NHS Digital Post Audit Review: University of Aberdeen
This report provides the formal closure of the remote data sharing audit of the University of Aberdeen in April 2021
Audit summary
This report provides the formal closure of the remote data sharing audit of the University of Aberdeen (UoA) between 19 and 23 April 2021 against the requirements of both:
- the data sharing framework contract (DSFC) CON-313306-V2W6S
- the data sharing agreement (DSA) DARS-NIC-322051-S8N9N-v2.4
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2007/08 – 2010/11 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2004 – June 2017 |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 2004 – June 2017 |
HES – Admitted Patient Care | Identifiable, Non-sensitive | 2011/12 – 2019/20 |
Demographics | Identifiable, Sensitive | Latest available release |
The UoA and the University of Oxford (UoO) are joint Controllers.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UoA in December 2021.
Post audit review outcome
Based on the evidence provided by the UoA, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the UoA.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
The UoA has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 2 agreement nonconformities, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Data is being stored at locations not declared on the DSA. Both locations were UoA buildings. | Information Transfer | The UoA supplied the details of the two storage locations to the Data Access Request Service (DARS) team on 21 June 2021. The details have also been included in an ongoing application. | Agreement nonconformity | Closed |
2 | 2 individuals with access to the data supplied by NHS Digital have not completed their annual Information Governance training. | Operational Management | The UoA confirmed that the 2 individuals have completed data protection training. The Audit Team were supplied with the training certificates for the 2 individuals showing the training was completed in May and June 2021. | Agreement nonconformity | Closed |
3 | The Controllers should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA. | Operational Management | The Controllers have jointly completed a DPIA screening questionnaire. The Controllers have concluded that a full DPIA is not required. A signed copy of the questionnaire was supplied to the Audit Team. | Opportunity for improvement | Closed |
4 | The UoA should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | The UoA has completed a ROPA and a high-level extract of the ROPA was supplied to the Audit Team. | Opportunity for improvement | Closed |
5 | The UoA should log all requests to add or remove user access to NHS Digital data via the Service Desk tool, rather than relying on email trails in personal mailboxes. | Access Control | The UoA is now using the Service Desk tool to log requests to add and remove a user’s access. An example of a request and the audit trail to support the request was supplied to the Audit Team. | Opportunity for improvement | Closed |
6 | The System Level Security Policy (SLSP) should include document version control and be reviewed annually, or whenever a change is made to the system. | Operational Management | The SLSP was updated and approved in June 2021. The next review date is June 2022. Document control is now managed through the University’s Q-Pulse system. Screenshots of SLSP version 5.0, which support the above statement, were supplied to the Audit Team. | Opportunity for improvement | Closed |
7 | The Audit Team suggested that all appropriate teams within the UoA review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | The UoA has produced a Research and Innovation Working Procedure for Managing NHS Digital Agreements. This procedure outlines the DSA and DSFC review process carried out by internal stakeholders. A copy of the procedure, Version 1, was supplied to the Audit Team. | Opportunity for improvement | Closed |
8 | At the post audit review, the Audit Team will review the University’s revised approach to risk management, regarding updates to the corporate risk register and the associated risk criteria. | Risk Management | The UoA has developed a new University Risk Management Framework and a new supporting Risk Register Template. These documents will allow a consistent approach to risk management across the University. Minutes from a meeting held on 29 June 2021 to support the approval of the framework and the template were made available to the Audit Team. | Follow-up | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 14 February 2022 11:43 am