NHS England Data Sharing Remote Audit: Barts Health NHS Trust
This report records the key findings of a remote data sharing audit of Barts Health NHS Trust and Queen Mary University of London (QMUoL) June 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Barts Health NHS Trust (Barts) and Queen Mary University of London (QMUoL) between 5 June and 9 June 2023. It provides an evaluation of how Barts and QMUoL conform to the requirements of:
- the data sharing framework contracts (DSFC)
- CON-325985-Y5F4B-v2.02 (Barts)
- CON-315125-P6G9X-v2.02 (QMUoL)
- the data sharing agreement (DSA) DARS-NIC-291938-R6V3V-v4.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| MRIS-Cohort Event Notification Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
| MRIS-Cause of Death Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
| Demographics | Identifiable, Sensitive | Latest Available 03/2022 |
| MRIS- Members and Postings Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
| MRIS-Flagging Current Status Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
The joint Controllers are Barts and the QMUoL and the Processor is Barts.
The Diabetes Alliance for Research in England (DARE) study was established in order to understand the cause of diabetes and its complications such as heart disease, diabetic eye disease and diabetic kidney disease, and to improve treatment and prevention of these important illnesses.
This research study is a nationwide collaboration between patients and professionals to provide a platform to enable further study into the causes and complications of diabetes. The study was originally established by the Royal Devon and Exeter Hospital in 2007 and was later rolled out nationwide through the clinical research networks in order to achieve recruitment targets. This agreement relates to the North East London Diabetes Research Network region of the study only, and is led by Barts Health NHS Trust, in collaboration with Queen Mary University of London, with whom they also share a research facility.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS England Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: High
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
Barts and QMUoL has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
Barts will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with Barts to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 5 agreement nonconformities, 1 organisation nonconformity, 1 observation, and 4 opportunities for improvement raised as part of the audit. During the audit 1 of these findings was closed.
Barts
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
User permissions to the network folder holding NHS England data were not restricted to the users that were authorised to access the data. |
Access Control |
DSA, Section 7.1 |
Agreement nonconformity |
| 2 |
The Audit Team were unable to verify if technical controls were in place to record access to the NHS England data. |
Access Control | DSA, Section 7.1 DSFC Schedule 2, Section A, Clause 4.3 |
Agreement nonconformity |
| 3 |
Data are being stored at two locations within England that have been not declared in the DSA. |
Access Control |
DSA, Annex A, Section 2b |
Agreement nonconformity |
| 4 | The Trust’s Information Asset Register (IAR) does not contain an entry for the data supplied under this DSA. | Access Control | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
| 5 | A DPIA template had been completed by the IAO for the study in February 2023, but it had not been reviewed by the Information Governance Lead and the Data Protection Officer (DPO). | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 6 | Retention periods have not been defined for the data supplied under the DSFC in line with the Barts Health Records Management Policy. | Operational Management | COR/POL/124/2021/001 Health Records Management Policy, Section 8.1 COR/POL/063/2022-001 Records Retention and Disposal, Section 8 |
Organisation nonconformity |
| 7 | The Audit Team suggest that “Data suppliers” is added to the potential parties to contact in the event of a data breach in their Information Governance Incident Handling Procedure. This will ensure that the notification requirement in Part 2 section 4.1.8 of the DSFC is not overlooked in the event of a breach. | Operational Management | DSFC, Part 2, section 4.1.8 | Observation |
| 8 | The Audit Team suggest that a risk assessment is performed on the security controls of the Diabetes Database. | Access Control | Opportunity for improvement | |
| 9 | A number of the configuration and operational documents provided to the Audit Team need to be reviewed and updated. | Operational Management | Opportunity for improvement | |
| 10 | The Information Asset Owner (IAO) should consider completing specialist IAO training. | Operational Management | Opportunity for improvement | |
| 11 | Barts should consider reducing the number of touchpoints of the data and updating relevant documentation about the download process to reflect any changes. | Information Transfer | Opportunity for improvement |
Use of data
Barts confirmed that the datasets were only being processed and used for the purposes defined in the DSA and only being linked with those datasets explicitly allowed in the DSA.
Data location
Barts confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| Barts | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Barts | Disk | 730 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 31 August 2023 4:34 pm