NHS Digital Post Audit Review: University of York
This report provides the formal closure of the remote data sharing audit of the Epidemiology and Cancer Statistics Group at the University of York in June 2021
Audit summary
This report provides the formal closure of the remote data sharing audit of the Epidemiology and Cancer Statistics Group (ECSG) at the University of York (UoY) between 2 and 9 June 2021 against the requirements of both:
- the data sharing framework contract (DSFC) CON-314909-S3P2M
- the data sharing agreement (DSA) DARS-NIC-06759-X5V7P-v5.12
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) – Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2022/23 |
HES – Admitted Patient Care | Pseudo/Anonymised, Sensitive | 1997/98 – 2022/23 |
HES – Outpatients | Pseudo/Anonymised, Sensitive | 2003/04 – 2019/20_M12 |
HES – Accident and Emergency | Pseudo/Anonymised, Sensitive | 2007/08 – 2015/16 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | August 2009 – March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | August 2009 – March 2020 |
MRIS – Cause of Death Report | Identifiable, Sensitive | August 2009 – March 2020 |
Civil Registration - Deaths | Identifiable, Sensitive | Latest available release |
Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Sensitive | 2020/21 – 2022/23 |
Demographics | Pseudo/Anonymised, Sensitive | Latest available release |
Cancer Registration Data | Pseudo/Anonymised, Sensitive | Latest available release |
The joint Controllers are the UoY and the Hull University Teaching Hospitals (HUTH) NHS Trust, and the Processor is the UoY. Although the research was commissioned by the HUTH, the HUTH does not receive, process or store the data.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UoY between December 2021 and April 2022.
Post audit review outcome
Based on the evidence provided by the UoY, the audit team has closed the nonconformities and the observation. Although no further action is required by the audit team, there are 6 opportunities for improvement and 1 point for follow up still open, and the UoY should complete the actions against these findings.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
The UoY has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 2 agreement nonconformities, 1 organisation nonconformity, 1 observation, 12 opportunities for improvement and 2 points for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Validation testing of required security controls has been conducted on an infrequent basis with some aspects of testing not carried out. | Access control | The ECSG reported that it is now performing validation testing on a weekly basis. A screenshot of a report and the date it was produced were supplied to the Audit Team. The ECSG also confirmed that a detailed validation test had been conducted in November 2021, along with a retest in March 2022. The report for this detailed test was seen during a video call and an extract of the retest report was shared with the Audit Team in April 2022. | Agreement nonconformity | Closed |
2 | A security appliance did not contain the latest patches. | Access control | The UoY reported that a new security appliance has been implemented and has the latest recommended patch installed in line with UoY policy. Any new patches are assessed against policy and installed based on business need and security. A screenshot of the patches on the new security appliance was supplied to the Audit Team. | Agreement nonconformity | Closed |
3 | The ECSG should review its approach to risk management and ensure that it is consistent with the UoY Risk Management Policy. | Risk management | An online risk management presentation followed by a question-and-answer session was delivered to ECSG staff by the UoY Risk Management team in October 2021. The presentation focussed on the UoY Risk Management Policy to help ensure that the approach in ECSG is consistent with UoY corporate requirements. The presentation slides were supplied to the Audit Team. | Organisation nonconformity | Closed |
4 | The ECSG should take appropriate action to resolve the vulnerability identified in the vulnerability scan conducted in June 2021. | Access control | The ECSG confirmed that the vulnerability identified in the scan conducted in June 2021 had been resolved. A screenshot of the latest scan was supplied to the Audit Team. It indicated that no vulnerabilities were picked up apart from those classed as ‘for information’. | Observation | Closed |
5 | The ECSG should consider updating section 2 of the DSA and declare the full processing and storage addresses. It should be noted that these locations have been declared in section 5b of the DSA. | Operational management | The ECSG reported that it had discussed and provided the addresses to the Data Access Request Service (DARS) team. It has been agreed that the full addresses in section 2 of the DSA will be updated at the next renewal. The ECSG supplied an email dated 28 September 2021 to support the communication with the DARS team. | Opportunity for improvement | Open, but not for follow-up |
6 | The UoY should consider providing risk management training, to ensure that all relevant staff are aware of the processes for raising, recording and monitoring risks. | Risk management | An online risk management presentation followed by a question-and-answer session was delivered to ECSG staff in October 2021. Further training is planned in 2022. The slides supporting the training were supplied to the Audit Team. | Opportunity for improvement | Closed |
7 | The ECSG information asset register (IAR) should be developed to be in line with the UoY IAR. The IAR should also be updated to reference specific datasets, data sensitivity classification, Information Asset Owner (IAO), Information Asset Administrator(s), download date, deletion date and details of any joint Controllers. The IAR should also take into account requirements from the research and governance section of the UoY Health Sciences data security policy. | Operational management | The ECSG has updated the IAR in line with the recommendations in the finding. A copy of the ECSG Data Asset Register extract spreadsheet was supplied to the Audit Team. | Opportunity for improvement | Closed |
8 | The UoY should consider including details of the next review date on policies and procedures as part of its document management control. | Operational management | The UoY reported it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
9 | The ECSG should review the Data Protection Impact Assessment (DPIA) annually, or when a change is made. The document should also be subject to document version control. | Operational management | The ECSG has updated the DPIA and it now includes document version control along with an annual review date. A copy of the DPIA version 2.0 was supplied to the Audit Team. | Opportunity for improvement | Closed |
10 | The ECSG System Level Security Policy (SLSP) should be subject to document version control. | Operational management | The SLSP has been updated and now includes document version control. A screenshot of the document cover page of the SLSP Version 1.1.1 was supplied to the Audit Team. | Opportunity for improvement | Closed |
11 | The ECSG should consider implementing further technical controls to identify changes to Active Directory (AD) administration groups. | Access control | The ECSG reported that any new groups or changes to existing AD group memberships are now fully audited, and reports are produced. A screenshot of the audit reports and extracts from the report were supplied to the Audit Team. | Opportunity for improvement | Closed |
12 | The ECSG should reassess its use of built-in administrator accounts. | Access control | The ECSG reported that it had assessed the use of built-in administrator accounts. | Opportunity for improvement | Closed |
13 | The UoY should expand its current data destruction policy to include physical equipment destruction. | Data destruction | The UoY reported it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
14 | The UoY should develop a vulnerability assessment policy. The policy should specify the frequency of vulnerability scans and penetration tests to be performed. | Access control | The UoY reported it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
15 | The UoY should consider including further information within its Patching Policy regarding application-level patching. | Access control | The UoY reported it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
16 | The ECSG should consider a periodic independent review to ensure that ECSG systems and infrastructure are in compliance with both local and corporate level policies/ procedures. The findings from any review should be shared with the IAO. | Operational management | The ECSG reported that funding for such activities is not a permitted cost within research grants, however, should the opportunity arise, the ECSG will undertake such a review. | Opportunity for improvement | Open, but not for follow-up |
17 | At the post audit review, the Audit Team will review the Record of Processing Activities (ROPA), which is currently being drafted by the UoY. | Operational management | A copy of the ROPA was supplied to the Audit Team. | Follow-up | Closed |
18 | At the post audit review, the Audit Team will review: | Operational management | A signed agreement between the UoY and the HUTH is in place, dated 21 May 2021. A copy of the agreement was seen by the Audit Team. The Audit Team was informed that HUTH has also drafted its own DPIA and added NHS Digital datasets to its IAR. However, evidence to support these has not been seen by the Audit Team. | Follow-up | Open, but not to be followed up |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 May 2022 12:21 pm