NHS England Data Sharing Remote Audit: Nuffield Department of Primary Care Health Sciences at the University of Oxford
This report records the key findings of a remote data sharing audit of the Nuffield Department of Primary Care Health Sciences at the University of Oxford in January 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Nuffield Department of Primary Care Health Sciences (NDPCHS) at the University of Oxford (UoO) between 16 and 20 January 2023. It provides an evaluation of how the NDPCHS conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-319043-Y2R5H-v2.01
- the data sharing agreement (DSA) NIC-382794-T3L3M-v6.7
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2020/21 – 2023/24_M03 |
| COVID-19 Vaccination Adverse Reactions | Pseudo/Anonymised, Non-sensitive | Latest Available |
| Hospital Episodes Statistics (HES)-ID to MPS-ID, HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 – 2019/20 |
| HES-ID to MPS-ID, HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 1997/98 – 2020/21 |
| HES-ID to MPS-ID HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 – 2020/21 |
| COVID-19 Therapeutics Programme Data Set͛ | Pseudo/Anonymised, Non-sensitive | Latest Available |
| HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 1997/98 – 2023/24_M03 |
| HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2023/24_M03 |
| HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 – 2023/24_M03 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 – 2019-20 |
| COVID-19 Hospitalization in England Surveillance System | Pseudo/Anonymised, Sensitive | Latest available, 07/2022 |
| COVID-19 Second Generation Surveillance System | Pseudo/Anonymised, Sensitive | Latest available, 07/2022 |
| COVID-19 Vaccination Status | Pseudo/Anonymised, Sensitive | Latest available |
| SUS plus - Admitted Patient Care (beta version) | Pseudo/Anonymised, Sensitive | Latest available |
| Covid-19 UK Non-hospital Antigen Testing Results (pillar 2) | Pseudo/Anonymised, Sensitive | Latest available |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest available, 07/2022 |
| MSDS (Maternity Services Data Set) v1.5 | Pseudo/Anonymised, Sensitive | 04/2015 – 03/2019 |
The Controller is the UoO, and the Processors are the University of Nottingham and Dancing House Consulting.
The NDPCHS requires access to the above datasets for the purpose of providing a linked research database (QResearch database). The QResearch database consists of coded pseudonymised electronic health records from primary care patients registered with approximately 1,500 General Practices spread throughout the UK. The database has been used and continues to be used by a variety of research projects undertaken by UK universities, from reviewing the safety of antidepressant medicines to studying factors to predict variations in survival rates for cancer patients.
The NDPCHS is responsible for the management of the database and acting as the single point of access for UK universities applying to use the data in the QResearch database.
This report also considers whether the NDPCHS and its Processors conforms their own policies, processes, and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The NDPCHS has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
As the Audit Team has not identified any nonconformities or outstanding information, there is no requirement for the NDPCHS to produce a corrective action plan, therefore, no post audit review will be conducted by the Audit Team.
Findings
The following table identifies the 3 opportunities for improvement raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The NDPCHS should consider removing duplicated administration accounts. | Access Control | Opportunity for improvement | |
| 2 | The NDPCHS should consider storing the encrypted backup tapes in a fire-proof safe. | Operational Management | Opportunity for improvement | |
| 3 | The NDPCHS should consider undertaking an independent risk assessment of the data centre. | Risk Management | Opportunity for improvement |
Use of data
The NDPCHS confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The NDPCHS confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
| NDPCHS | UK |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Period |
| NDPCHS | Tape | To meet contractual requirements |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the NDPCHS was able to clearly demonstrate the value of the data supplied under this DSA has had towards benefitting the provision of health and social care in England, specifically the analysis of the COVID-19 related data.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 May 2023 3:00 pm