
Audit Review: Clinical Trial Service Unit, Clinical Trial Follow-Up Service at University of Oxford

This report provides the formal closure of the remote data sharing audit of the Clinical Trials Service Unit, Clinical Trial Follow-up Service for the Early Breast Cancer Trialists’ Collaborative Group within the Nuffield Department of Population Health at the University of Oxford in May 2022.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the Clinical Trials Service Unit, Clinical Trial Follow-up Service (CTSU-ctfs) for the Early Breast Cancer Trialists’ Collaborative Group (EBCTCG) within the Nuffield Department of Population Health (NDPH) at the University of Oxford (UoO) between 16 and 20 May 2022 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-319043-Y2R5H-v2.01
  • the data sharing agreement (DSA) DARS-NIC-148204-7B1XT-v7.9

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | August 1990 – November 2016 |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | August 1990 – November 2016 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | August 1990 – November 2016 |
| MRIS – Cause of Death Report | Identifiable, Sensitive | August 1990 – November 2016 |

 

The Controller is the UoO.

This report also considers whether the CTSU-ctfs conforms to its own policies, processes and procedures.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the CTSU-ctfs in January 2023. Note that this desk-based assessment took place just before the merger of NHS Digital and NHS England. Therefore, this report references both organisations.

Post audit review outcome

Based on the evidence provided by the CTSU-ctfs, the Audit Team has closed the nonconformities, observation and opportunities for improvement. Although no further action is required by the Audit Team, there is 1 follow-up item still open, and the CTSU-ctfs should complete the action against this finding.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Low

Current Risk Statement: Low


Data recipient’s acceptance statement

The CTSU-ctfs has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 1 agreement nonconformity, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | An internal access review performed prior to the audit (March 2022) by CTSU-ctfs identified 2 members of staff that no longer required access to the raw data. At the time of audit these 2 user accounts were still active. These 2 members of staff are both substantive NDPH employees that are still employed by the University. No other such access reviews had been conducted prior to the March 2022 review. Access for these 2 members of staff was removed during the audit. | Access Control | Access for these 2 members of staff was removed during the audit. The CTSU-ctfs stated access to the data is now reviewed every 6 months. The Audit Team was provided with copies of the reviews conducted in January and July 2022. | Agreement nonconformity | Closed |
| 2 | One member of staff is just outside of the 12-month data protection training window. This member of staff is an emeritus professor with no access to data. | Operational Management | This member of staff does not have access to project data and does not require training. His inclusion in the list of staff with data access and need for training at the time of the audit in May 2022 was an administrative oversight, which has now been resolved. The training co-ordinator at NDPH confirmed the member of staff no longer has a training account. | Observation | Closed |
| 3 | NDPH should consider updating its Information Asset Register (IAR) to record information assets by trial rather than by project. | Operational Management | NDPH shared an updated version of the IAR which now includes details of each trial that had data supplied by NHS Digital. | Opportunity for improvement | Closed |
| 4 | NDPH should consider providing specialist training that is available within the department to the Information Asset Owner (IAO). | Operational Management | Existing training material has been completed by the IAO. | Opportunity for improvement | Closed |
| 5 | NDPH should reconsider its position around its use of local user administrator accounts. | Access Control | The Senior Information Risk Owner (SIRO) at NDPH has decided that the IT Department should remove administrative rights from all standard user accounts. The Audit Team was provided with the details from the management system. | Opportunity for improvement | Closed |
| 6 | NDPH should consider automating encryption of connected unencrypted USB devices. | Access Control | NDPH has stated that rather than a technical solution, a documented policy will instruct staff not to copy data to USB drives. | Opportunity for improvement | Rejected |
| 7 | NDPH should reword the statement in the Information Governance Handbook around reviews of firewall and system logs to reflect current practice. | Operational Management | The Audit Team was provided with a copy of the updated Information Governance Handbook which has been updated with IT current practice. | Opportunity for improvement | Closed |
| 8 | At the post audit review, the Audit Team will review the upcoming publication to check that an appropriate acknowledgement to NHS Digital as the source of data has been included, in line with the new process outlined within the CTSU-ctfs Data Management Standard Operating Procedure. | Use and Benefits | Whilst the CTSU-ctfs had agreed to include an acknowledgement to NHS Digital in forthcoming publications, as a result of the merger the following text should now be used “This work uses data provided by patients and collected by the NHS as part of their care and support”. | Follow-up | Open, but not for follow-up |

 


Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. 

Last edited: 27 April 2023 3:08 pm