NHS Digital Data Sharing Remote Audit: University College London
This report records the key findings of a remote data sharing audit of the University College London in September 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the University College London (UCL) where the interviews were conducted between 22 and 27 September 2022. It provides an evaluation of how UCL conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-321538-B5D8B-v2.02
- the data sharing agreement (DSA) DARS-NIC-381078-Y9C5K-v7.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Electronic Prescribing and Medicines Administration (EPMA) data in Secondary Care for COVID-19 | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| National Institute for Cardiovascular Outcomes Research (NICOR) Myocardial Ischaemia National Audit Project v10.3.2 | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| NICOR Heart Failure V5.0 | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| NICOR National Audit of Percutaneous Coronary Interventions (NAPCI) V5.6.6 | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| COVID-19 ICNARC Case Mix Programme for Adult Critical Care | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| TRE Secondary Care Data | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Uncurated Low Latency Hospital Data Sets – Critical Care | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Civil Registration - Deaths | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| COVID-19 Hospitalization in England Surveillance System | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| GPES Data for Pandemic Planning and Research (COVID-19) | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Medicines dispensed in Primary Care (NHSBSA data) | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Sentinel Stroke National Audit Programme (SSNAP) | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Uncurated Low Latency Hospital Data Sets - Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | 1989/90 - 2023/24_M05 |
| HES Critical Care | Anonymised/Pseudonymised, Non-sensitive | 2013/14 - 2023/24_M05 |
| HES Outpatients | Anonymised/Pseudonymised, Non-sensitive | 2019/20 - 2023/24_M05 |
| HES Accident and Emergency | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2019/20 |
| COVID-19 Second Generation Surveillance System | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Covid-19 UK Nonhospital Antigen Testing Results (Pillar 2) | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Covid-19 UK Nonhospital Antibody Testing Results (Pillar 3) | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| COVID-19 Vaccination Status | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| COVID-19 Vaccination Adverse Reactions | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Improving Access to Psychological Therapies Data Set | Anonymised/Pseudonymised, Non-sensitive | 2012/13 – 2022/23 |
Within the DSA, UCL is one of several joint Controllers. UCL is, however, Controller for the study audited.
CVD-COVID-UK, co-ordinated by the British Heart Foundation (BHF) Data Science Centre (DSC), is one of the NIHR-BHF Cardiovascular Partnership’s National Flagship Projects. CVD-COVID-UK aims to understand the relationship between COVID-19 and cardiovascular diseases such as heart attack, heart failure, stroke, and blood clots in the lungs through analyses of de-identified, pseudonymised, linked, nationally collated healthcare data sources in trusted research environments (TREs) across the four nations of the UK.
Building on CVD-COVID-UK, the BHF DSC has broadened the scope of the programme to all COVID-related research (currently using data in NHS Digital’s TRE for England only). This is known as COVID-IMPACT and it will help to support research projects from the wider community, including for the Data & Connectivity National Core Study.
Through this DSA, researchers from the various joint Controllers can seek to undertake COVID-19 related analyses. The particular study for this audit was Study CCU038, being conducted by UCL.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Audit Guide version 1.
Audit Type and Scope
| Audit type | Focused A focused audit was carried out due to the research utilising NHS Digital’s TRE. |
|---|---|
| Scope areas |
Access Control |
| Restrictions |
This audit did not look at the process by which individual studies are assessed and managed by the BHF. |
Overall Risk Statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data Recipient’s Acceptance Statement
UCL has reviewed this report and confirmed that it is accurate.
Data Recipient’s Action Plan
UCL will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with UCL to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 1 agreement nonconformity, 1 opportunity for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The named researcher accessing the TRE for the selected study was not a substantive employee of UCL. | Use and Benefits |
DSA, Annex A, Clause 5a |
Agreement nonconformity |
| 2 | The DSA, along with future versions, should be made available within the documentation set maintained on the BHF research platform for the researchers, so users are aware of their obligations and responsibilities. | Operational Management | Opportunity for improvement | |
| 3 | At the post audit review, the Audit Team will review the published deliverable(s) from the study. | Use and Benefits |
|
Follow-up |
Use of data
UCL confirmed that the datasets provided in the TRE were only being processed and used for the purposes defined in the DSA.
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- overall, the CVD-COVID-UK / COVID-IMPACT studies are contributing to health and social care
- documentation from completed studies - including protocols, code and outputs - are made available in the public domain.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 23 November 2022 9:27 am