NHS Digital Data Sharing Remote Audit: Northumbria Healthcare NHS Foundation Trust
This report records the key findings of a remote data sharing audit of Northumbria Healthcare NHS Foundation Trust in June 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Northumbria Healthcare NHS Foundation Trust (The Trust) between 6 and 29 June 2022. It provides an evaluation of how the Trust conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-267591-M5B9R-v2.02
- the data sharing agreement (DSA) DARS-NIC-249035-R2Z5Y-v0.7
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
| HES Critical Care | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
| HES Accident and Emergency | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
| Civil Registration (Deaths) – Secondary Care Cut | Identifiable, Sensitive | Historic Data Request |
| HES: Civil Registration (Deaths) bridge | Identifiable, Sensitive | Historic Data Request |
The Controller is the Trust and is using Microsoft UK Limited (undeclared on the DSA) as a Processor for cloud storage.
The NIVO (Non-Invasive Ventilation Outcomes) Study, is a 10-centre prospective trial led by the Trust, assessing outcomes in hospital and after discharge in patients who are ventilated for exacerbations of chronic obstructive pulmonary disease (COPD). The research team at the Trust is currently deriving a predictive tool, using indices that are readily available and designed to be easy to apply at the bedside, to predict inpatient mortality in exacerbations of COPD requiring assisted ventilation. A cohort of 844 patients is tracked by the NIVO study and the datasets for HES and mortality will allow assessment of the definitive cause of death in patients who have been treated with non-invasive ventilation for COPD, facilitating the ability to draw accurate conclusions about disease progression and prognosis.
The Trust has downloaded the data, however, no further processing has taken place. The Trust advised that due to the length of time it took to process the application (over 1 year), the contract for the research fellow expired before the data was received and the subsequent Coronavirus pressures affected the availability of the researchers to analyse the data.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The Trust has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The Trust will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the Trust to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 7 agreement nonconformities, 2 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | The data storage locations specified on the DSA do not accurately reflect the current locations. | Information Transfer | DSA, Annex A, Clause 2b | Agreement nonconformity | |
| 2 | An undeclared third-party cloud provider (Microsoft UK) is being used to store the data supplied by NHS Digital. | Information Transfer | DSA, Annex A, Clause 1c | Agreement nonconformity | |
| 3 | The Audit Team was informed the data supplied by NHS Digital was downloaded onto a Trust laptop. This laptop was returned to the Research Department when the researcher left the Trust. The Trust could not locate the laptop therefore the level of encryption could not be determined and it was not clear if the laptop was still in use or had been disposed of. | Information Transfer | DSFC, Part 2, Schedule 2, Section A, Clause 4.7 | Agreement nonconformity | |
| 4 | Permissions to the folder holding NHS Digital data on the Trust’s network need to be modified to restrict access to delegated members of the NIVO Study Team. |
DSFC, Part 2, Clause 5.4.6 DSFC, Schedule 2, Section A, Clause 4.1 |
Agreement nonconformity | ||
| 5 | There was no evidence to show that user permissions to the NHS Digital data had been reviewed on a regular basis. | Access Control | DSFC, Schedule 2, Section A, Clause 4.1 | Agreement nonconformity | |
| 6 |
The Trust’s Information Asset Register (IAR) does not contain an entry for the data supplied under this DSA. The Trust reported there is a Caldicott Information Asset Register which does have an entry for NHS Digital Data, however, no evidence was provided to support this. |
Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity | |
| 7 | Data in transit is not encrypted as required by the DSFC, however, the Trust reported that transit is via a private network. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity | 1 |
| 8 | The DSA requires staff that access the data to be substantive employees of the Trust. The Trust should inform DARS of its intention to allow one researcher who left the Trust in March 2020 to process the data through a ‘research passport’. | Operational Management | DSA, Annex A, Clause 5a | Observation | |
| 9 | The Trust should either complete a Data Protection Impact Assessment (DPIA) or document the rational for not completing a DPIA prior to any processing. | Operational Management | Data Protection Policy v04, section 6.12 | Observation | |
| 10 | The Information Asset Owner (IAO) should consider completing specialist IAO training. | Operational Management | Opportunity for improvement | ||
| 11 | The Trust should ensure appropriate teams and stakeholders review any new DSFC and DSA so the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | Opportunity for improvement | ||
| 12 | The Research and Development department should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | Opportunity for improvement | ||
| 13 | At the post audit review, the Audit Team will look at:
|
Operational Management | Follow-up |
Supplementary notes
The following note refers to the table above and provide additional commentary on the linked finding.
Note 1. One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent). If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by the Auditee, then the link need not be encrypted. NHS Digital reserves the right to review this assessment.
Use of data
The Trust confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The Trust confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Media type |
|---|---|
| Northumbria Healthcare NHS Foundation Trust | England/Wales |
| Microsoft UK (Undeclared) | England/Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Microsoft UK | Disk | 5 weeks |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 September 2022 4:23 pm