NHS Digital Data Sharing Remote Audit: Hull Health Trials Unit
This report records the key findings of a remote data sharing audit of the Hull Health Trials Unit at the University of Hull in July 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Hull Health Trials Unit (HHTU) at the University of Hull (UoH) where the interviews were conducted between 5 and 8 July 2022. It provides an evaluation of how the HHTU conforms to the requirements of both the:
- Conditional Approval letter, dated 6 September 2021
- Data Sharing Contract ODR2021_179
This contract initiated by Public Health England (PHE) was novated to NHS Digital on 7 October 2021.
This contract covers the provision of the following datasets, limited to those patients who met the study’s inclusion criteria:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| National Cancer Registration and Analysis Service (NCRAS) - AT_Patient_England | Pseudonymised | 2016 - 2017 |
| NCRAS - AT_Tumour_England | Pseudonymised | 2016 - 2017 |
| NCRAS - AT_Treatment_England | Pseudonymised | 2015 – 2018 (note 1) |
| NCRAS - AT_Pathway_England | Pseudonymised | 2016 – 2018 (note 1) |
| Hospital Episode Statistics (HES) Admitted Care data | Pseudonymised | 2015 – 2018 (note 1) |
| Diagnostic Imaging Data | Pseudonymised | 2015 – 2017 (note 1) |
Note 1: approximate date ranges, as the data includes records occurring in a period before and/or after a diagnostic date field in AT_Tumour_England.
The Controller is the UoH and the Processor is AIMES. All processing of the data is undertaken by the HHTU in the Data Safe Haven (DSH) which is owned and operated by AIMES.
Inequalities in cancer care and cancer survival continue to exist between different socio-demographic groups. Growing evidence shows that such inequalities are only partly explained by individual or cancer characteristics, such as the presence of other medical conditions or cancer stage. This study will access cancer registration data of all patients living in England who were diagnosed with colon or ovarian cancer between 2016-2017. This study will use cancer registration data collected by the NCRAS linked to Hospital Episode Statistics and NHS Digital datasets. The aims of the study will explore for the presence of inequalities in the diagnosis and treatment of patients with colon or ovarian cancer.
This report also considers whether the HHTU and its Processor conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions | Access control - limited visibility of physical controls Use and benefits – no outputs have yet been produced, Contract end date 5 Sept 2026 |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The HHTU has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The HHTU will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the HHTU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 4 organisation nonconformities, 1 observation, 11 opportunities for improvement and 1 point for follow-up raised as part of the audit.
HHTU
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | No Data Protection Impact Assessment (DPIA) or screening questionnaire has been completed for the study utilising the data provided under this Contract. | Operational Management | UoH, Information Governance and Assurance Policy, Clause 5 | Organisation nonconformity |
| 2 | A data classification has not been assigned to the data in accordance with the UoH Data Classification and Handling Policy. | Operational Management |
UoH, Information Governance and Assurance Policy, Clause 5 UoH, Data Classification and Handling Policy, v0.1 |
Organisation nonconformity |
| 3 | The HHTU risk register is to be aligned with the University’s risk management procedure. Currently, the UoH has given a grace period for established local risk registers to adopt the University’s defined template. | Risk Management | UoH, Risk Management Procedure | Observation |
| 4 | The DPIA for the DSH should be updated to reflect recent changes. Thereafter, the HHTU should review the DPIA on a regular basis, or when a change is made. | Operational Management | Opportunity for improvement | |
| 5 | The HHTU should determine whether it is feasible and practical to download data directly into the DSH rather than using an intermediatory laptop. | Information Transfer | Opportunity for improvement | |
| 6 | The HHTU should review its terminology with respect to specific roles and responsibilities to ensure consistency across its documentation. | Operational Management | Opportunity for improvement | |
| 7 | The HHTU should consider providing specialist role-based training where necessary, for example, Information Asset Owner (IAO). | Operational Management | Opportunity for improvement | |
| 8 | The HHTU should determine what additional reporting is available from AIMES, to enhance its own monitoring and audit activities. | Access Control | Opportunity for improvement | |
| 9 | The HHTU may wish to hold periodic formal service review meetings with AIMES. Such meetings should be documented. | Operational Management | Opportunity for improvement | |
| 10 | The HHTU should conduct formal reviews of the folder permission settings. It does, however, receive monthly records from AIMES which would allow it to observe some inappropriate activity. | Access Control | Opportunity for improvement | |
| 11 | The UoH may wish to review whether desktops being used for research should be encrypted prior to the organisation’s move to Windows 11 where such machines will be encrypted by default, if possible. | Access Control | Opportunity for improvement | |
| 12 |
The UoH may wish to make the risk management training presentation, or a variation, available to staff, and communicate its availability. The UoH may also wish to expand upon its risk appetite statement as part of its risk management documentation. |
Risk Management | Opportunity for improvement | |
| 13 | The HHTU should consider when a project is closed, whether personal folders within the DSH could be closed immediately, instead of being retained for a set period of time. | Operational Management | Opportunity for improvement | |
| 14 |
The Audit Team suggested that the HHTU ensures appropriate teams and stakeholders review any new contractual documentation to ensure that they are fully aware of their responsibilities and are fully compliant. For example, the NHS Digital contract is more specific regarding data in transit. |
Operational Management | Opportunity for improvement | |
| 15 | At the post audit review, the Audit Team will review the status of the research and the availability of any resulting publications. | Use and Benefits | Follow-up |
AIMES
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 16 | AIMES to delete one of its conflicting policies and review those policies that have not been reviewed for a while. It should also remove any redundant references from its policies as part of future reviews. | Operational Management |
AIMES, Event Logging and Monitoring Policy, v1.1 AIMES, Audit Procedure, v1.1 AIMES, Access Control List Policy, v1.1 AIMES, Patch Management Policy, v1.1 |
Organisation nonconformity |
| 17 | AIMES to either keep its review logs current or rescind their use. | Operational Management |
AIMES, Access Control List AIMES, Password Management review log AIMES, User Access Rights Schedule |
Organisation nonconformity |
Use of data
The HHTU confirmed that the datasets were only being processed and used for the purposes defined in the Contract and was only being linked with those datasets explicitly allowed in the Conditional Approval letter.
Data location
The HHTU and the Processor confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 23 of the Contract.
| Organisation | Territory of Use |
|---|---|
| HHTU | UK |
| AIMES | UK |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| AIMES | Disk | 7 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the HHTU has elected to use an established DSH as the repository for its health data
- the AIMES DSH offering is certified to both ISO 27001 and Cyber Essentials plus.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 September 2022 4:20 pm