NHS England Data Sharing Remote Audit: University of Glasgow
This report records the key findings of a remote data sharing audit of the University of Glasgow and the Nottingham University Hospitals NHS Trust in December 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the University of Glasgow (UoG) and the Nottingham University Hospitals NHS Trust (NUH) between 12 and 15 December 2022. It provides an evaluation of how the UoG and the NUH conform to the requirements of:
- the data sharing framework contracts (DSFC):
- CON-329582-W2T4D-v2.01 (UoG)
- CON-303563-Q4S3W-v2.01 (NUM)
- the data sharing agreement (DSA) DARS-NIC-72626-V4P9B-v4.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES): Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest Available 02/2022 |
| HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2004/05 - 2019/20 |
| HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 - 2019/20 |
| HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 - 2004/05 2017/18 - 2019/20 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2008/09 - 2019/20 |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | 2012/13 - 2019/20 |
| Bridge file: HES to Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | Latest Available 02/2022 |
| Medical Research Information Service (MRIS) - Flagging Current Status Report | Identifiable, Sensitive | Latest available |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Latest available |
| MRIS - Cause of Death Report | Identifiable, Sensitive | Latest available |
| Demographics | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
| Cancer Registration Data | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
The joint Controllers are the UoG and the NUH. The NUH does not store or process any data supplied under this DSA.
The DSA relates to a research study on a sub-group of hepatitis C virus (HCV) infected individuals with cirrhosis (the STOP-HCV Cirrhosis Cohort) in the HCV Research UK cohort. To enhance the study, the number of patients was expanded to include data from a further 2500 individuals provided by HCV Research UK. HCV Research UK is a consortium of clinicians and scientists with particular interest in HCV that was funded by the Medical Research Foundation to establish a national cohort to facilitate research into all aspects of this infection. STOP-HCV was a Medical Research Council funded study, underpinned by clinical data and samples provided by HCV Research UK, that focussed on developing stratification models to enhance clinical decisions on treatment options to cure infection and understand mechanisms of disease that may affect treatment outcome. The UoG and the HUH were critical partners for HCV Research UK and both were members of the STOP-HCV consortium. The NUH is the clinical sponsor of both HCV Research UK and the STOP-HCV Cirrhosis study and oversees the ethical execution of these studies.
The data requested under this agreement is disseminated to and stored at the Robertson Centre for Biostatistics (RCB) at the UoG.
This report also considers whether the UoG, the NUH and the RCB conform to their own policies, processes and procedures, as appropriate.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
As the RCB is responsible for the storage and processing of data, the audit focussed primarily on the RCB.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The UoG, the NUH and the RCB have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoG, the NUH and the RCB will establish a corrective action plan to address each finding shown in the findings tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with the UoG, the NUH and the RCB to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 9 agreement nonconformities, 1 organisation nonconformity, 1 observation, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
In addressing a finding, the data recipient must take account of any referenced supplementary notes.
UoG and NUH
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 |
The UoG and the NUH should review their joint Controller arrangement in anticipation of the next iteration of the DSA. |
Access Control | Opportunity for improvement |
RCB
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 2 |
Data are being stored at a location that is not declared on the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. |
Access Control | DSA, Annex A, section 2b | Agreement nonconformity | |
| 3 |
Weekly backup tapes stored offsite at a third-party location are not encrypted. The RCB enabled encryption during the audit. |
Access Control | DSFC, Schedule 2, Section A, Clause 4.7 | Agreement nonconformity | |
| 4 | The network attached storage device is running an unsupported operating system. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 5 | The RCB has not included the data received under this DSA on an Information Asset Register (IAR), nor has the RCB clearly identified the Information Asset Owner (IAO). | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity | |
| 6 | The RCB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity | |
| 7 | A Data Protection Impact Assessment (DPIA) or screening questionnaire has not been completed for the study utilising the data provided under this DSA. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity | |
| 8 | Data in transit between the processing and storage locations is not encrypted as required by the DSFC. However, the RCB reported that transit is limited to a private network with all associated equipment owned by the RCB. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity | 1 |
| 9 | Recent publications in relation to the study did not include sufficient acknowledgement to the source of the data as required by the DSFC. | Use and Benefits | DSFC, Part 2: Terms and Conditions, Clause 3.13 | Agreement nonconformity | |
| 10 | A security assessment has not been performed on the safe haven infrastructure. RCB stated that it intends to conduct an assessment early in 2023. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 11 | On transferring the downloaded data from the PC to the network attached storage device, the data was logically deleted from the PC rather than using the secure deletion process documented in the Data Archival and Removal procedure. | Information Transfer | UoG, Data Archival and Removal procedure v5, section 5.2 | Organisation nonconformity | |
| 12 | The RCB’s overall approach to risk classification is not consistent with the UoG Information Risk Classifications document. | Risk Management | UoG, Information Risk Classifications, v1.03 | Observation | |
| 13 | The RCB Information Security Management policy should record the timescales for reporting security incidents to data providers. | Operational Management | Opportunity for improvement | ||
| 14 | The RCB should update its training policy to check that affiliate status employees have undertaken appropriate information governance/data protection training during the year. | Operational Management | Opportunity for improvement | ||
| 15 | At the post audit review, the Audit Team will follow up the results of the user account review expected to take place in January 2023. | Access Control | Follow-up |
Supplementary notes
The following note refers to the tables above and provides additional commentary on the linked finding.
Note 1.
One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent). If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by the Auditee, then the link need not be encrypted. NHS England reserves the right to review this assessment.
Use of data
The RCB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The RCB confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| UoG / RCB | UK |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoG/RCB | Tape | 1 year |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the value of the data supplied under this DSA was demonstrated through the projects they have undertaken with NHS organisations.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 April 2023 4:23 pm