NHS England Data Sharing Remote Audit: National Centre for Social Research
This report records the key findings of a remote data sharing audit of the National Centre for Social Research in April 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the National Centre for Social Research (NatCen) between 24 April and 28 April 2023. It provides an evaluation of how NatCen conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-322640-S9V7X-v2.01
- the data sharing agreement (DSA) DARS-NIC-311182-N0L1Y-v7.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics Admitted Patient Care (HES APC) |
Identifiable, Non-sensitive | 1997/98 – 2017/18_M09 |
HES Critical Care |
Identifiable, Non-sensitive | 2008/09 – 2017/18_M09 |
| HES Outpatients | Identifiable, Non-sensitive | 2003/04 - 2017/18_M09 |
| HES Accident and Emergency | Identifiable, Non-sensitive | 2007/08 - 2017/18_M09 |
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | July 1998 - May 2018 |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | July 1998 - May 2018 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | July 1998 - May 2018 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | July 1998 - May 2018 |
The Controller is NatCen.
The data provided by NHS England is linked by NatCen to the survey data from the English Longitudinal Survey of Ageing (ELSA). The primary objective of ELSA is to collect longitudinal data on health, disability, economics, and social participation and networks, from a broad-based sample of the English population aged 50 and older. This includes a unique coverage of biomedical, genetic, performance and psychosocial measures. Since its inception in 2002, the study has provided valuable insights into a range of social, health and economic issues.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality, and integrity, as appropriate.
Data recipient’s acceptance statement
NatCen has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
NatCen will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with NatCen to confirm the findings have been satisfactorily addressed.
Findings
The following table identifies the 3 agreement nonconformities, 1 observation, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
The data are being processed and stored at locations not declared in the DSA. All the locations are within England. |
Information Transfer | DSA, Annex A, Sections 2a and 2b | Agreement nonconformity |
| 2 | NatCen has not included the data received under this DSA on an Information Asset Register (IAR), nor has NatCen clearly identified the Information Asset Owner (IAO). | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
| 3 |
NatCen has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. |
Operational Management |
DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) |
Agreement nonconformity |
| 4 | The operating system of the server being used to store data provided by NHS England is approaching end of support. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
| 5 | A Data Protection Impact Assessment (DPIA) or screening questionnaire should be completed for the study utilising the data provided under this DSA. | Operational Management | Opportunity for improvement | |
| 6 | The NatCen Patch Management Policy does not reflect current practice for the patching schedule for servers. This document should be reviewed and updated to reflect that NatCen patch on a more frequent basis than defined in the policy. | Access Control | Opportunity for improvement | |
| 7 | NatCen to consider providing specialist IAO training to all Research Directors undertaking that role. | Operational Management | Opportunity for improvement | |
| 8 | At the post audit review, the Audit Team will review evidence of the outcome of the security exercise scheduled to be performed in 2023. | Access Control | Follow-up |
Use of data
NatCen confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with the dataset explicitly allowed in the DSA.
Data location
NatCen confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| NatCen | UK |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| NatCen | Disk | 12 months |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 July 2023 3:13 pm