
NHS Digital Data Sharing Remote Audit: IQVIA Limited

This report records the key findings of a remote data sharing audit of IQVIA Limited in June 2022

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of IQVIA Limited between 20 and 30 June 2022. It provides an evaluation of how IQVIA conforms to the requirements of:

  • the data sharing framework contract (DSFC) CON-290392-M1B6L-v2.01
  • the data sharing agreements (DSA) DARS-NIC-13925-Q7R2D v7.6, v9.2 and v10.3

These DSAs cover the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2020/21_Q04 |
| Hospital Episode Statistics (HES) Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 - 2020/21_Q04 |
| HES Statistics Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 - 2020/21_M12 |
| HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2005/06 - 2020/21_Q04 |
| HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2005/06 - 2020/21_Q04 |

 

The Controller is IQVIA.

IQVIA produces a longitudinal research database, Hospital Treatment Insights (HTI). This database contains unique information on diagnosis, treatment and drug usage by pharmacy and HES data with identifiers removed.  

This report also considers whether IQVIA conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Heightened concern

This heightened concern audit was conducted at the request of DARS to look at the process by which research applications, from external organisations that utilise the HTI database, are managed. At the time of the audit IQVIA were only allowed to retain data and no processing was allowed.

Scope areas:

  • Information transfer
  • Access control
  • Data use and benefits
  • Risk management
  • Operational management and control
  • Data destruction

Restrictions:

  • Access control - limited visibility of physical controls

The latest active DSA is version 10.3; however, the audit focussed primarily on v7.6 and v9.2.

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

IQVIA has reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

IQVIA will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with IQVIA to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following table identifies the 2 agreement nonconformities, 1 observation, 5 opportunities for improvement and 2 points for follow-up raised as part of the audit. 

In addressing a finding, the data recipient must take account of any referenced supplementary notes.

| Ref | Finding | Link to area | Clause | Designation | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | IQVIA’s Independent Scientific Ethical Advisory Committee (ISEAC) did not meet requirements as outlined within the ISEAC Terms of Reference (ToR) v3, including: • although IQVIA provided an agenda for the 2018 Annual General Meeting (AGM), the Audit Team was unable to confirm the AGM was held as no minutes were available. Furthermore, no AGMs were held in 2019 and 2020 at the direction of the ISEAC Chair • no annual report was produced by ISEAC between 2018 and 2020 • the annual review of ISEAC ToR had not been conducted in 2019 and 2020 • no ISEAC Standard Operating Procedures (SOPs) were in place prior to 2021. | Use and Benefits | DSA v7.6 and v9.2, Annex A, Section 5a; ISEAC, Terms of Reference, v3, 3 March 2018 | Agreement nonconformity | |
| 2 | IQVIA to ensure that all stakeholders have sight of the DSA, especially the ISEAC committee who should review the DSA when changes are made. For example, a protocol was approved to support a PhD study, which was not permitted by the DSA. | Use and Benefits | DSA v7.6, Annex A, Section 5d | Agreement nonconformity | |
| 3 | IQVIA to agree with DARS a suitable timeframe for maintaining a record of exports for monitoring and audit purposes. IQVIA could not provide any auditable trail of exports from its research environment prior to July 2021. It should be noted that the generated logs from the system installed in July 2021 are only retained for 12 months, which is generally shorter than the research projects being conducted. | Access Control | DSA v7.6 Annex A, Section 5b; IQVIA, Overview of the IQVIA UK Information Security Management System, v30.1, May 2022, Clause 3.3.1 | Observation | 1 |
| 4 | IQVIA should update the protocol to include: • who is involved in the research including details of users accessing and processing the data • the responsibility of each party • the clause specified in the DSA around contracts with external organisations • a statement that the work is a joint collaboration between IQVIA and a third-party and any direct outputs must include reference to this. | Operational Management | | Opportunity for improvement | |
| 5 | IQVIA should consider making it easier for the public to locate publications that have been produced using HTI data, for example, by including a HTI data category on its bibliography. IQVIA should also declare on its website which protocols have been approved by ISEAC and the date of their approval. | Use and Benefits | | Opportunity for improvement | |
| 6 | IQVIA should update the processing section of the Record of Processing Activities (ROPA), dated May 2022, to remove University College London as a Processor. | Operational Management | | Opportunity for improvement | |
| 7 | IQVIA should include the ISEAC and HTI processes in its future internal audit programme to ensure it is fully compliant with the requirements of the DSFC, DSA and IQVIA’s own policies and procedures. | Operational Management | | Opportunity for improvement | |
| 8 | IQVIA should ensure that future honorary contracts are signed by a representative of IQVIA. The honorary contract template had previously been approved by the Data Access Advisory Group. | Operational Management | | Opportunity for improvement | |
| 9 | At the post audit review, the Audit Team will review evidence of the outputs for the 4 protocols approved between January 2018 and December 2020 that are in progress. | Use and Benefits | | Follow-up | |
| 10 | At the post audit review, the Audit Team will confirm whether the information requested in the special conditions in v10.3 of the DSA has been provided to DARS. This is subject to IQVIA being allowed to restart processing data. | Use and Benefits | | Follow-up | |

Supplementary notes

The following note refers to the table above and provides additional commentary on the linked finding.

Note 1.  In addition to any reporting via a system tool, IQVIA should consider developing a data export register. This register should log:

  • the name and reference number of the protocol
  • the name of the person making the request and the date of request
  • the name of the approver and decision made
  • a reference to the output file and date of export
  • a field to confirm that small number suppression has been applied to the exported file.

Use of data

IQVIA confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset. 

Data location

IQVIA confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
| --- | --- |
| IQVIA | England / Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
| --- | --- | --- |
| IQVIA | Disk | 90 days |

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 October 2022 1:01 pm