NHS Digital Post Audit Review: University Hospital Bristol NHS Foundation Trust and the University of Bristol
This report provides the formal closure of the remote data sharing audit of the University Hospital Bristol NHS Foundation Trust and the University of Bristol in February 2020.
Audit summary
Purpose
This report provides the formal closure of the data sharing audit of the University Hospital Bristol NHS Foundation Trust (UHBFT) and the University of Bristol (UoB) between 25 and 27 February 2020 against the requirements of:
- the data sharing framework contracts (DSFC):
- CON-313966-Y9B5S (UHBFT)
- CON-304765-H4P3X (UoB)
- the data sharing agreement (DSA) NIC-147901-2XMLG-v1.15
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available |
MRIS - Flagging Current Status Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available |
MRIS - Cause of Death Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available |
The Joint Controllers are the UHBFT and the UoB.
In April 2020, the UHBFT merged with Weston Area Health NHS Trust to form University Hospitals Bristol and Weston NHS Foundation Trust. In this report, we will continue to reference the Trust as UHBFT.
Following a second post audit review published in February 2022, 1 agreement nonconformity, 1 opportunity for improvement and 1 point for follow-up remained open.
Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UHBFT between June and August 2022. There was also a video call with the UHBFT in June 2022.
Post audit review outcome
Based on the evidence provided by the UHBFT, the Audit Team has closed the nonconformity. Although no further action is required by the Audit Team, there is 1 opportunity for improvement and 1 point for follow-up still open, and the UHBFT should complete the actions against these findings.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit reviews.
Original Risk Statement - May 2020: High
Previous Risk Statement - April 2021: Medium
Previous Risk Statement - February 2022: Medium
Current Risk Statement: Low
Data recipient’s acceptance statement
The UHBFT and the UoB have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 7 agreement nonconformities, 4 organisation nonconformities, 4 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Findings 2 - 11, 13, 15 and 16 were closed as part of the previous post audits.
UHBFT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The UHBFT has not mitigated against identified critical and high findings from a security report in a timely manner. | Access Control | A new security test was conducted in November 2021, and the UHBFT shared a summary report with the Audit Team in June 2022. The Audit Team discussed the findings during a video call in June 2022. The UHBFT has closed the majority of the findings and has a plan in place to address the remaining open findings. | Agreement nonconformity | Closed |
2 | Data supplied by NHS Digital is being stored at a secondary location not declared on the DSA. This location is a data centre owned and located at the UHBFT. It should be noted that the primary location was declared in the DSA. | Information Transfer | The DSA has been updated with a secondary storage location. A copy of the updated DSA was supplied to the Audit Team. | Agreement nonconformity | Closed |
3 | There is no regular review of user access for the folder holding data supplied under the DSA. Furthermore, the Audit Team found that a legacy administration group had access to the folder for IT administration purposes; however, it was no longer required. It should be noted that the files that contain the data are password protected, and the password is not known to the IT teams. | Access Control | The UHBFT stated that a system of regular checks has now been set up and a log maintained of when the checks took place and any issues identified. A copy of the log was provided to the Audit Team. A review of the admin groups and group members was carried out on 25 January 2021 by the UHBFT to confirm that it met the IT operational requirements. No issues were identified. An email was supplied to the Audit Team to support this statement. | Agreement nonconformity | Closed |
4 | The portable encrypted drive used to transfer data between the UHBFT and the UoB was not listed on an equipment asset register. | Access Control | The UHBFT reported the portable encrypted drive has now been recorded on the IT asset register. A screenshot of the asset register with the encrypted drives used to transfer the data was supplied to the Audit Team. | Agreement nonconformity | Closed |
5 | The UHBFT has not carried out a formal risk assessment of the physical access controls at the Trust’s data centres. | Access Control | The Trust has completed a risk assessment which covers both UHBFT data centres. A copy of the risk assessment was supplied to the Audit Team. | Agreement nonconformity | Closed |
6 | The file storage system holding the data supplied under the DSA has not been patched since September 2019. Patches have been released by the manufacturer since that date; however, these have not been applied. There has been no risk assessment to determine whether these should be applied in line with Trust policy. | Access Control | The file storage system has been updated and had the latest patch installed at the time of the interview. A screenshot was supplied to the Audit Team to support this. The Trust also plans to introduce an assessment process for patches. | Organisation nonconformity | Closed |
7 | The desktop computers used to access data supplied by NHS Digital are not encrypted as required by Trust policy. | Access Control | The UHBFT stated the desktop computers used by the Head and Neck 5000 team had been encrypted. Screenshots of the Windows BitLocker settings on the desktop computers were supplied to the Audit Team. | Organisation nonconformity | Closed |
8 | The Trust has a Training Needs Analysis for specialist information governance (IG) training; however, this is not being followed for Information Asset Owners (IAO) or Information Asset Administrators (IAA). The Audit Team noted that there was an entry in the Information Risk Register which identified this issue with a remedial action to develop bespoke training for these roles. | Operational Management | The IAO and IAA have completed specialist role-based training using the NHS IAO Guidance handbook. The training was completed in November and December 2020. Training records for these roles were supplied to the Audit Team. The UHBFT reported that further bespoke training for these roles is still being arranged; however, this has been delayed due to the Trust’s Covid-19 pandemic response. | Organisation nonconformity | Closed |
9 | The Information Asset Register (IAR) is not being suitably updated. The IAR indicated that no Data Privacy Impact Assessment (DPIA) had been completed; however, a DPIA had been completed and approved by the Data Protection Officer (DPO) in January 2020. | Operational Management | The UHBFT stated the IAR for Head and Neck 5000 has been updated and a regular quarterly system of checking the entry has been set up. A screenshot of the IAR which shows that the DPIA has been completed was supplied to the Audit Team. | Organisation nonconformity | Closed |
10 | The UHBFT should consider conducting regular reviews of who has access to the data centre where data supplied under the DSA is held, and this review should be documented. Currently, this review is carried out on an ad-hoc basis and is not documented. | Access Control | A review of access was carried out by the UHBFT in October 2020, January 2021, and April 2021. This review is carried out every 3 months. A copy of the log to support the reviews and process notes were seen by the Audit Team during a video conference call in July 2021. | Opportunity for Improvement | Closed |
11 | The UHBFT should consider carrying out a sample check to confirm that the degauss process for Hard Disk Drives (HDD) has been successful. HDDs are removed from end-of-life machines and then degaussed before they are provided to a disposal contractor for destruction. The Audit Team noted that there is no verification check to confirm that the degaussing has been successful. | Data Destruction | The UHBFT reported that the HDD destruction process has changed, and the Trust no longer degausses HDDs. The Trust is now using wiping software to wipe the hard drives. A screenshot of the report was provided to the Audit Team. | Opportunity for Improvement | Closed |
12 | The arrangement between the UoB and the UHBFT as Joint Controllers was set up in the current DSA. Both parties should consider the guidance on Joint Controller arrangements available on the Information Commissioner’s Office website. | Operational Management | A draft copy of the ‘Data Sharing and Governance Agreement – Controller to Controller’ was shared with the Audit Team in August 2022. The document is still under discussion and needs to be signed off by both parties. | Opportunity for Improvement | Open, but not for follow-up |
13 | The Trust should establish a mechanism that clearly demonstrates how the risks identified in the DPIA have been actioned and mitigated. | Operational Management | The UHBFT has updated the DPIA workbook, which includes a more detailed risk section and details of mitigations. A copy of the UHBFT DPIA Workbook v2.0 was supplied to the Audit Team. | Opportunity for Improvement | Closed |
14 | The password policy documented in the Trust policy does not currently align with the attributes enforced by the system, due to limitations within the system. There is ongoing work to address this, including updating the documented password policy and supporting systems to allow system-enforced changes. | Access Control | The UHBFT shared the updated Active Directory system-enforced password settings with the Audit Team. The UHBFT plans to update the Trust policy, and the work is expected to be completed by the end of 2022. | Follow-up | Open, but not for follow-up |
UoB
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
15 | The IAR does not include the data assets supplied under the DSA. | Operational Management | The data supplied under the DSA has been added to the local IAR while a wider approach is determined. A copy of the IAR was supplied to the Audit Team. | Agreement nonconformity | Closed |
16 | No DPIA screening has been completed for the data supplied under the DSA. | Operational Management | A DPIA for the Head and Neck 5000 study has been completed. A copy of the UoB DPIA was supplied to the Audit Team. | Agreement nonconformity | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 14 October 2022 9:44 am