NHS England Post Audit Review: IQVIA

This report provides the formal closure of the audit of IQVIA Limited and IQVIA Technology Services Limited in August 2022.

Audit summary

Purpose

This report provides the formal closure of the audit of IQVIA Limited and IQVIA Technology Services Limited (collectively referred to as IQVIA), carried out between 9 and 16 August 2022 against the requirements of:

  • the data sharing framework contracts (DSFC) 
    • CON-290392-M1B6L-v2.01 (IQVIA Limited)
    • CON-315306-L9Z8S-v2.01 (IQVIA Technology Services Limited)
  • the data sharing agreements (DSA) DARS-NIC-373563-N8Z9J-v9.7 and v10.7
  • the organisation’s own policies, processes and procedures 

These DSAs cover the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2018/19 to 2021/22_M11 |
| Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2021/22_M11 |
| HES Out-patients | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2021/22_M11 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2014/15 to 2019/20_M12 |
| HES: Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest available |
| HES: Civil Registration (Deaths) Secondary Care Cut | Pseudo/Anonymised, Non-sensitive | Latest available |
| Summary Hospital-level Mortality Indicator | Pseudo/Anonymised, Non-sensitive | Nov 2017 – Dec 2021 |
| HES-ID to MPS-ID HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2014/15 - 2019/20 |
| HES-ID to MPS-ID HES Out-patients | Pseudo/Anonymised, Non-sensitive | 2014/15 - 2019/20 |

The joint Controllers are IQVIA Limited and IQVIA Technology Services Limited. 

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide. 

As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by IQVIA on 17 April 2023.

Post audit review outcome

Based on the evidence provided by IQVIA, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and IQVIA.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Medium

Current Risk Statement: Low


Data recipient’s acceptance statement

IQVIA has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 1 agreement nonconformity, 4 organisation nonconformities, 1 observation, 3 opportunities for improvement and 2 points for follow-up raised as part of the original audit. 

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | The Certificates of Destruction (CoD) for November 2019, and to a lesser extent January 2019, contained inaccurate dates. The Audit Team suggested that the specific datasets being destroyed, i.e. the associated years, be included on future certificates. | Data Destruction | The IQVIA CoD form template has been updated to reference the specific dataset being destroyed. IQVIA confirmed that all CoD provided from 2023 onwards will contain the correct information. A copy of the IQVIA data destruction process v2, which includes the data destruction form template, was provided to the Audit Team. | Agreement nonconformity | Closed |
| 2 | The HES register contained the wrong information with respect to the relevant service designation for one of the applications reviewed as part of the audit. The Audit Team suggested that the service definitions in the DSA should be slightly improved to avoid ambiguity. | Operational Management | The DSA has been updated to improve the service designations, and is currently awaiting approval by NHS England. The Audit Team will review the updated DSA when finalised. An updated ISEAC ToR v7 referencing the service designations was provided to the Audit Team. | Organisation nonconformity | Closed |
| 3 | IQVIA to revise the risk assessment within the Data Protection Impact Assessment (DPIA) covering the data supplied against this DSA as some of the impact statements are incorrect. The DPIA was reviewed and updated during the audit. | Operational Management | The DPIA was reviewed and updated during the audit. | Organisation nonconformity | Closed |
| 4 | IQVIA to remove the statement in the Record of Processing Activity (ROPA) with respect to honorary contracts. The ROPA was reviewed and updated during the audit. | Operational Management | The ROPA was reviewed and updated during the audit. | Organisation nonconformity | Closed |
| 5 | Recommendations assigned by Independent Scientific Advisory Committee (ISEAC) to applications in 2020 were not consistent with those defined in the ISEAC Terms of Reference (ToR) current at that time. Consistent definitions were formalised in the ToR v6.0 published in May 2022. Also, the approval section at the end of a protocol only allows for a simple “Approved / Not approved” decision. | Use and Benefits | IQVIA have updated the ISEAC ToR v7 and the ISEAC Checklist For Reviewers v3 to specify recommendations. A copy of the updated ToR v7 and Checklist For Reviewers v3 was provided to the Audit Team. It should be noted that the next version of the DSA for 2022/23 excludes the use of ISEAC as an approval mechanism for HES studies. | Organisation nonconformity | Closed |
| 6 | In the absence of an active agreement, IQVIA is to discuss with NHS Digital the level of processing that is permissible until a new agreement is signed. | Use and Benefits | IQVIA have liaised with NHS England and the permissible level of processing has been agreed. The new DSA will outline the level of processing. | Observation | Closed |
| 7 | The ISEAC documentation should be clearer as to how IQVIA may proceed with respect to the defined recommendations and whether a protocol not fully approved needs to be returned to the Chair for further review. | Use and Benefits | IQVIA have updated the ISEAC ToR v7 and the ISEAC Checklist for Reviewers v3 to specify recommendations and follow-up processes. A copy of the updated ToR v7 was provided to the Audit Team. It should be noted that the next version of the DSA will exclude the use of ISEAC as an approval mechanism for HES studies. | Opportunity for improvement | Closed |
| 8 | ISEAC should be specific in its ToR as to what the Quorate includes. | Use and Benefits | IQVIA have updated the ISEAC ToR v7 to specify ISEAC is quorate with review responses submitted in accordance with the ISEAC Standard Operating Procedure v3 from at least five of its members including the Chair and/or the Deputy Chair. A copy of the updated ToR v7 and ISEAC SOP v3 was provided to the Audit Team. It should be noted that the next version of the DSA will exclude the use of ISEAC as an approval mechanism for HES studies. | Opportunity for improvement | Closed |
| 9 | The HES terms and conditions as required by the DSA could be better referenced in the main body of IQVIA contracts with external organisations. | Operational Management | IQVIA confirmed that the following wording has been added to section 9 of the contract template to be used for all future agreements: “This Proposal together with the IQVIA Limited Information Services Terms and Conditions and any additional Appendices to this Proposal shall, upon signing of IQVIA and PHARMA Limited, form a binding agreement between the parties”. A copy of the updated contract was provided to the Audit Team. | Opportunity for improvement | Closed |
| 10 | At the post audit review, the Audit Team will confirm that the issue with respect to only 2 months of data being available in the system logs has been resolved and will look at the latest logs. | Access Control | IQVIA have reached agreement with DARS regarding the retention period. The new DSA will outline the updated retention period. | Follow-up | Closed |
| 11 | At the post audit review, the Audit Team will check whether a CoD has been issued to DARS covering data falling outside of the declared 5 years retention period when the latest datasets have been supplied to IQVIA. | Data Destruction | The DSA has been updated to include the following information: “Upon receipt of 20/21 annual refresh (AR) data for HES Outpatients, Admitted Patient Care and Emergency Care Dataset, data held for annual refresh 15/16 will be deleted. A Data Destruction Certificate will be submitted to NHS Digital for review within one month of receipt of 20/21 AR” The DSA is currently awaiting Advisory Group for Data (AGD) review. | Follow-up | Closed |

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. 

Last edited: 31 August 2023 4:42 pm