NHS England Post Audit Review: University of East Anglia
This report provides an update on progress of the remote data sharing audit of University of East Anglia (UEA) in June 2023.
Audit summary
Purpose
This report provides an update on progress of the remote data sharing audit of University of East Anglia (UEA) conducted between 19 June and 23 June 2023 against the requirements of:
- the data sharing framework contract (DSFC) CON-324412-Y0F4Z-v2.02
- the data sharing agreement (DSA) DARS-NIC-79526-V8F2X-v2.7
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
HES Critical Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
HES Outpatients | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
HES Accident and Emergency | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
Civil Registration of Death Secondary Care Cut | Pseudonymised, Sensitive | Historic Data Request Latest Available |
The Controller is UEA. The At-Risk Registers Integrated into primary care to Stop Asthma crisis in the UK (ARRISA) UK study is performed by the Norwich Medical School and supported by the Norwich Clinical Trials Unit (NCTU) which sits within the School under the Faculty of Medicine and Health at UEA.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review consisted of a desk-based assessment of the supporting evidence supplied by UEA in August 2023 to proactively address and resolve the agreement nonconformities, as well as some of the organisation nonconformities. It will be followed by a second post audit review that will address all remaining findings.
Post Audit Review Outcome
Based on the evidence provided by UEA, the Audit Team has closed all 6 agreement nonconformities, 2 organisation nonconformities, 2 observations and 1 point for follow-up.
3 organisation nonconformities, 2 observations, 6 opportunities for improvement and 3 points for follow-up remain open and require further review by the Audit Team during the second post audit review. The UEA is therefore required to update its action plan to align with this post audit review report.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: High
Current risk statement: Low
Data recipient’s acceptance statement
UEA has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 6 agreement nonconformities, 5 organisation nonconformities, 4 observations, 6 opportunities for improvement and 4 points for follow-up raised as part of the audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The server holding the data provided by NHS England was not installed with the latest software updates. | Access Control | The latest updates were installed on the server during the audit. | Agreement nonconformity | Closed |
2 | There was no evidence to show that user permissions to the NHS England data had been reviewed on a regular basis. | Access Control | User permission reviews are scheduled to be performed annually, or whenever a change is made to permissions. The NCTU Information Asset Register (IAR) has been updated to record all user permission reviews, including each review date and the name of the reviewer. The Audit Team confirmed the latest user permissions review found no issues. The Audit Team also received a copy of the updated IAR. | Agreement nonconformity | Closed |
3 | Security assessments had never been performed on the infrastructure used to store data supplied by NHS England. | Access Control | A security assessment was performed in September 2023. The Audit Team reviewed the outcome of the assessment. The assessment found no critical, high or medium rated findings. | Agreement nonconformity | Closed |
4 | NCTU had not included the data received under this DSA on an Information Asset Register (IAR). | Operational Management | NCTU has updated its IAR to include the data received under this DSA. The Audit Team received a copy of the updated IAR. | Agreement nonconformity | Closed |
5 | NCTU had not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, a ROPA had been completed for the wider NCTU. | Operational Management | NCTU has completed a ROPA for the data supplied under the DSA. The Audit Team received a copy of the completed ROPA. | Agreement nonconformity | Closed |
6 | The Audit Team was unable to verify that the level of encryption applied to data in transit was in line with the requirements of the DSFC. However, UEA reported that transit is via a private network. | Information Transfer | The Audit Team verified that the level of encryption applied to the data in transit is now in line with the requirements of the DSFC. | Agreement nonconformity | Closed |
7 | The server holding the data at rest was not encrypted in line with UEA policy. | Operational Management | The Audit Team verified that the server holding the data at rest is now encrypted in line with UEA policy. | Organisation nonconformity | Closed |
8 | UEA network security vulnerabilities are not being remediated within the period defined in UEA policy. | Access Control | UEA advised that it is working towards remediating any network security vulnerabilities within the period defined in UEA policy. UEA will provide a further update at the second post audit review. | Organisation nonconformity | Open |
9 | Password settings enforced for administrator accounts with access to data provided by NHS England were not in line with the requirements outlined in UEA policy. | Access Control | Password settings enforced for administrator accounts with access to data provided by NHS England are now in line with the requirements outlined in UEA policy. The Audit Team received evidence to confirm this. | Organisation nonconformity | Closed |
10 | No annual review has been performed by the UEA Information Compliance Team regarding incident reporting and handling, as required by UEA policy. | Operational Management | UEA advised that guidance pages are kept under constant review and have been updated three times this year to date. UEA advised that a new Cyber Security Incident Management policy has been drafted and is pending approval. This policy will further clarify incident reporting and handling review processes. UEA will provide a further update at the second post audit review. | Organisation nonconformity | Open |
11 | No audit has been performed on UEA data processing practices, as required by UEA policy. | Operational Management | UEA advised that the Data Protection Policy has been checked regularly but no changes have been required since the last published version. The Data Protection Policy is currently under review and is pending amendments, Data Protection Officer input, change approval and sign-off. UEA will provide a further update at the second post audit review. | Organisation nonconformity | Open |
12 | UEA staff under honorary contract are not required to complete mandatory UEA annual data protection training. In order to comply with the DSFC, UEA should ensure that all staff under an honorary contract complete the UEA annual data protection training. | Operational Management | UEA's People and Culture Division will consider methods to identify those that require further training. UEA will provide a further update at the second post audit review. | Observation | Open |
13 | The operating system of the server being used to store data provided by NHS England was approaching end of support. | Access Control | The Audit Team verified that the data provided by NHS England is now being stored on a server that has a supported operating system. | Observation | Closed |
14 | The current Data Protection Impact Assessment (DPIA) was yet to be finalised and provided to the DARS Team for review. | Operational Management | The DPIA has been finalised and provided to the DARS Team for review. The Audit Team received a copy of this DPIA. | Observation | Closed |
15 | A number of policies and procedures have not been reviewed within their expected timescales. UEA and NCTU recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating. | Operational Management | UEA advised that these policies and procedures are currently under review. UEA will provide a further update at the second post audit review. | Observation | Open |
16 | NCTU should consider reducing the number of touchpoints of the data. | Information Transfer | UEA advised that an assessment is being performed to review whether it is possible to reduce the number of touchpoints. UEA will provide a further update at the second post audit review. | Opportunity for improvement | Open |
17 | UEA should reassess its use of built-in administrator accounts, as recommended by Microsoft. | Access Control | UEA advised that use of built-in administrator accounts is being reassessed. UEA will provide a further update at the second post audit review. | Opportunity for improvement | Open |
18 | UEA and NCTU should consider documenting a formalised starters, leavers and movers process. | Operational Management | UEA will provide an update at the second post audit review. | Opportunity for improvement | Open |
19 | UEA should consider documenting a centralised data destruction policy by combining existing information around data destruction into a single document. | Data Destruction | UEA will provide an update at the second post audit review. | Opportunity for improvement | Open |
20 | UEA should consider expanding the data disposal information available on the staff intranet to include processes for electronic data disposal. | Data Destruction | UEA will provide an update at the second post audit review. | Opportunity for improvement | Open |
21 | UEA should consider documenting the role and responsibilities of UEA Information Asset Owners (IAO) and offer specialist IAO training. | Operational Management | UEA advised that a working group is in place to review this. UEA will provide an update at the second post audit review. | Opportunity for improvement | Open |
22 | At the post audit review, the Audit Team will review tangible outputs from the study due to be completed in November 2023, including: | Use and Benefits | UEA advised that, due to delays in ensuring agreement conformities are actioned prior to downloading data, it is not expecting anything to be published until Q3 or Q4 2024. UEA will provide an update at the second post audit review. | Follow-up | Open |
23 | At the post audit review, the Audit Team will request an update on the ongoing project to install supported operating systems. | Access Control | The Audit Team received an update on the project and confirmation that the server being used to store data supplied by NHS England is installed with a supported operating system. | Follow-up | Closed |
24 | At the post audit review, the Audit Team will review outputs from the working group that is in place to revise the UEA stance on how information assets are recorded and managed. | Operational Management | UEA advised that this is ongoing and outputs are yet to be generated. UEA will provide an update at the second post audit review. | Follow-up | Open |
25 | At the post audit review, the Audit Team will review the UEA revised approach to risk recording, using the newly implemented risk recording software. | Risk Management | UEA advised that a Risk and Business Continuity Manager has been newly appointed and is undertaking a review. UEA will provide an update at the second post audit review. | Follow-up | Open |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 18 October 2023 2:10 pm