NHS England Post Audit Review: Northumbria Healthcare NHS Foundation Trust
This report provides the formal closure of the remote data sharing audit of Northumbria Healthcare NHS Foundation Trust (The Trust) in June 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Northumbria Healthcare NHS Foundation Trust (The Trust) on 6 and 29 June 2022 against the requirements of both:
- the data sharing framework contract (DSFC) CON-267591-M5B9R-v2.02
- the data sharing agreement (DSA) DARS-NIC-249035-R2Z5Y-v0.7
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
HES Critical Care | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
HES Accident and Emergency | Identifiable, Non-Sensitive | 2016/17 – 2018/19 |
Civil Registration (Deaths) – Secondary Care Cut | Identifiable, Sensitive | Historic Data Request |
HES: Civil Registration (Deaths) bridge | Identifiable, Sensitive | Historic Data Request |
The Controller is The Trust and is using Microsoft UK Limited as a Processor for cloud storage.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS England Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by The Trust between February and August 2023.
Note: as this desk-based review took place after the merger of NHS Digital and NHS England, this report may reference both organisations.
Post Audit Review Outcome
Subsequent to the audit in June 2022, The Trust has decided not to renew the DSA when it expires and will destroy the data held. The provision of certificates of destruction has been tracked by the Data Access Request Service (DARS) team as part of its normal process.
Note: the findings classified as “No longer applicable” in this report may be subject to further review by NHS England if The Trust submits a new application.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
The Trust has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 7 agreement nonconformities, 2 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The data storage locations specified on the DSA do not accurately reflect the current locations. | Information Transfer | A request for the DSA to be updated has been submitted to the DARS team. However, The Trust declared it was not going to renew the agreement when it expired. | Agreement nonconformity | Closed |
2 | An undeclared third-party cloud provider (Microsoft UK) is being used to store the data supplied by NHS Digital. | Information Transfer | A request for the DSA to be updated has been submitted to the DARS team. However, The Trust declared it no longer required the data and was not going to renew the agreement when it expired. | Agreement nonconformity | Closed |
3 | The Audit Team was informed the data supplied by NHS Digital was downloaded onto a Trust laptop. This laptop was returned to the Research Department when the researcher left the Trust. The Trust could not locate the laptop therefore the level of encryption could not be determined and it was not clear if the laptop was still in use or had been disposed of. | Information Transfer | The research team have a pool of laptops, one of which will have been used for the research study. The Trust reported that all Trust laptops are encrypted. | Agreement nonconformity | No longer applicable |
4 | Permissions to the folder holding NHS Digital data on the Trust’s network need to be modified to restrict access to delegated members of the NIVO Study Team. | | Permissions to the folder have been reviewed and restricted to the delegated member for the Non-Invasive Ventilation Outcomes study (NIVO) Study Team. A copy of this review has been seen by the Audit Team. | Agreement nonconformity | Closed |
5 | There was no evidence to show that user permissions to the NHS Digital data had been reviewed on a regular basis. | Access Control | Permissions to the folder have been reviewed and restricted to the delegated member for the NIVO Study Team. A copy of this review has been seen by the Audit Team. | Agreement nonconformity | Closed |
6 | The Trust’s Information Asset Register (IAR) does not contain an entry for the data supplied under this DSA. The Trust reported there is a Caldicott Information Asset Register which does have an entry for NHS Digital Data, however, no evidence was provided to support this. | Operational Management | A screenshot for the Caldicott Approval Form was made available to the Audit Team and shows the record of NHS England data. However, The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Agreement nonconformity | Closed |
7 | Data in transit is not encrypted as required by the DSFC, however, the Trust reported that transit is via a private network. | Information Transfer | Data flowing to Microsoft Azure is encrypted in transit. However, The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Agreement nonconformity | Closed |
8 | The DSA requires staff that access the data to be substantive employees of the Trust. The Trust should inform DARS of its intention to allow one researcher who left the Trust in March 2020 to process the data through a ‘research passport’. | Operational Management | The Trust has provided a copy of the Honorary Contract template to the Audit Team. However, The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Observation | Closed |
9 | The Trust should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA prior to any processing. | Operational Management | The Trust has confirmed DPIAs are used for new or changed systems or services, but they are not used for research studies as a general rule. Research studies are documented via the Caldicott form and if any concerns are picked up as part of that process a DPIA would be considered. The Audit Team has seen a copy of the Caldicott form for the data it holds from NHS England for this research project. | Observation | Closed |
10 | The Information Asset Owner (IAO) should consider completing specialist IAO training. | Operational Management | A review of IAOs was undertaken and there are plans to rollout training to all Band 8s or above. The Audit Team has seen a document which sets out the training for IAOs. | Opportunity for improvement | Closed |
11 | The Trust should ensure appropriate teams and stakeholders review any new DSFC and DSA so the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Opportunity for improvement | Closed |
12 | The Research and Development department should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Opportunity for improvement | Closed |
13 | At the post audit review, the Audit Team will look at: | Operational Management | The Trust declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by DARS confirming the destruction of the data. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 18 October 2023 2:09 pm