NHS England Data Sharing Remote Audit: Imperial College London
This report records the key findings of a remote data sharing audit of Imperial College London in January 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Imperial College London (ICL) between 9 and 13 January 2023. It provides an evaluation of how ICL conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-312177-J7P3H-v2.01
- the data sharing agreement (DSA) DARS-NIC-370843-R6V8T-v4.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period | |
|---|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 1997/98 – 2020/21 | |
| HES Outpatients | Identifiable, Non-sensitive | 2003/04 – 2020/21 | |
| HES Critical Care | Identifiable, Sensitive | 2008/09 – 2020/21 | |
| HES Accident and Emergency | Identifiable, Sensitive | 2007/08 – 2019/20 | |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2020/21 – 2021/22_M02 | |
| Medical Research Information Service (MRIS) - List Cleaning Report | Identifiable, Sensitive | December 2015 – July 2016 | |
| MRIS - Flagging Current Status Report | Identifiable, Sensitive | December 2015 – July 2016 | |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | December 2015 – July 2016 | |
| MRIS - Cause of Death Report | Identifiable, Sensitive | December 2015 – July 2016 | |
| Demographics | Identifiable, Sensitive | Latest Available 07/2021 | |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest Available 07/2021 | |
| Cancer Registration Data | Identifiable, Sensitive |
Latest Available 07/2021 |
The Controller is ICL.
The international cohort study of mobile phone use and health (COSMOS) is a longitudinal research study which has recruited approximately 305,000 adult mobile phone users across Europe (UK, Sweden, the Netherlands, Denmark, Finland, and France), since it started recruiting in 2009. The aim of the study is to investigate whether there is a link between long-term use of mobile phones (and other wireless technologies) and human health. Approximately one third of the international cohort has been recruited within the UK.
To achieve the scientific aims of the COSMOS study, pooled analysis of data from the participating countries is considered essential by the research partners. Pooling the data will provide the required statistical power for meaningful analysis of the associated health outcome events. However, only pseudonymised subsets of individual-level data without direct identifiers will be shared (subject to a sub-licensing agreement) with the collaborating partners performing a pre-defined specific analysis on a specific topic or health outcome. At the time of the audit no sub-licensing agreement had been finalised by ICL.
This report also considers whether ICL conform to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
ICL has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
ICL will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with the ICL to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 1 agreement nonconformity, 1 organisation nonconformity, 6 opportunities for improvement and 7 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
Data are being stored at a location, within England, not declared in the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data are being processed and stored and to make this list available to NHS England on request. |
Information Transfer | DSA, Annex A, Section 2b | Agreement nonconformity |
| 2 | Information Security Management Forum meetings, scheduled for every 6 months, have not been held for at least a year. | Operational Management | ICL, SE_GEN101, Management system review meetings, v10, 27 June 2022, Section 5.2 | Organisation nonconformity |
| 3 | ICL should maintain a formal audit trail when a study cohort member requests his/her data be removed from the study including details of the destruction of data. | Operational Management | Opportunity for improvement | |
| 4 | ICL should have the third-party include a textual statement of the scope of any security assessment in the associated report. | Access Control | Opportunity for improvement | |
| 5 | ICL should ensure any screenshots of dialogue boxes captured during the electronic destruction of data include Windows’ date and time display. | Data Destruction | Opportunity for improvement | |
| 6 | If the current support role is split between personnel, then ICL should consider whether some form of ticketing system may help manage the various types of requests. | Operational Management | Opportunity for improvement | |
| 7 | ICL may wish to review the roles and responsibilities, or their specific wording, of the Information Asset Owner (IAO) to ensure they can be suitably discharged or delegated. | Operational Management | Opportunity for improvement | |
| 8 | At present a Data Protection Impact Assessment (DPIA) has not been produced as there is a view that such content is satisfied through a combination of other documents, for example the research approval and the information asset register. ICL should formalise its position with respect to DPIAs and as part of this activity determine whether there is sufficient coverage. | Operational Management | Opportunity for improvement | |
| 9 | At the post audit review, the Audit Team will review how the support function has been resourced due to imminent staff changes. | Operational Management | Follow-up | |
| 10 | At the post audit review, the Audit Team will review the mechanism by which database access is requested and thereafter managed, including confirmation by the IAO that access is still required. | Access Control | Follow-up | |
| 11 | At the post audit review, the Audit Team will review the process by which pseudonymised datasets are extracted and supplied to other research organisations under the sub-licencing clause. | Use and Benefits | Follow-up | |
| 12 | At the post audit review, the Audit Team will establish whether any recent research papers have been published, including those created by other researchers utilising data provided under the sub-licencing clause. | Use and Benefits | Follow-up | |
| 13 | At the post audit review, the Audit Team will review any new training material with respect to risk management for users of the designated platform. | Risk Management | Follow-up | |
| 14 | At the post audit review, the Audit Team will review any new training material specific for IAOs. | Operational Management | Follow-up | |
| 15 | At the post audit review, the Audit Team will review the actions taken to address the findings raised in the recent security assessment. | Access Control | Follow-up |
Use of data
ICL confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
ICL confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of Use |
| ICL | UK and EEA |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Period |
| ICL | Tape | 90 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- ICL is using a defined segregated network, which is certified to ISO 27001, to hold and analyse the data.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 20 March 2023 1:33 pm