NHS Digital Data Sharing Remote Audit: IQVIA
This report records the key findings of a remote data sharing audit of IQVIA Limited and IQVIA Technology Services Limited in August 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of IQVIA Limited and IQVIA Technology Services Limited (collectively referred to as IQVIA) where the interviews were conducted between 9 and 16 August 2022. It provides an evaluation of how IQVIA conforms to the requirements of:
- Data Sharing Framework Contracts (DSFCs):
- CON-290392-M1B6L-v2.01 (IQVIA Limited)
- CON-315306-L9Z8S-v2.01 (IQVIA Technology Services Limited)
- Data Sharing Agreements (DSAs): DARS-NIC-373563-N8Z9J-v9.7 and v10.7
These DSAs covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2018/19 to 2021/22_M11 |
| Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2021/22_M11 |
| HES Out-patients | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2021/22_M11 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2019/20_M12 |
| HES: Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest available |
| HES: Civil Registration (Deaths) Secondary Care Cut | Pseudo/Anonymised, Non-sensitive | Latest available |
| Summary Hospital-level Mortality Indicator | Pseudo/Anonymised, Non-sensitive | Nov 2017 – Dec 2021 |
| HES-ID to MPS-ID HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2014/15 - 2019/20 |
| HES-ID to MPS-ID HES Out-patients | Pseudo/Anonymised, Non-sensitive | 2014/15 - 2019/20 |
The joint Controllers are IQVIA Limited and IQVIA Technology Services Limited.
The data allows IQVIA to provide services to improve healthcare for citizens and provide support services to healthcare providers to enable them to deliver better healthcare. This includes:
- the development of a suite of software tools and dashboards which enables authorised users to view metrics using tables, maps and charts
- undertaking bespoke statistical analyses to fulfil the requirements of specific projects.
This report also considers whether IQVIA conforms to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Heightened concern This heightened concern audit was conducted at the request of Data Access Request Service (DARS) to look at concerns around the role of the Independent Scientific Ethics Advisory Committee (ISEAC). |
|---|---|
| Scope areas |
Information transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
IQVIA has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
IQVIA will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with IQVIA to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 1 agreement nonconformity, 4 organisation nonconformities, 1 observation, 3 opportunities for improvement and 2 points for follow-up raised as part of the audit. During the audit, 2 of these findings were closed.
Note: findings identified that were comparable to those raised in the June 2022 audit of IQVIA have not been included in this report.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
The Certificate of Destructions (CoD) for November 2019, and to a lesser extent January 2019, contained inaccurate dates. The Audit Team suggested that the specific datasets being destroyed, i.e. the associated years, be included on future certificates. |
Data Destruction | NHS Digital, Certificate of Destruction, v1.1 | Agreement nonconformity |
| 2 |
The HES register contained the wrong information with respect to the relevant service designation for one of the applications reviewed as part of the audit. The Audit Team suggested that the service definitions in the DSA should be slightly improved to avoid ambiguity. |
Operational Management | IQVIA, HES Register | Organisation nonconformity |
| 3 |
IQVIA to revise the risk assessment within the Data Protection Impact Assessment (DPIA) covering the data supplied against this DSA as some of the impact statements are incorrect. The DPIA was reviewed and updated during the audit. |
Operational Management | IQVIA, DPIA, v2 | Organisation nonconformity |
| 4 |
IQVIA to remove the statement in the Record of Processing Activity (ROPA) with respect to honorary contracts. The ROPA was reviewed and updated during the audit. |
Operational Management | IQVIA, ROPA, July 2022 | Organisation nonconformity |
| 5 |
Recommendations assigned by ISEAC to applications in 2020 were not consistent with those defined in the ISEAC Terms of Reference (ToR) current at that time. Consistent definitions were formalised in the ToR v6.0 published in May 2022. Also, the approval section at the end of a protocol only allows for a simple 'Approved/Not approved' decision. |
Use and Benefits | ISEAC, ToR, v3 | Organisation nonconformity |
| 6 | In the absence of an active agreement, IQVIA is to discuss with NHS Digital the level of processing that is permissible until a new agreement is signed. | Use and Benefits | DSA, Annex A, Section 5 | Observation |
| 7 | The ISEAC documentation should be clearer as to how IQVIA may proceed with respect to the defined recommendations and whether a protocol not fully approved needs to be returned to the Chair for further review. | Use and Benefits | Opportunity for improvement | |
| 8 | ISEAC should be specific in its ToR as to what the Quorate includes. | Use and Benefits | Opportunity for improvement | |
| 9 | The HES terms and conditions as required by the DSA could be better referenced in the main body of IQVIA contracts with external organisations. | Operational Management | Opportunity for improvement | |
| 10 | At the post audit review, the Audit Team will confirm that the issue with respect to only 2 months of data being available in the system logs has been resolved and will look at the latest logs. | Access Control | IQVIA, System logs | Follow-up |
| 11 | At the post audit review, the Audit Team will check whether a CoD has been issued to DARS covering data falling outside of the declared 5 years retention period when the latest datasets have been supplied to IQVIA. | Data Destruction | IQVIA, DPIA, v2 | Follow-up |
Use of data
IQVIA confirmed that the datasets were only being processed and used for the purposes defined in the DSAs and were not being linked with another dataset.
Data location
IQVIA confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| IQVIA | England/Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| IQVIA | Disk | 90 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 23 November 2022 9:26 am