |
BCTU | Tape | 10 Years |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the CTR was able to demonstrate the value that the data supplied under this DSA has had in benefitting the provision of health and social care in England and Wales.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 September 2022 4:11 pm