NHS England Post Audit Review: Oxford University Hospitals NHS Foundation Trust
This report provides the formal closure of the remote data sharing audit of Oxford University Hospitals NHS Foundation Trust in August 2021.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Oxford University Hospitals NHS Foundation Trust (OUHNHSFT) between 23 and 27 August 2021 against the requirements of both:
- the data sharing framework contract (DSFC) CON-312001-X8W1Y-v2.01
- the data sharing agreement (DSA) DARS-NIC-135294-P7L0F-v2.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | September 2018 to March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | September 2018 to March 2020 |
MRIS – Cause of Death Report | Identifiable, Sensitive | September 2018 to March 2020 |
Demographics | Pseudo/ Anonymised, Sensitive | Latest Available |
Civil Registration - Deaths | Pseudo/ Anonymised, Sensitive | Latest Available |
The Controller is OUHNHSFT, and the Processor is the Nuffield Department of Primary Care Health Sciences (NDPCHS) within the Medical Sciences Division (MSD) at the University of Oxford (UoO).
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS England Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by OUHNHSFT between May and December 2022. During the post audit review the Audit Team held a video call in June 2022, where NDPCHS demonstrated the access location for staff training and awareness courses. Note that this desk-based review took place just before the merger of NHS Digital and NHS England; therefore, this report references both organisations.
Post audit review outcome
Based on the evidence provided, the Audit Team has closed all the findings except for 1 opportunity for improvement. Although no further action is required by the Audit Team, the NDPCHS should complete the action against this finding.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Current Risk Statement: Low
Data recipient’s acceptance statement
OUHNHSFT and NDPCHS have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 2 agreement nonconformities, 1 organisation nonconformity, 3 observations and 10 opportunities for improvement raised as part of the original audit, together with their current status.
OUHNHSFT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Data are being used and stored at locations not declared on the DSA. | Information transfer | The Audit Team confirmed via the Data Access Request Service (DARS) management system that the missing locations have been included in the latest in progress application (DARS-NIC-135294-P7L0F-v3.5). | Agreement nonconformity | Closed |
2 | OUHNHSFT’s Data Security and Protection Toolkit (DSPT) submission is currently not fully met. A special condition stated in the DSA requires this to be rectified within the specified timeframe. | Operational Management | The Audit Team confirmed that OUHNHSFT achieved 21/22 Standards Met for its DSPT submission in June 2022. | Observation | Closed |
3 | OUHNHSFT should consider whether a formal data processing agreement between the Controller and the Processor is required. | Operational Management | OUHNHSFT has considered the finding and decided on this occasion not to have a formal agreement in place. However, OUHNHSFT has produced a data access agreement template that will be used in the future where personal data is shared. A copy of the template agreement was shared with the Audit Team. | Opportunity for improvement | Closed |
4 | OUHNHSFT should consider defining the standard operating process for assessing when a Data Protection Impact Assessment (DPIA) is required. | Operational Management | OUHNHSFT provided a copy of the Research and Development Governance Standard Operating Procedures to the Audit Team, which now includes the process for when a DPIA is required. | Opportunity for improvement | Closed |
NDPCHS
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
5 | NDPCHS does not maintain an up-to-date equipment asset register for equipment associated with data supplied by NHS Digital. | Operational Management | NDPCHS has conducted an inventory of existing equipment assets and provided evidence to the Audit Team. | Agreement nonconformity | Closed |
6 | NDPCHS is not adhering to key sections within UoO Risk Management Policy. | Risk Management | A newly drafted IG Risk Management Policy was shared with the Audit Team. The IG Risk Register now adheres to the policy. | Organisation nonconformity | Closed |
7 | An access control review recently performed by NDPCHS did not challenge one account as having access to data supplied by NHS Digital. Through discussions it was identified that this person no longer required access and, although the account was active, the person was technically unable to access the data. | Access Control | NDPCHS revoked access to the user account in September 2021. Evidence was supplied to the Audit Team to support the action taken. | Observation | Closed |
8 | The journal paper that was recently published in relation to the study described in the DSA did not include a sufficient acknowledgement to the source of the data as required by the DSFC. It is important that an appropriate acknowledgement is included in future publications, including those currently in draft. | Use and Benefits | NDPCHS provided the Audit Team with its latest research publishing guidance. The guidance document provides researchers with the wording to use on all future publications where data supplied by NHS Digital is used. | Observation | Closed |
9 | NDPCHS should undertake a risk assessment of the networking infrastructure between storage locations. | Risk Management | NDPCHS has undertaken a risk assessment and concluded that the networking infrastructure between the storage locations poses a low risk, and no further action is required. A copy of the risk assessment was shared with the Audit Team. | Opportunity for improvement | Closed |
10 | NDPCHS should consider providing risk management training, to ensure staff are aware of the processes for raising, recording and monitoring risks. | Operational Management | NDPCHS shared with the Audit Team its Information Governance Risk Management Policy v1.0, which was developed following the audit. It also shared the training slides, which provide an update on risk management. During the post audit review the Audit Team held a Microsoft Teams call, where NDPCHS demonstrated the access location for staff training and awareness courses. | Opportunity for improvement | Closed |
11 | NDPCHS should update the Information Asset Register (IAR) in relation to the Information Asset Owner for the data supplied by NHS Digital. | Operational Management | NDPCHS provided the Audit Team with the updated IAR which included details on the Information Asset Owner for the data supplied by NHS Digital. | Opportunity for improvement | Closed |
12 | NDPCHS should determine whether it has collected sufficient information to constitute a Record of Processing Activities (ROPA) for the data provided, as required by General Data Protection Regulations (GDPR). NDPCHS may also wish to define ROPA in its Privacy by Design Policy especially for those instances when it is not acting as Controller and therefore not completing a Data Protection Impact Assessment (DPIA). | Operational Management | NDPCHS has produced a ROPA for the processing of data supplied by NHS Digital. A copy of the ROPA was provided to the Audit Team. | Opportunity for improvement | Closed |
13 | The MSD should consider whether in future penetration test reports, the scope could be better defined in terms of inclusions and exclusions. | Access Control | The MSD IT team confirmed that for future penetration testing, the scope will be defined better in terms of inclusions and exclusions. | Opportunity for improvement | Open, but not for follow-up |
14 | NDPCHS should consider providing specialist training. For example, Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training. | Operational Management | The SIRO has completed specialist SIRO training. The Audit Team was supplied with an attendance certificate and training slides to support this action. | Opportunity for improvement | Closed |
15 | NDPCHS should consider adding a footnote to its IT Asset Management policy to state that any removable storage devices which hold data provided by NHS Digital must be included in the equipment asset register. | Operational Management | NDPCHS provided an updated copy of the Equipment Asset Management Standard Operating Procedure (SOP) to the Audit Team. The SOP included the additional wording suggested by the Audit Team. | Opportunity for improvement | Closed |
16 | The Audit Team suggested that all appropriate teams and stakeholders review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | NDPCHS shared with the Audit Team a document which provides an overview of the current contract administration process. This process now includes several steps for improving access to all agreements linked to department research projects. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 20 May 2023 3:25 pm