NHS England Data Sharing Remote Audit: GRAIL LLC
This report records the key findings of a remote data sharing audit of GRAIL LLC in October 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of GRAIL LLC between 2 and 6 October 2023. It provides an evaluation of how GRAIL Bio UK Ltd and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-440011-T3F5R-v2.02 (GRAIL Bio UK Ltd)
- the data sharing agreement (DSA) DARS-NIC-604851-W0M3S-v5.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
NDRS Linked Cancer Waiting Times (Treatments only) |
Anonymised/Pseudonymised | Latest Available |
| NDRS Linked DIDs | Anonymised/Pseudonymised | Latest Available |
| NDRS Linked HES APC | Anonymised/Pseudonymised | Latest Available |
| NDRS Cancer Registry | Anonymised/Pseudonymised | Latest Available |
| NDRS Rapid Cancer Registrations | Anonymised/Pseudonymised | Latest Available |
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised | 2021/22 – 2025/26 M12 |
| NDRS Linked HES Outpatients | Anonymised/Pseudonymised | Latest Available |
The University of Oxford (UoO) and GRAIL Bio UK Ltd are joint controllers. The processors are GRAIL Limited Liability Company (GRAIL LLC), Amazon Web Services (AWS) UK and AWS, Inc (USA). This audit focussed on GRAIL LLC and AWS USA.
The UoO and GRAIL LLC have access to pseudonymised record-level data linked against a cohort of individually consented patients recruited to SYMPLIFY, a study designed to assess GRAIL’s Galleri multi-cancer early detection (MCED) test in individuals referred with signs and symptoms of cancer. GRAIL LLC receive pseudonymised record-level NHS England data from the UoO. AWS USA supply IT infrastructure for GRAIL LLC and are therefore listed as data processors. AWS USA supply support to the system, but do not access data.
Enrolled participants consent to the transfer of their pseudonymised health data to GRAIL LLC in the US, for purposes permitted by the study participant consent form. There are 6,240 consenting SYMPLIFY participants.
As the audit was conducted remotely, the Audit Team was unable to review or assess the physical environment.
The findings are based on evidence and information provided during the interviews or supplied after.
The interviews during the audit were conducted through video conferencing. This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
GRAIL LLC has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
GRAIL LLC will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with GRAIL LLC to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 1 observation, 2 opportunities for improvement and 3 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | GRAIL LLC to amend its Data Sharing Agreement (DSA) prior to the data being processed in the new system in Q1 2024. The Data Protection Impact Assessment (DPIA) and Record of Processing Activities (ROPA) for the data provided by NHS England will also need to be reviewed and updated to be in line with any changes to data processing activities. | Access Control | DSA Appendix A, Section 5b | Observation |
| 2 | GRAIL LLC should consider reducing the number of touchpoints of the data. | Information Transfer | Opportunity for improvement | |
| 3 | GRAIL LLC should consider documenting the processes for electronic data deletion from cloud services. | Data Destruction | Opportunity for improvement | |
| 4 | At the post audit review, the Audit Team will review tangible outputs from the study which is expected to be completed by Q2 2024. | Use and Benefits | Follow-up | |
| 5 | At the post audit review, the Audit Team will review GRAIL LLC’s revised approach to data management and retention. | Operational Management | Follow-up | |
| 6 | At the post audit review, the Audit Team will review the revised strategy for managing governance, risk and compliance that will allow GRAIL LLC to further strengthen its current manual risk management processes. | Risk Management | Follow-up |
Use of data
GRAIL LLC and AWS USA confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
GRAIL LLC and AWS USA confirmed that processing and storage locations, including disaster recovery and backups of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
|
GRAIL LLC |
Worldwide |
| AWS | US West |
Note: under this agreement NHS England record-level data may only be securely shared with GRAIL LLC and AWS USA for the purposes stated in Section 5 of this agreement. No other jurisdictions are permitted.
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| AWS US West | Cloud | 35 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 November 2023 1:17 pm