Post Review Audit: Warwick Clinical Trials Unit, University of Warwick
This report provides the formal closure of the remote data sharing audit of the Warwick Clinical Trials Unit at the University of Warwick in November 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the Warwick Clinical Trials Unit (WCTU) at the University of Warwick (UoW) on 11 and 18 November 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-326212-T5G8P-v2.01
- the data sharing agreement (DSA) DARS-NIC-351810-N3G6N-v1.8
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) - List Cleaning Report | Identifiable, Sensitive | March 2016 to June 2016 |
| Demographics | Identifiable, Sensitive | Latest available |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
The Controller is UoW.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UoW.
Post Audit Review Outcome
Based on the evidence provided by the UoW, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and UoW.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
UoW has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 4 observations, 1 opportunity for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Some security assessments have not been performed. | Access Control | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Observation | Closed |
| 2 | If the WCTU obtains further data under this DSA, then it must ensure that a formal record is kept of all storage and processing locations. | Information Transfer | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Observation | Closed |
| 3 | The WCTU is to complete a Record of Processing Activities (ROPA) for the data supplied under any future DSA. | Operational Management | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Observation | Closed |
| 4 | The Information Asset Owner (IAO) needs to review all designated Standard Operating Process (SOP) documents as defined by the UoW Procedure. | Operational Management | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Observation | Closed |
| 5 | The UoW should undertake a training needs analysis for the role of Data Protection Officer (DPO) and determine whether any specialist training is required. | Operational Management | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Opportunity for improvement | Closed |
| 6 | At the post audit review, the Audit Team will review evidence of the actions taken from the ongoing University-wide training needs analysis exercise currently being performed. | Operational Management | UoW declared it was not going to renew the agreement when it expired. A Data Destruction Certificate has been received by the Data Access Request Service (DARS) confirming the destruction of the data. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 19 October 2023 2:27 pm