NHS England Post Audit Review: Cardiff University
This report provides the formal closure of the remote data sharing audit of the Centre for Trials Research at Cardiff University and its Processor in May 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the Centre for Trials Research (CTR) at Cardiff University and its Processor between 3 and 9 May 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-311457-N2L9D-v2.01
- the data sharing agreement (DSA) DARS-NIC-184980-J5B6C-v8.3
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) - Members and Postings Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS - Flagging Current Status Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 2006 - March 2017 |
MRIS - Cause of Death Report | Identifiable, Sensitive | October 2006 - March 2017 |
The Controller is Cardiff University and the Processor is the University of Birmingham Clinical Trials Unit (BCTU). The current DSA only permits the secure retention of the data; no other processing is allowed.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment, and a video call, of the action plan and supporting evidence supplied by the CTR and the BCTU between February and May 2023.
Post audit review outcome
Based on the evidence provided by the CTR and the BCTU, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Current Risk Statement: Low
Data recipient’s acceptance statement
The CTR and the BCTU have reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 7 agreement nonconformities, 4 organisation nonconformities, 1 opportunity for improvement and 1 point for follow-up raised as part of the original audit.
CTR
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The data storage locations specified on the DSA do not accurately reflect the current locations. | Information Transfer | Individual storage and processing locations are no longer included within a DSA. | Agreement nonconformity | Closed |
2 | There was no evidence to show that user permissions to the NHS Digital data had been reviewed on a regular basis. | Access Control | The CTR stated that its relevant documentation was reviewed and updated following the audit and that there will be an internal review of user permissions every 6 months. The CTR provided a copy of a recently completed review (March 2023). | Agreement nonconformity | Closed |
3 | The asset register for the AML15 trial was not up to date and did not identify the Information Asset Owner (IAO). | Operational Management | The CTR Asset Register has been updated and now includes the IAO. A copy of the asset register was provided to the Audit Team. | Agreement nonconformity | Closed |
4 | The CTR had not reported a security incident relating to the hard copies of the data to the Data Access Request Service (DARS) team. The incident relates to irreversible damage to clinical trial records stored at its third-party offsite storage facility resulting from storm damage in February 2022. The CTR notified DARS of the incident during the audit and has reported it to the MHRA, and it was reported to the Charity Commission centrally through the Cardiff University Governance team. | Operational Management | The CTR provided updated information relating to this incident to the DARS team on 9 June 2022. Furthermore, it confirmed that the incident did not include data sourced from NHS England. | Agreement nonconformity | Closed |
5 | One member of staff with access to the data supplied by NHS Digital had not received data protection training in the last 12 months. | Operational Management | The CTR confirmed that the member of staff had completed their training and provided a screenshot as evidence to the Audit Team. | Agreement nonconformity | Closed |
6 | Patching had not been consistently conducted in accordance with the patching document. | Access Control | The CTR provided screenshots of the latest patches applied to the CTR servers to the Audit Team. | Organisation nonconformity | Closed |
7 | Inconsistencies were found with respect to user permissions in the AML-15 Trial Activity Delegation log. | Access Control | The CTR has updated the Trial Delegation log to include the appropriate personnel within the user permissions section. A copy of the updated delegation log was provided to the Audit Team. | Organisation nonconformity | Closed |
8 | An issue regarding a physical security control around patient paper records located on site in CTR offices was found. | Access Control | The CTR declared that the paper records are now kept in a secure and restricted area. | Organisation nonconformity | Closed |
9 | Cardiff University should document its approach to conducting security assessments. | Access Control | The CTR provided documentation to the Audit Team regarding its approach to security assessments and confirmed that monthly assessments are now taking place. Furthermore, discussions are ongoing in terms of commissioning an independent third-party provider to undertake a security assessment. | Opportunity for improvement | Closed |
10 | At the post audit review, the Audit Team will look at evidence regarding the ONS data downloaded from NHS Digital in April 2017. | Information Transfer | The CTR has subsequently reviewed its data flow diagram and other supporting documentation and confirmed that it has been updated to more accurately reflect all touchpoints. A copy of the supporting document was provided to the Audit Team. | Follow-up | Closed |
BCTU
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
11 | Software had not been recently patched. | Access Control | The BCTU provided evidence to the Audit Team that the patching was up to date. | Agreement nonconformity | Closed |
12 | Security assessments have not been performed. | Access Control | The BCTU provided evidence of a recent security assessment and confirmed that these are now scheduled to be completed monthly. The most recent assessment did not have any critical or high findings. | Agreement nonconformity | Closed |
13 | The BCTU’s data asset register for the AML15 trial contained a number of blank fields. | Operational Management | The BCTU provided an extract from its data asset register which now shows that the blank fields have been completed. | Organisation nonconformity | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 July 2023 3:19 pm