NHS England Post Audit Review: Genomics England
This report provides the formal closure of the remote data sharing audit of Genomics England Limited (GE) March 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Genomics England Limited (GE) between 7 and 14 March 2022 against the requirements of
- the data sharing framework contract (DSFC) CON-368648-M3S4Z v2.01
- the data sharing agreement (DSA) DARS-NIC-12784-R8W7V-v8.6
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Bridge file: Hospital Episode Statistics (HES) to Mental Health Minimum Data Set | Pseudo/Anonymised, Non-sensitive | Historic Data Request |
Bridge file: HES to Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | Historic Data Request |
HES Critical Care | Identifiable, Non-sensitive | 2008/09 - 2021/22_M10 |
Diagnostic Imaging Dataset | Identifiable, Non-sensitive | 2008/09 - 2019/20_M13 |
Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2017/18 - 2020/21_M10 |
Mental Health Minimum Data Set | Identifiable, Sensitive | 2006/07 - 2014/15 |
Mental Health and Learning Disabilities Data Set | Identifiable, Sensitive | 2014/15 - 2015/16 |
Medical Research Information Service (MRIS) - Members and Postings Report | Identifiable, Sensitive | May 2016 - March 2020 |
HES Admitted Patient Care | Identifiable, Sensitive | 1989/90 - 2021/22_M10 |
HES Outpatients | Identifiable, Sensitive | 2003/04 - 2021/22_M10 |
HES Accident and Emergency | Identifiable, Sensitive | 2007/08 - 2019/20_M12 |
MRIS - Flagging Current Status Report | Identifiable, Sensitive | May 2016 - March 2020 |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | May 2016 - March 2020 |
MRIS - Cause of Death Report | Identifiable, Sensitive | May 2016 - March 2020 |
MRIS - List Cleaning Report | Identifiable, Sensitive | May 2016 - March 2020 |
Patient Reported Outcome Measures (Linkable to HES) | Identifiable, Sensitive | 2009/10 - 2019/20_M13 |
Mental Health Services Data Set | Identifiable, Sensitive | 2016/17 - 2020/21 |
Demographics | Identifiable, Sensitive | Latest Available |
Civil Registration - Deaths | Identifiable, Sensitive | Latest Available |
Cancer Registration Data | Identifiable, Sensitive | Latest Available |
The Controller is GE and the Processors are Amazon Web Services (AWS), UKCloud Limited, Lifebit Biotech Limited (Lifebit) and Microsoft UK (undeclared on DSA). AWS, UKCloud Limited and Microsoft UK do not have access to the data and only provide cloud hosting services.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment and video calls covering the action plan and supporting evidence supplied by GE between June 2023 and August 2023.
Post Audit Review Outcome
Based on the evidence provided by GE, the Audit Team has closed the nonconformities and points for follow-up.
Please note that 1 opportunity for improvement has been classified as “No longer applicable” and this finding may be subject to further review by NHS England if GE submits a new application.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Updated Risk Statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Current Risk Statement: Low
Findings
The following table identifies the 6 agreement nonconformities, 5 opportunities for improvement and 6 points for follow-up raised as part of the audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Patient Reported Outcome Measures (PROMS) data has been shared with commercial organisations which is prohibited by the DSA. | Use and Benefits | The PROMS data has been removed from the research environment and the process will not include PROMS data in future releases. GE provided copies of the destruction certificates that were given to DARS relating to the deletion of the data provided under this DSA. | Agreement nonconformity | Closed |
2 | Data are being stored within secure cloud-based UK data centres whose locations were not declared on the DSA. | Information Transfer | The DSA has been updated to reference locations. DARS-NIC-12784-R8W7V-v12.5 shows the revised processing and storage locations. | Agreement nonconformity | Closed |
3 | The Audit Team found two users employed by Lifebit, that were selected from a sample, had not completed data protection training in the last 12 months. | Operational Management | GE provided a report of the Lifebit training records to show that all Lifebit employees that work with GE had completed Cyber Security and GDPR training in the last 12 months. All new Lifebit employees working with data supplied under the DSA will receive the GE Protection and Information Security training on induction, then Lifebit’s own data protection training will be undertaken annually. GE will review Lifebit training records to ensure staff are compliant | Agreement nonconformity | Closed |
4 | Dormant accounts are not being managed in line with the requirements of the DSFC. Also, there is no regular review of access to the data via GE user accounts and privileged accounts. | Access Control | GE has performed a review of dormant accounts and deactivated those no longer required. GE have moved to Okta identity management to provide access to the AWS hosted research environment and have documented a review process to identify and delete dormant accounts. | Agreement nonconformity | Closed |
5 | There is no comprehensive Information Asset Register (IAR) to cover the data supplied under the DSA. Instead, information is spread across different documents. | Operational Management | GE have created an IAR using the Information Commissioner’s Office (ICO) template. A copy of the IAR was provided to the Audit Team for review. GE are looking to further strengthen their information asset and risk management processes by procuring CoreStream risk management software to assist them in identifying, assessing and controlling risks to their business operations. (DSFC, Schedule 2, Section A, Clause 3.2) | Agreement nonconformity | Closed |
6 | The DSA needs to: | Use and Benefits | These points have all been added to the DSA and the updated sections 2c, 5a and 5b of DARS-NIC-12784-R8W7V-v12.5 have been populated with this information. | Agreement nonconformity | Closed |
7 | Publications that are prepared using data provided by NHS Digital should recognise the source of the data as being from NHS Digital, where possible. | Use and Benefits | GE will add wording to their publication approval standards to ensure that researchers add an acknowledgement to NHS England in publications prepared using data provided under the DSA before the GE Research Management team approve them. No publications have been created since the original audit | Opportunity for improvement | No longer applicable |
8 | GE should consider implementing multi-factor authentication for all third-party accounts. | Access Control | GE have moved to Okta identity management to provide access to the AWS hosted research environment and are using it to provide multi-factor authentication for third-party accounts. | Opportunity for improvement | Closed |
9 | GE should perform a risk assessment to ensure any derived risk is acceptable or managed through the availability of user owned datasets, which can be uploaded to a private location on AWS. | Risk Management | GE have performed a risk assessment. Their Senior Information Risk Owner (SIRO) has provided an assurance statement outlining the controls and mitigations considered during the assessment, along with their decision on the risk. The risk has been recorded in the latest revision of the Data Protection Impact Assessment (DPIA) for the 100k Project. | Opportunity for improvement | Closed |
10 | GE should include the sub-licensing process in its future internal audit programme to ensure it is fully compliant with the requirements of the DSFC, DSA and also GE’s own policies and procedures. For example, the application process, the approval process, the use of accounts, the Airlock process and any outputs. | Operational Management | The SIRO and Director of Assurance have examined the controls in place for the application processes. They are satisfied by the level of due diligence applied to each application and the controls in place for the Airlock process to identify where handling of data may contravene a sub licensing agreement. The SIRO has provided an assurance statement to the Audit Team to detail the review and its outcome. | Opportunity for improvement | Closed |
11 | GE should update the Data Protection Framework and remove the reference to the De-identification Policy which has been archived. | Operational Management | The reference to the De-identification Policy has now been removed from the Data Protection Framework document. | Opportunity for improvement | Closed |
12 | At the post audit review, the Audit Team will: | Operational Management | The IAO and IAA have been identified and recorded in the IAR. A copy of the IAR was provided to the Audit Team for review. A training needs analysis has been performed and identified relevant data protection training for the specialist roles. Training was provided for these roles in January 2023. | Follow-up | Closed |
13 | At the post audit review, the Audit Team will look at the implementation by GE to reduce the number of touchpoints of the data. The work has been commissioned by GE for better handling of the data and ultimately the destruction of the data. | Information Transfer | GE have revised the data flow to remove touchpoints for identifiable data on local user machines and SharePoint as it is released into the research environment. No data was processed in this environment whilst the work was being completed. The Audit Team were provided with documentation supporting the new data flow and process. | Follow-up | Closed |
14 | At the post audit review, the Audit Team will check that the latest sub-licensing agreements (GeCIP and Data Access Agreement) have been provided to NHS Digital for review. The last time these agreements were supplied to DARS was in 2019. | Operational Management | The documentation was provided to DARS in July 2022. | Follow-up | Closed |
15 | At the post audit review, the Audit Team will review evidence that the latest revision to the Data Protection Impact Assessment (DPIA) has been reviewed and approved. | Operational Management | GE provided a copy of the DPIA and correspondence to confirm that it had been reviewed and approved by the SIRO, DPO and Caldicott Guardian. | Follow-up | Closed |
16 | At the post audit review, the Audit Team will check a certificate of destruction (CoD) has been completed by GE to cover the data held at a cloud provider, and the CoD has been approved by NHS Digital. | Data Destruction | CoDs have been provided to show that data has been deleted from equipment held on the cloud hosted equipment of the previous provider. | Follow-up | Closed |
17 | At the post audit review, the Audit Team will review the most recent validation report and supporting action plan. | Access Control | The validation report and action plan were provided and reviewed with the SIRO. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 30 October 2023 1:44 pm