NHS England Data Sharing Remote Audit: Liverpool University Hospitals NHS Foundation Trust
This report records the key findings of a remote data sharing audit of Liverpool University Hospitals NHS Foundation Trust and the Liverpool Clinical Trials Centre at the University of Liverpool where the interviews were conducted in March 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Liverpool University Hospitals NHS Foundation Trust (LUHFT) and the Liverpool Clinical Trials Centre (LCTC) at the University of Liverpool (UoL) where the interviews were conducted between 13 and 21 March 2023. It provides an evaluation of how the LUHFT and the LCTC conform to the requirements of:
- the data sharing framework contracts (DSFC)
- CON-313262-W1P4R-v2.01 - LUHFT
- CON-312559-T8H2T-v2.01 - UoL
- the data sharing agreement (DSA) DARS-NIC-161422-Q0K1M-v4.3
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
| Diagnostic Imaging Dataset (DID) | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
| HES Statistics Critical Care | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2022/23_M12 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2019/20 |
| HES Outpatients | Pseudo/Anonymised, Sensitive | 2017/18 - 2022/23_M12 |
| Medical Research Information Service (MRIS) - Bespoke | Non-sensitive | Latest available |
| Civil Registration (Deaths) - Secondary Care Cut | Pseudo/Anonymised, Sensitive | Latest available |
| HES / Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest available |
| Bridge file: HES to DID | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2020/21_M06 - 2022/23_M12 |
The joint Controllers are the LUHFT and the UoL.
The LUHFT and the UoL require the data for use in a study titled “A Risk-adjusted and Anatomically Stratified Cohort Comparison Study of Open Surgery, Endovascular Techniques and Medical Management for Juxtarenal Aortic Aneurysms: The UK COMPlex AneurySm Study (UK-COMPASS)”.
Abdominal aortic aneurysm (AAA) is a common condition where the aorta, the largest artery, begins to bulge abnormally. Usually this expands over years and can eventually burst, causing fatal internal bleeding. When an emergency life-saving operation is possible, they have a high failure rate. A planned AAA repair operation prevents a burst aneurysm. The aim of the study is to answer the question: “What are the clinical and cost-effectiveness of strategies for the management of juxtarenal AAA?”.
This report also considers whether the LUHFT and the LCTC conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS England Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The LUHFT and the LCTC have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The LUHFT and the LCTC will establish a corrective action plan to address each finding shown in the findings tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with the LUHFT and the LCTC to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 4 agreement nonconformities, 1 observation, 5 opportunities for improvement and 4 points for follow-up raised as part of the audit.
In addressing a finding, the data recipient must take account of any referenced supplementary notes.
LUHFT
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | The Information Asset Register (IAR) contained some incorrect information which needs to be amended. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity | |
| 2 |
The LUHFT should agree with the Data Access Request Service (DARS) as to who is to receive the Secure Electronic File Transfer (SEFT) login credentials. |
Access Control | SEFT email instructions | Observation | |
| 3 | A Data Protection Impact Assessment (DPIA) or screening questionnaire should be completed for the study utilising the data provided under this DSA. | Operational Management | Opportunity for improvement | ||
| 4 | The LUHFT should consider carrying out a risk assessment on the laptops used to access and process the data, should further data be shared by the LCTC, as there is a risk that temporary files could be cached on the machines. | Access Control | Opportunity for improvement | ||
| 5 | The LUHFT should ensure that all stakeholders have sight of future DSA and DSFC to ensure that they are all fully aware of their responsibilities and are fully compliant. | Operational Management | Opportunity for improvement | ||
| 6 | At the post audit review the Audit Team will review any specialist training undertaken by the Data Protection Officer. | Operational Management | Follow-up |
LCTC / UoL
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 7 | There was no evidence to show that access to the locations holding data supplied under this DSA is reviewed on a regular basis. | Access Control | DSA, section 7.1 | Agreement nonconformity | |
| 8 |
The data are being stored at University of Liverpool locations not declared in the DSA. During the audit the LCTC recognised and recorded the missing locations. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Data Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS Digital on request. |
Information Transfer | DSA, Annex A, Section 2b | Agreement nonconformity | |
| 9 | Data in transit between UoL data centres is not encrypted as required by the DSFC. The LCTC reported that the transit is via dark fibre. | Information Transfer | DSFC, Schedule 2, Section A, clause 4.6 | Agreement nonconformity | 1 |
| 10 | The UoL should consider carrying out a risk assessment on the laptops used to access and process the data as there is a risk that temporary files could be cached on the machines. | Access Control | Opportunity for improvement | ||
| 11 | The LCTC / UoL should ensure that all stakeholders have sight of future DSA and DSFC to ensure that they are all fully aware of their responsibilities and are fully compliant. | Operational Management | Opportunity for improvement | ||
| 12 | At the post audit review the Audit Team will review the incident report associated with data being held on an encrypted USB memory stick. | Information Transfer | Follow-up | ||
| 13 | At the post audit review the Audit Team will review the security assessments undertaken for the LCTC infrastructure. | Access Control | Follow-up | ||
| 14 | At the post audit review the Audit Team will clarify the retention period for data held on backup tape. | Information Transfer | Follow-up |
Supplementary notes
The following note refers to the tables above and provides additional commentary on the linked finding.
Note 1. One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent). If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by the Auditee, then the link need not be encrypted. NHS England reserves the right to review this assessment.
Use of data
The LUHFT and the LCTC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The LUHFT and the LCTC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| LUHFT | England / Wales |
| LCTC | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| LUHFT | Disk | 6 months |
| LCTC | Disk |
1-3 years depending on data type, research data 5 years If asked to destroy the data in a shorter period then the backups will be retrieved, and the files removed from LCTC backups. |
| LCTC | Tape | See finding 14 |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the planned work clearly indicated that the research using the data would benefit health and social care.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 May 2023 2:41 pm