NHS Digital Data Sharing Remote Audit: University of Manchester
This report records the key findings of a remote data sharing audit of the University of Manchester in February 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the University of Manchester (UoM) where the interviews were conducted between 21 and 25 February 2022. It provides an evaluation of how the UoM conforms to the requirements of:
- the data sharing framework contracts (DSFC):
  - CON-326191-T0T6B (UoM)
  - CON-240079-Q7Y0S (British Society for Rheumatology)
- the data sharing agreement (DSA) DARS-NIC-148353-G88Q7-v3.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) - Members and Posting report | Identifiable, Sensitive | January 2003 - March 2020 |
MRIS - Flagging Current Status report | Identifiable, Sensitive | January 2003 - March 2020 |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | January 2003 - March 2020 |
MRIS - Cause of Death Report | Identifiable, Sensitive | January 2003 - March 2020 |
Demographics | Identifiable, Sensitive | Latest available |
Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
Cancer Registration Data | Identifiable, Sensitive | Latest available |
The Joint Controllers are the UoM and the British Society for Rheumatology (BSR). All the data processing is undertaken by the UoM; the BSR does not have any access to the data. As a result, the audit focussed on the controls at the UoM.
The UoM uses the data from NHS Digital to enhance the data already captured in the BSR Biologics Register for Rheumatoid Arthritis (BSRBR-RA). This is a long-term observational study to monitor the safety of new biologic and targeted therapies prescribed for rheumatoid arthritis in routine healthcare, specifically to understand if these new drugs increase the risks of developing cancer or premature death above the expected risks in a population with similar disease characteristics not receiving these therapies.
This report also considers whether the UoM conforms to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Routine |
---|---|
Scope areas | Information transfer; Restrictions; Access control (limited visibility of physical controls) |
Overall risk statement
Based on the evidence presented during the audit and the type of data being shared, the following risk rating has been assigned from the options Critical, High, Medium and Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The UoM has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoM will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoM to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 4 agreement nonconformities, 1 organisation nonconformity, 1 observation, 4 opportunities for improvement and 1 point for follow-up raised as part of the audit.
UoM
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | There is no coherent Information Asset Register (IAR) to cover the data supplied under the DSA. Instead, information is spread across different documents. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
2 | There was no evidence to show that user permissions to the network folder holding NHS Digital data had been reviewed on a regular basis, nor was there any evidence of privileged access reviews being conducted in accordance with UoM documentation. | Access Control | DSFC, Schedule 2, Section A, Clause 4.1; UoM, Investigator Agreement for the use of Personnel Information and Confidential Data, July 2021; UoM, Password Technical Security Standard, v1.8, August 2021, clause 4.2.4 | Agreement nonconformity |
3 | The UoM has not completed a Data Protection Impact Assessment (DPIA) for the Data Safe Haven. | Operational Management | DSFC, Schedule 3, General Data Protection Regulation (GDPR) | Agreement nonconformity |
4 | The UoM is not undertaking certain compliance checks prescribed in its documentation. | Operational Management | For example: | Organisation nonconformity |
5 | A number of policies and procedures have not been reviewed within their expected timescales. The UoM recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating. | Operational Management | For example: | Observation |
6 | The Audit Team suggested that the UoM review the naming convention for the Data Safe Haven platform and update relevant documentation where appropriate. | Operational Management | | Opportunity for improvement |
7 | The UoM may wish to increase the backup retention period for the data supplied by NHS Digital to 28 days and reflect this on any future certificate of destruction. | Operational Management | | Opportunity for improvement |
8 | The Audit Team suggested that Terms of Reference for the Data Safe Haven Operations Group be developed. | Operational Management | | Opportunity for improvement |
9 | As part of future reviews, the UoM should ensure certain statements in the Data Safe Haven System Level Security Policy (SLSP) and BSRBR-RA standard operating procedures are corrected. | Operational Management | | Opportunity for improvement |
10 | At the post audit review, the Audit Team will review the progress on closing the findings from the last security assessment. | Access Control | | Follow-up |
BSR
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
11 | The BSR had not completed and submitted a Data Security Protection Toolkit (DSPT) assessment in the requested timeframe. | Operational Management | DSA, Annex A, Clause 1b | Agreement nonconformity |
Use of data
The UoM confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The UoM confirmed that the processing and storage locations of the datasets, including disaster recovery and backups, were limited to the territory shown in the following table. This location conforms with the territory of use defined in clause 2c of the DSA.
Organisation | Territory of use |
---|---|
UoM | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
UoM | Disk | 14 days |
Good Practice
During the audit, the Audit Team noted the following areas of good practice:
- the UoM and the Study Team have developed a wide-ranging set of documentation to facilitate governance of their practices
- the UoM was able to clearly demonstrate the value that the data supplied under this DSA has had in benefiting the provision of health and social care in England.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 24 April 2022 4:41 pm