
NHS England Data Sharing Remote Audit: University College London

This report records the key findings of a remote data sharing audit of University College London in March and April 2023. 

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of University College London (UCL) between 27 March and 3 April 2023. It provides an evaluation of how UCL and its Processors conform to the requirements of:

  • the data sharing framework contract (DSFC) CON-321538-B5D8B-v2.01
  • the data sharing agreement (DSA) DARS-NIC-51342-V1M5W-v4.10 (expired in December 2022, though UCL had an ongoing application at the time of the audit) 
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 1997/98 - 2021/22_M08 |
| HES - Critical Care | Identifiable, Non-sensitive | 2008/09 - 2021/22_M08 |
| HES - Outpatients | Identifiable, Non-sensitive | 2003/04 - 2021/22_M08 |
| HES - Accident and Emergency | Identifiable, Non-sensitive | 2007/08 - 2019/20_M12 |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2020/21 - 2021/22_M08 |

The Controller is UCL and the Processors are the University of Essex (UoE) and Amazon Web Services (AWS). AWS provide cloud storage services to UCL.

The Centre for Longitudinal Studies (CLS) at UCL is an academic resource centre responsible for producing and disseminating data resources for the scientific community. This DSA covers data access granted to UCL for the purpose of the Next Steps study.

The UK Data Service (UKDS), hosted by the University of Essex, provides access to high-quality data to meet the data needs of researchers. The DSA allows UCL to onwardly share linked HES, ECDS and CLS information with researchers under a sub-licensing model via the UKDS Secure Lab.

Next Steps, previously known as the Longitudinal Study of Young People in England, follows the lives of around 16,000 people in England born in 1989-90. It is the largest and most detailed research study of its kind trying to understand the changing experiences of this generation. As such, Next Steps has already been highly valuable in informing policy decisions and in enhancing understanding of how specific Government policies can influence and shape the lives of young people.

Linking health data from HES to the Next Steps survey data has greatly increased the possibilities for using the cohort to study how health outcomes affect the individual and aspects of their life such as work, relationships and family life and, likewise, how health outcomes relate to individual behaviours and the social or economic determinants of health behaviours such as drug and alcohol use, sexual health, diet and exercise.

The inclusion of HES data has also helped identify which cohort members have been admitted to or attended hospital, leading to a better understanding of how health conditions could be better treated or supported. ECDS data was made available to UCL in October 2022; however, it has not yet been processed or shared.

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information Transfer
  • Access Control
  • Data Use and Benefits
  • Risk Management
  • Operational Management and Control
  • Data Destruction

Restrictions

Access control - limited visibility of physical controls


Overall risk statement

Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

UCL and UoE have reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

UCL and UoE will establish a corrective action plan to address each finding shown in the findings tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with UCL and UoE to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings. 


Findings

The following tables identify the 2 agreement nonconformities, 10 opportunities for improvement and 5 points for follow-up raised as part of the audit.

In addressing a finding, the data recipient must take account of any referenced supplementary notes.

CLS / UCL

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | Data are being processed and stored at locations not specified on the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. | Information Transfer | DSA, Annex A, Section 2; DSA, Annex A, Section 1c | Agreement nonconformity |
| 2 | The CLS has not included the obligations from the DSA and DSFC in its data processing agreement with UoE. CLS reported that the sub-licensing model, including the data processing agreement, had previously been agreed between them and NHS England in 2019. It was also noted that CLS had shared previous versions of the DSAs with UoE to make them aware of the obligations. | Operational Management | DSFC, Part 2, clause 4.1.6 | Agreement nonconformity |
| 3 | The CLS should consider adding a field in the application register to include details on outputs. | Use and Benefits | | Opportunity for improvement |
| 4 | The CLS should develop supporting documentation that makes clear which recommendations / outcomes the Data Access Committee (DAC) can make and whether an application that is not fully approved needs to be returned to the DAC for further review. | Operational Management | | Opportunity for improvement |
| 5 | The CLS should consider improving the local risk register by including the status of risks, post-mitigation risk scores, mitigation steps and risk review dates. | Risk Management | | Opportunity for improvement |
| 6 | Meetings between the CLS and the UoE should be documented. The CLS should ensure that risks in relation to processing of the data by the UoE are formally documented. | Operational Management | | Opportunity for improvement |
| 7 | The CLS should consider updating the Data Processing Impact Assessment (DPIA) and Record of Processing Activities (ROPA), which include a description of processing undertaken by the UoE, to include a sign-off section for the UoE to confirm that it has reviewed the documents. | Operational Management | | Opportunity for improvement |
| 8 | At the post audit review, the Audit Team will review the updated DSA to ensure the details on the role of the DAC have been correctly reflected. | Use and Benefits | | Follow-up |
| 9 | At the post audit review, the Audit Team will review the updated DSA to check that details have been included on where users can access the data. During the audit, the CLS stated that this is being addressed in the ongoing application. It was noted that CLS had confirmation from the DARS team in March 2022 that they could continue to work from home providing previous guidance was adhered to. | Access Control | | Follow-up |
| 10 | At the post audit review, the Audit Team will review the progress made on addressing the vulnerabilities identified through the vulnerability scan. | Access Control | | Follow-up |

UKDA / UoE

| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 11 | The risk register should be updated as some of the recorded review dates are not consistent with recent reviews. | Risk Management | | Opportunity for improvement | |
| 12 | The UKDA should review and update the following documentation as they contain duplication of contents: CD-091 Business Continuity Plan / CD-247 Crisis Communications Plan; CD-255 Annual Information Review Procedures / CD174 Information Management Procedures. | Operational Management | | Opportunity for improvement | |
| 13 | The UKDA should consider documenting the approach to patching and associated schedules. | Access Control | | Opportunity for improvement | |
| 14 | The UKDA should consider maintaining internal training records for data protection. | Operational Management | | Opportunity for improvement | |
| 15 | The UKDA should consider defining the dormant account process, including the period of time after which inactive accounts are disabled. | Access Control | | Opportunity for improvement | |
| 16 | At the post audit review, the Audit Team will review the recent security report and any remediation plans put into place. | Access Control | | Follow-up | |
| 17 | At the post audit review, the Audit Team will review the work to implement Multi Factor Authentication (MFA) for Secure Labs. | Access Control | | Follow-up | |

Use of data

The CLS confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with the dataset explicitly allowed in the DSA.

Data location

The CLS and the UoE confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
|---|---|
| CLS / UCL | UK |
| UKDA / UoE | UK |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| CLS / UCL | Disk and Cloud | 90 days |
| UKDA / UoE | Disk | 90 days |

Good Practice 

During the audit, the Audit Team noted the following area of good practice:

  • the CLS was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 30 June 2023 11:32 am