NHS England Data Sharing Remote Audit: University of Sheffield

This report records the key findings of a remote data sharing audit of the School of Health and Related Research at the University of Sheffield in November 2022.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the School of Health and Related Research (ScHARR) at the University of Sheffield (UoS) between 14 and 22 November 2022. It provides an evaluation of how ScHARR conforms to the requirements of both:

the data sharing framework contract (DSFC) CON-313198-X4C5P-v2.0
the data sharing agreement (DSA) DARS-NIC-377644-X9J4P-v1.2

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Hospital Episode Statistics (HES) Critical Care	Identifiable, Non-sensitive	2019/20 – 2020/21_M05
Emergency Care Data Set (ECDS)	Identifiable, Sensitive	2019/20 – 2020/21_M05
GPES Data for Pandemic Planning and Research (COVID-19)	Identifiable, Sensitive	Latest available 09/2020
HES Admitted Patient Care	Identifiable, Sensitive	2019/20 – 2020/21_M05
Demographics	Identifiable, Sensitive	Latest available
Civil Registration - Deaths	Identifiable, Sensitive	Latest available

The UoS is the Controller.

The Pandemic Respiratory Infection Emergency System Triage (PRIEST) study is a National Institute for Health Research (NIHR) funded project aimed at evaluating and optimising the triage of people using the emergency care system (111 and 999 calls, ambulance conveyance, or hospital emergency department) with suspected respiratory infections during the COVID-19 pandemic. In March 2020, the PRIEST study began recruiting patients with suspected COVID-19 attending Emergency Departments at participating NHS Trusts.

In this project, the research team analysed data from emergency department and pre-hospital assessment (by 111 and the ambulance service) and produced a risk-stratification tool to aid decision-making on whether patients should attend hospital, require hospital admission or be referred for high dependency or intensive care.

Historic GPES Data for Pandemic Planning and Research (GDPPR) data, HES data and demographic data was used to obtain more complete information for patients in the cohort on their premorbid status, particularly those with pre-existing medical conditions and routine medication use. These datasets provide information on potential risk factors for deterioration in COVID 19 and other acute respiratory illnesses which may not be comprehensively collected or recorded in an emergency treatment setting.

This report also considers whether ScHARR conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information Transfer Access Control Data Use and Benefits Risk Management Operational Management and Control Data Destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality, and integrity, as appropriate.

Data recipient’s acceptance statement

ScHARR has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

ScHARR will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with ScHARR to confirm the findings have been satisfactorily addressed.

Findings

The following table identifies the 1 agreement nonconformities, 1 organisation nonconformity and 1 opportunity for improvement raised as part of the audit.

Ref	Finding	Link to area	Clause	Designation
1	A third-party data centre, not declared on the DSA, is being used to store the data supplied under the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request.	Information Transfer	DSA, Annex A, section 2b	Agreement nonconformity
2	From a small sample of records that were selected and examined in the equipment asset register, one was found to be inaccurate.	Access Control	ScHARR, Equipment Asset Register	Organisation nonconformity
3	Access reviews of folders and virtual machines (VMs) holding data supplied under this DSA that are conducted in addition to the annual review, should be documented.	Access Control		Opportunity for improvement

Ref

Finding

Link to area

Clause

Designation

A third-party data centre, not declared on the DSA, is being used to store the data supplied under the DSA.

It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request.

Information Transfer

DSA, Annex A, section 2b

Agreement nonconformity

From a small sample of records that were selected and examined in the equipment asset register, one was found to be inaccurate.

Access Control

ScHARR, Equipment Asset Register

Organisation nonconformity

Access reviews of folders and virtual machines (VMs) holding data supplied under this DSA that are conducted in addition to the annual review, should be documented.

Access Control

Opportunity for improvement

Use of data

The UoS confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The UoS confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.

Organisation	Territory of Use
UoS	England and Wales
Third-party organisation	England and Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
UoS	Disk	28 days
Third-party organisation	Disk	28 days

Good Practice

During the audit, the Audit Team noted the following area of good practice:

the value of the data supplied under this DSA was demonstrated through the projects they have undertaken with NHS organisations
a number of changes to working practice made following previous data sharing audits continue to be maintained.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 18 April 2023 9:01 am