NHS Digital Data Sharing Remote Audit: Clinical Trials Service Unit, Clinical Trial Follow-up Service at the University of Oxford
This report records the key findings of a remote data sharing audit of the Clinical Trials Service Unit, Clinical Trial Follow-up Service for the Early Breast Cancer Trialists' Collaborative Group within the Nuffield Department of Population Health at the University of Oxford in May 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Clinical Trials Service Unit, Clinical Trial Follow-up Service (CTSU-ctfs) for the Early Breast Cancer Trialists' Collaborative Group (EBCTCG) within the Nuffield Department of Population Health (NDPH) at the University of Oxford (UoO) between 16 and 20 May 2022. It provides an evaluation of how the CTSU-ctfs conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-319043-Y2R5H v2.01
- the data sharing agreement (DSA) DARS-NIC-148204-7B1XT-v7.9
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | August 1990 - November 2016 |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | August 1990 - November 2016 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | August 1990 - November 2016 |
| MRIS – Cause of Death Report | Identifiable, Sensitive | August 1990 - November 2016 |
The Controller is the UoO and all data are processed in the CTSU.
The EBCTCG was created in 1985 by researchers at the CTSU. The membership of EBCTCG consists of research groups which share their trial data for the purpose of meta-analyses that assess the benefits and risks of treatments for early breast cancer.
This report also considers whether the CTSU-ctfs conform to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions | Access Control - Limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The CTSU-ctfs has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The CTSU-ctfs will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the CTSU-ctfs to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 1 agreement nonconformity, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
An internal access review performed prior to the audit (March 2022) by CTSU-ctfs identified 2 members of staff that no longer required access to the raw data. At the time of audit these 2 user accounts were still active. These 2 members of staff are both substantive NDPH employees that are still employed by the University. No other such access reviews had been conducted prior to the March 2022 review. Access for these 2 members of staff was removed during the audit. |
Access Control |
DSFC, Schedule 2, Section A, Clause 4.1 NDPH, Information Governance Handbook, v3.0 CTSU-ctfs, Access Control Standard, v0.1 |
Agreement nonconformity |
| 2 | One member of staff is just outside of the 12-month data protection training window. This member of staff is an emeritus professor with no access to data. | Operational Management | NDPH, Information Governance Handbook, v3.0 | Observation |
| 3 | NDPH should consider updating its Information Asset Register (IAR) to record information assets by trial rather than by project. | Operational Management | Opportunity for improvement | |
| 4 | NDPH should consider providing specialist training that is available within the department to the Information Asset Owner (IAO). | Operational Management | Opportunity for improvement | |
| 5 | NDPH should reconsider its position around its use of local user administrator accounts. | Access Control | Opportunity for improvement | |
| 6 |
NDPH should consider automating encryption of connected unencrypted USB devices. |
Access Control | Opportunity for improvement | |
| 7 | NDPH should reword the statement in the Information Governance Handbook around reviews of firewall and system logs to reflect current practice. | Operational Management | Opportunity for improvement | |
| 8 | At the post audit review, the Audit Team will review the upcoming publication to check that an appropriate acknowledgement to NHS Digital as the source of data has been included, in line with the new process outlined within the CTSU-ctfs Data Management Standard Operating Procedure. | Use and Benefits | Follow-up |
Use of data
The CTSU-ctfs confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The UoO confirmed that processing and storage location, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. This location conforms with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| UoO | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| NDPH | Disk (snapshot) | 6 days |
| NDPH | Disk (intermediate; raw data retained by CTSU-ctfs) | 28 days |
| NDPH | Disk (monthly; processed data only) | 500 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the CTSU-ctfs was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England. Specifically, EBCTCG reports have been published in major medical journals and by September 2020 the 23 published reports between 1985 to 2019 had been cited more than 27,000 times. Twelve of these reports, on ovarian ablation, chemotherapy, endocrine therapy (tamoxifen), surgery and radiotherapy, include the analysis of data provided by NHS Digital.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 26 July 2022 2:28 pm