NHS Digital Data Sharing Remote Audit: Warwick Clinical Trials Unit, University of Warwick
This report records the key findings of a remote data sharing audit of the Warwick Clinical Trials Unit at the University of Warwick in November 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Warwick Clinical Trials Unit (WCTU) at the University of Warwick (UoW) between 11 and 18 November 2022. It provides an evaluation of how the WCTU conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-326212-T5G8P-v2.01
- the data sharing agreement (DSA) DARS-NIC-351810-N3G6N-v1.8
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) - List Cleaning Report | Identifiable, Sensitive | March 2016 to June 2016 |
Demographics | Identifiable, Sensitive | Latest available |
Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
The Controller is UoW.
The WCTU required Civil Registration Mortality and Demographics data for the purposes of the Out-of-Hospital Cardiac Arrest Outcomes (OHCAO) project.
Improving patient outcomes from out-of-hospital cardiac arrest (OHCA) is a significant public health issue in the UK and a key priority for the NHS. Every year there are 40,000 OHCAs where resuscitation is commenced or continued by paramedics. Typically, less than 10% of OHCA patients survive to hospital discharge.
The British Heart Foundation (BHF) and the Resuscitation Council UK (RCUK) have funded the development (and continued management) of the OHCAO registry, which records data from ambulance services on all OHCA patients for whom resuscitation was attempted by emergency medical services. The OHCAO registry is hosted and managed by the WCTU.
The WCTU is not currently storing any data provided by NHS Digital; however, the agreement is still active. The data was deleted in 2017 and a certificate of destruction was provided to NHS Digital.
This report also considers whether WCTU conforms to its own policies, processes, and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Routine |
---|---|
Scope areas | Information transfer |
Restrictions | Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The WCTU has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
If the WCTU elects to extend the current DSA or receives further data, then it will need to establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the WCTU to confirm the findings have been satisfactorily addressed. The post audit review would also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 4 observations, 1 opportunity for improvement and 1 point for follow-up raised as part of the audit.
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | Some security assessments have not been performed. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
2 | If the WCTU obtains further data under this DSA, then it must ensure that a formal record is kept of all storage and processing locations. | Information Transfer | DSA, Annex A, Sections 2a and 2b | Observation |
3 | The WCTU is to complete a Record of Processing Activities (ROPA) for the data supplied under any future DSA. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (GDPR) | Observation |
4 | The Information Asset Owner (IAO) needs to review all designated Standard Operating Process (SOP) documents as defined by the UoW Procedure. | Operational Management | UoW Standard Operating Procedure 24 – Essential Training and Training Records | Observation |
5 | The UoW should undertake a training needs analysis for the role of Data Protection Officer (DPO) and determine whether any specialist training is required. | Operational Management | | Opportunity for improvement |
6 | At the post audit review, the Audit Team will review evidence of the actions taken from the ongoing University-wide training needs analysis exercise currently being performed. | Operational Management | | Follow-up |
Use of data
No data is currently held.
Data location
No data is currently held.
Backup retention
No data is currently held.
Good Practice
During the audit, the Audit Team noted the following areas of good practice:
- the WCTU was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England, specifically the analysis of OHCAs
- the WCTU has maintained working practices that were implemented following a previous data sharing audit.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 January 2023 9:52 am