NHS England Post Audit Review: University of Glasgow
This report provides the formal closure of the remote data sharing audit of the University of Glasgow and the Nottingham University Hospitals NHS Trust in December 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the University of Glasgow (UoG) and the Nottingham University Hospitals NHS Trust (NUH) between 12 and 15 December 2022. It provides an evaluation of how the UoG and the NUH conform to the requirements of:
- the data sharing framework contracts (DSFC):
- CON-329582-W2T4D-v2.01 (UoG)
- CON-303563-Q4S3W-v2.01 (NUH)
- the data sharing agreement (DSA) DARS-NIC-72626-V4P9B-v4.2
- the organisations' own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES): Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest Available 02/2022 |
HES Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2004/05 - 2019/20 |
HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 - 2019/20 |
HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 - 2004/05; 2017/18 - 2019/20 |
HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2008/09 - 2019/20 |
Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | 2012/13 - 2019/20 |
Bridge file: HES to Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | Latest Available 02/2022 |
Medical Research Information Service (MRIS) - Flagging Current Status Report | Identifiable, Sensitive | Latest available |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Latest available |
MRIS - Cause of Death Report | Identifiable, Sensitive | Latest available |
Demographics | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
Cancer Registration Data | Pseudo/Anonymised, Sensitive | Latest Available 03/2022 |
The joint Controllers are the UoG and the NUH. The NUH does not store or process any data supplied under this DSA. The data requested under this agreement is disseminated to and stored at the Robertson Centre for Biostatistics (RCB) at the UoG.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment, supported by video calls, of the action plan and supporting evidence supplied by RCB, UoG and NUH between July and August 2023.
Post Audit Review Outcome
Based on the evidence provided by RCB, UoG and NUH, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team or by RCB, UoG and NUH.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
The UoG, the NUH and the RCB have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 9 agreement nonconformities, 1 organisation nonconformity, 1 observation, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
UoG and NUH
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The UoG and the NUH should review their joint Controller arrangement in anticipation of the next iteration of the DSA. | Access Control | The joint controller agreement has been reviewed and signed off by both organisations. A copy of the signed agreement was provided to the Audit Team. | Opportunity for improvement | Closed |
RCB
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
2 | Data are being stored at a location that is not declared on the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller's responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. | Access Control | Individual storage and processing locations are no longer included within a DSA. However, RCB has recorded the storage and processing locations in its Information Asset Register (IAR). | Agreement nonconformity | Closed |
3 | Weekly backup tapes stored offsite at a third-party location are not encrypted. The RCB enabled encryption during the audit. | Access Control | Encryption has been enabled for weekly backups. The configuration of the backup was viewed to confirm this action had been completed. | Agreement nonconformity | Closed |
4 | The network attached storage device is running an unsupported operating system. | Access Control | The data has been migrated to a platform that is running a supported operating system. RCB provided deletion certificates to the Audit Team relating to the removal of data from the network attached storage device running the unsupported operating system. | Agreement nonconformity | Closed |
5 | The RCB has not included the data received under this DSA on an Information Asset Register (IAR), nor has the RCB clearly identified the Information Asset Owner (IAO). | Operational Management | RCB has added the data associated with the study to its IAR and identified the IAO for the study and data. An extract from the IAR relating to the data received under this DSA was provided to the Audit Team. | Agreement nonconformity | Closed |
6 | The RCB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | A ROPA has now been completed with the detail recommended by the Information Commissioner's Office (ICO). A copy of the ROPA was provided to the Audit Team. | Agreement nonconformity | Closed |
7 | A Data Protection Impact Assessment (DPIA) or screening questionnaire has not been completed for the study utilising the data provided under this DSA. | Operational Management | A DPIA has been completed and signed off by the Data Protection Officer. A copy of the DPIA was provided to the Audit Team. | Agreement nonconformity | Closed |
8 | Data in transit between the processing and storage locations is not encrypted as required by the DSFC. However, the RCB reported that transit is limited to a private network with all associated equipment owned by the RCB. | Information Transfer | RCB has added this to the risk register and reviewed the controls and mitigations in place to secure data in transit between the processing and storage locations. The risk was included in the DPIA, which also records the technical security controls in place to mitigate the risk. | Agreement nonconformity | Closed |
9 | Recent publications in relation to the study did not include sufficient acknowledgement of the source of the data as required by the DSFC. | Use and Benefits | RCB will ensure that all future publications include explicit acknowledgement of NHS England as the source of the data. | Agreement nonconformity | Closed |
10 | A security assessment has not been performed on the safe haven infrastructure. RCB stated that it intended to conduct an assessment early in 2023. | Access Control | A security assessment was conducted in January 2023. The report and action plan were reviewed by the Audit Team with the IAO. | Agreement nonconformity | Closed |
11 | On transferring the downloaded data from the PC to the network attached storage device, the data was logically deleted from the PC rather than using the secure deletion process documented in the Data Archival and Removal procedure. | Information Transfer | RCB has revised the Secure Electronic File Transfer (SEFT) download process so that the data is saved directly to the network attached storage server. The documentation covering this procedure has been updated and the Audit Team were provided with a copy for review. | Organisation nonconformity | Closed |
12 | The RCB's overall approach to risk classification is not consistent with the UoG Information Risk Classifications document. | Risk Management | RCB has reviewed its information security risk management framework and aligned it to the requirements of ISO 27001. It has developed and documented guidance for risk scoring and prioritisation. The Audit Team were provided with the documentation for review. | Observation | Closed |
13 | The RCB Information Security Management policy should record the timescales for reporting security incidents to data providers. | Operational Management | RCB has updated its Information Security Manual to include timescales for reporting security incidents to data providers. A copy of the updated document was provided to the Audit Team for review. | Opportunity for improvement | Closed |
14 | The RCB should update its training policy to check that affiliate status employees have undertaken appropriate information governance/data protection training during the year. | Operational Management | RCB has updated the documented standard operating procedure to include information governance and data protection training requirements for staff employed under honorary and affiliate arrangements. A copy of the procedure was provided to the Audit Team for review. | Opportunity for improvement | Closed |
15 | At the post audit review, the Audit Team will follow up the results of the user account review expected to take place in January 2023. | Access Control | RCB conducted an internal audit in June 2023 to identify and remove accounts that were no longer required. Reports of the findings of the review and the subsequent actions taken to delete the accounts were provided to the Audit Team for review. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 November 2023 1:50 pm