
NHS Digital Post Audit Review: University of Leeds - Clinical Trials Research Unit

This report provides the formal closure of the remote data sharing audit of the Clinical Trials Research Unit within the Faculty of Medicine and Health at the University of Leeds in February 2022.

Audit summary

This report provides the formal closure of the remote data sharing audit of the Clinical Trials Research Unit (CTRU) within the Faculty of Medicine and Health at the University of Leeds (UoL) between 7 and 11 February 2022 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-315426-K3W7R
  • the data sharing agreement (DSA) DARS-NIC-112910-R4X9X-v2.3

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-Sensitive | 2016/17 – 2020/21 |
| HES Civil Registration (Deaths) bridge | Identifiable, Non-Sensitive | Annually |
| Civil Registration (Deaths) Secondary Care Cut | Identifiable, Sensitive | Latest available |

The Controller is UoL.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the CTRU in October 2022.

Post audit review outcome

Based on the evidence provided by the CTRU, the Audit Team has closed the nonconformities and the observation. Although no further action is required by the Audit Team, there is 1 opportunity for improvement and 1 follow up item still open, and the CTRU should complete the actions against these findings.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

The CTRU has reviewed this report and confirmed that it is accurate.


Status

The following table identifies the 2 agreement nonconformities, 1 observation, 6 opportunities for improvement and 1 point for follow-up raised as part of the original audit.

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Data are being stored at locations not declared within the DSA. | Information Transfer | The DSA has been updated with the undeclared storage locations. A copy of the latest DSA, DARS-NIC-112910-R4X9X-v3.4, was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 2 | Security assessments have not been performed on the infrastructure holding the data supplied by NHS Digital. | Access Control | A security assessment was carried out in May 2022 followed by a re-assessment in June 2022. There is an active ongoing plan to address the issues identified. A copy of the security assessment report was shared with the Audit Team. | Agreement nonconformity | Closed |
| 3 | The Data Access Request Service (DARS) has requested the CTRU to amend its DSA application by 31 August 2022. In addition to the areas specified by DARS, the DSA should also be updated to: acknowledge remote processing locations where data is being processed on machines using locally installed applications; include specific details of the planned linkage between data supplied by NHS Digital and other datasets; amend the reference around the database. | Use and Benefits | The DSA has been updated and the CTRU has confirmed that the points in the findings have been considered. The CTRU confirmed that remote processing is no longer taking place. A copy of the latest DSA, DARS-NIC-112910-R4X9X-v3.4, was supplied to the Audit Team. | Observation | Closed |
| 4 | The CTRU should reconsider changing its current password settings to be in line with published guidance. | Access Control | The password settings and the guidance made available to end users have been updated. A screenshot of the password settings and guidance were provided to the Audit Team. | Opportunity for improvement | Closed |
| 5 | The CTRU should update its documentation to clarify the type of validation testing that is performed. | Access Control | The CTRU Security Statement for File Storage document has been updated to clarify the type of validation testing that will be performed. A copy of the CTRU Security Statement for File Storage document version 2 was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 6 | The CTRU should aim to achieve appropriate staff compliance with CTRU’s own data protection training within the next 12 months. The roll-out of the training had been impacted by the pandemic. Note: Users working within the CTRU must complete UoL corporate general information security training, which includes data protection, on an annual basis. This includes users with direct access to the data and it was confirmed all users with direct access to data have completed this UoL training within the past 12 months. | Operational Management | The CTRU reported that 99% of current staff completed the in-house data protection training by September 2022. The training is being rerun in December 2022 for those who were unable to attend the training first time around. | Opportunity for improvement | Closed |
| 7 | The CTRU should add document version control on the Data Protection Impact Assessment (DPIA). Also, the CTRU should add a section to the DPIA that allows it to be signed off by appropriate personnel. | Operational Management | The DPIA now includes version control and has been signed by a senior member of staff from the UoL. The CTRU stated that any future amendments to this document will also be reviewed by the Data Protection Officer. A copy of the DPIA was shared with the Audit Team. | Opportunity for improvement | Closed |
| 8 | The CTRU should update the Terms of Reference for its Information Governance Committee meetings to include the frequency of the meetings. Minutes should also be taken in these meetings. | Operational Management | The CTRU reported that the Information Governance (IG) committee had been discontinued. The CTRU stated that IG issues are now flagged to and assessed by the Quality Assurance department, and then escalated to relevant department heads, as required, depending on the nature of the incident. This is in line with CTRU Standard Operating Procedures and lines of management and reporting. | Opportunity for improvement | Closed |
| 9 | The CTRU should follow the UoL corporate risk management methodology, including the use of UoL templates for risk grading and associated risk register format. Currently, the CTRU is using its own risk management processes. | Risk Management | The CTRU confirmed that it is waiting for the UoL to update its risk management processes. The CTRU will continue to use its own risk processes until the UoL releases a new risk management process. | Opportunity for improvement | Open, but not for follow-up |
| 10 | At the post audit review, the Audit Team will review evidence of the new approach to managing technical controls around port control. | Access Control | It was reported that a new solution, including port control, being implemented by the UoL has been delayed. However, the CTRU is deploying local group policies which provide similar functionality. This roll out should be completed by the end of 2022. | Follow-up | Open, but not for follow-up |


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 13 December 2022 6:39 pm