NHS England Data Sharing Remote Audit: University of East Anglia
This report records the key findings of a remote data sharing audit of University of East Anglia in June 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of University of East Anglia (UEA) between 19 June and 23 June 2023. It provides an evaluation of how UEA conform to the requirements of:
- the data sharing framework contract (DSFC) CON-324412-Y0F4Z-v2.02
- the data sharing agreement (DSA) DARS-NIC- 79526-V8F2X-v2.7
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
| HES Critical Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
| HES Outpatients | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
| HES Accident and Emergency | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12 |
| Civil Registration of Death Secondary Care Cut | Pseudonymised, Sensitive | Historic Data Request Latest Available |
The Controller is UEA.
The University of East Anglia require pseudonymised secondary care data (hospital admissions, Accident and Emergency (A&E), outpatient and critical care data, and mortality data), for a selected cohort of previously identified patients for the At-Risk Registers Integrated into primary care to Stop Asthma crisis in the UK (ARRISA-UK) study. The study is performed by the Norwich Clinical Trials Unit (NCTU) which sits within the Norwich School of Medicine under the faculty of Medicine and Health at UEA.
Excellent drugs are available for asthma and clear advice on prescribing them should allow asthma to be controlled in most patients. It is known that certain asthma patients are at greater risk of being admitted or dying than others and that targeting intensive support and care to these patients improves their health. The purpose of the study is to determine whether flagging the electronic health records of people identified as being at risk of asthma attacks and training staff on the action to take when seeing the flag reduces asthma related crisis events (defined as hospital admissions, A&E attendances and deaths) over a 12 month period.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS England Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: High
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality, and integrity, as appropriate.
Data recipient’s acceptance statement
UEA has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UEA will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with UEA to confirm the findings have been satisfactorily addressed.
Findings
The following table identifies the 6 agreement nonconformities, 5 organisation nonconformities, 4 observations, 6 opportunities for improvement and 4 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
The server holding the data provided by NHS England is not installed with the latest software updates. |
Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 2 |
There was no evidence to show that user permissions to the NHS England data had been reviewed on a regular basis. |
Access Control | DSFC, Schedule 2, Section A, Clause 4.3 | Agreement nonconformity |
| 3 |
Security assessments have never been performed on the infrastructure used to store data supplied by NHS England. |
Access Control |
DSFC, Schedule 2, Section A, Clause 1.1 |
Agreement nonconformity |
| 4 | NCTU has not included the data received under this DSA on an Information Asset Register (IAR). | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
| 5 | NCTU have not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, a ROPA has been completed for the wider NCTU. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 6 | The Audit Team was unable to verify that the level of encryption applied to data in transit was in line with the requirements of the DSFC. However, UEA reported that transit is via a private network. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity |
| 7 | The server holding the data at rest was not encrypted in line with UEA policy. | Operational Management | UEA ITCS GISP v5.7, Section 18.2 |
Organisation nonconformity |
| 8 | UEA network security vulnerabilities are not being remediated within the period defined within UEA policy. | Access Control | UEA ITCS GISP v5.7, Section 10.3 |
Organisation nonconformity |
| 9 | Password settings enforced for administrator accounts with access to data provided by NHS England were not in line with the requirements as outlined in UEA policy. | Access Control | UEA ITCS GISP v5.7, Section 5 |
Organisation nonconformity |
| 10 | No annual review has been performed by UEA Information Compliance Team regarding incident reporting and handling as required by UEA policy. | Operational Management | UEA ITCS GISP V5.7, Section 5 |
Organisation nonconformity |
| 11 | No audit has been performed on UEA data processing practices as required by UEA policy. | Operational Management | UEA Data Protection Policy v4, Section 4.4 |
Organisation nonconformity |
| 12 | UEA staff under honorary contract are not required to complete mandatory UEA annual data protection training. In order to comply with the DSFC, UEA should ensure that all staff under an honorary contract complete the UEA annual data protection training. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Observation |
| 13 | The operating system of the server being used to store data provided by NHS England is approaching end of support. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
| 14 | The current Data Protection Impact Assessment (DPIA) is yet to be finalised and provided to the DARS Team for review. | Operational Management | DSFC, Schedule 3, General Data Protection Regulation (GDPR) | Observation |
| 15 | A number of policies and procedures have not been reviewed within their expected timescales. The UEA and NCTU recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating. | Operational Management | For example:
|
Observation |
| 16 | NCTU should consider reducing the number of touchpoints of the data. | Information Transfer | Opportunity for improvement | |
| 17 | UEA should reassess its use of built-in administrator accounts as recommended by Microsoft. | Access Control | Opportunity for improvement | |
| 18 | UEA and NCTU should consider documenting a formalised starters, leavers and movers process. | Operational Management | Opportunity for improvement | |
| 19 | The UEA should consider documenting a centralised data destruction policy by combining existing information around data destruction into a single document. | Data Destruction | Opportunity for improvement | |
| 20 | The UEA should consider expanding the data disposal information available on the staff intranet to include processes for electronic data disposal. | Data Destruction | Opportunity for improvement | |
| 21 | The UEA should consider documenting the role and responsibilities of UEA Information Asset Owners (IAO) and offer specialist IAO training. | Operational Management | Opportunity for improvement | |
| 22 | At the post audit review, the Audit Team will review tangible outputs from the study due to be completed in November 2023, including:
|
Use and Benefits | Follow-up | |
| 23 | At the post audit review, the Audit Team will request an update on the ongoing project to install supported operating systems. | Access Control | Follow-up | |
| 24 | At the post audit review, the Audit Team will review outputs from the working group that is in place to revise the UEA stance around how information assets are recorded and managed. | Operational Management | Follow-up | |
| 25 | At the post audit review, the Audit Team will review the UEA revised approach to risk recording, using the newly implemented risk recording software. | Risk Management | Follow-up |
Use of data
UEA confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
UEA confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| UEA | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UEA | Disk | 30 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 31 August 2023 3:00 pm