NHS England Post Audit Review: Hull Health Trials Unit
This report provides the formal closure of the remote data sharing audit of the Hull Health Trials Unit at the University of Hull where the interviews were conducted in July 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the Hull Health Trials Unit (HHTU) at the University of Hull (UoH) where the interviews were conducted between 5 and 8 July 2022. It provides an evaluation of how the HHTU conforms to the requirements of the:
- Conditional Approval letter, dated 6 September 2021
- Data Sharing Contract ODR2021_179
- organisation’s own policies, processes and procedures.
This contract, initiated by Public Health England (PHE), was novated to NHS Digital on 7 October 2021.
This contract covers the provision of the following datasets, limited to those patients who met the study’s inclusion criteria:
Dataset | Classification of data | Dataset period |
---|---|---|
National Cancer Registration and Analysis Service (NCRAS) - AT_Patient_England | Pseudonymised | 2016 - 2017 |
NCRAS - AT_Tumour_England | Pseudonymised | 2016 - 2017 |
NCRAS - AT_Treatment_England | Pseudonymised | 2015 - 2018 (note 1) |
NCRAS - AT_Pathway_England | Pseudonymised | 2016 - 2018 (note 1) |
Hospital Episode Statistics (HES) Admitted Care data | Pseudonymised | 2015 - 2018 (note 1) |
Diagnostic Imaging Data | Pseudonymised | 2015 - 2017 (note 1) |
Note 1: approximate date ranges, as the data includes records occurring in a period before and/or after a diagnostic date field in AT_Tumour_England.
The Controller is the UoH and the Processor is AIMES. All processing of the data is undertaken by the HHTU in the Data Safe Haven (DSH) which is owned and operated by AIMES.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the HHTU between March and May 2023.
Post audit review outcome
Based on the evidence provided by the HHTU, the Audit Team has closed the nonconformities and observation. Although no further action is required by the Audit Team, there are 5 opportunities for improvement and 1 point for follow-up still open, and the HHTU should complete the actions against these findings.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Low
Current Risk Statement: Low
Data recipient’s acceptance statement
The HHTU has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 4 organisation nonconformities, 1 observation, 11 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
HHTU
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | No Data Protection Impact Assessment (DPIA) or screening questionnaire has been completed for the study utilising the data provided under this Contract. | Operational Management | The HHTU has changed the Data Safe Haven Project Management Standard Operating Procedure (SOP), v3.0, and Change to DSH project onboarding SOP, v3.0, to mandate the completion of a DPIA prior to project onboarding. Copies of these SOPs and a completed DPIA, dated 01/03/2023, for the study utilising the data provided under this Contract were supplied to the Audit Team. | Organisation nonconformity | Closed |
2 | A data classification has not been assigned to the data in accordance with the UoH Data Classification and Handling Policy. | Operational Management | The HHTU has added a data classification section to its Record of Processing Activities (ROPA). The definition for data classification is taken from the UoH Data Classification Policy. A copy of the updated ROPA was supplied to the Audit Team. | Organisation nonconformity | Closed |
3 | The HHTU risk register is to be aligned with the University’s risk management procedure. Currently, the UoH has given a grace period for established local risk registers to adopt the University’s defined template. | Risk Management | The HHTU has ported its risk register to the UoH template, and the risk scores were confirmed by the HHTU Information Governance (IG) Group. A copy of the new risk register was supplied to the Audit Team. | Observation | Closed |
4 | The DPIA for the DSH should be updated to reflect recent changes. Thereafter, the HHTU should review the DPIA on a regular basis, or when a change is made. | Operational Management | The HHTU is planning to update its Data Protection SOP to mandate an annual review of DPIA or prior to significant changes being made to the service. No change has yet been made. | Opportunity for improvement | Open, but not for follow-up |
5 | The HHTU should determine whether it is feasible and practical to download data directly into the DSH rather than using an intermediary laptop. | Information Transfer | The HHTU, in conjunction with AIMES, has implemented 3 solutions for receiving data directly into the DSH with no touch point on local hardware. The HHTU stated that the most appropriate solution for a project will be assessed as part of project onboarding. The details for the 3 solutions were shared with the Audit Team. | Opportunity for improvement | Closed |
6 | The HHTU should review its terminology with respect to specific roles and responsibilities to ensure consistency across its documentation. | Operational Management | The HHTU reported that it is engaging with the UoH IG team to align standard terminology. | Opportunity for improvement | Open, but not for follow-up |
7 | The HHTU should consider providing specialist role-based training where necessary, for example, Information Asset Owner (IAO). | Operational Management | The HHTU reported that the central UoH IG team is in the process of developing a handbook to support system and asset owners. Once finalised, the HHTU team will adopt the handbook as a requirement for all staff with those roles. | Opportunity for improvement | Open, but not for follow-up |
8 | The HHTU should determine what additional reporting is available from AIMES, to enhance its own monitoring and audit activities. | Access Control | The HHTU reported the DSH admin team continues to receive a comprehensive suite of monthly reports from AIMES on activity. Discussion on further reporting capabilities is handled through monthly service review meetings. Since the audit, the HHTU reported it had additionally requested confirmation of all permissions applied to projects within the environment. | Opportunity for improvement | Closed |
9 | The HHTU may wish to hold periodic formal service review meetings with AIMES. Such meetings should be documented. | Operational Management | The HHTU reported monthly service reviews have been established with AIMES for which minutes are taken. Copies of minutes for service reviews between September 2022 and February 2023 were supplied to the Audit Team. | Opportunity for improvement | Closed |
10 | The HHTU should conduct formal reviews of the folder permission settings. It does, however, receive monthly records from AIMES which would allow it to observe some inappropriate activity. | Access Control | A requirement to check user permissions in the project folders in the DSH has been added to a number of documents, including the Data Safe Haven Project Management SOP v3.0. A new document “Test of user permissions within the DSH”, V1 dated 21.02.2023, has also been published. A recent audit of project permissions identified a small number of anomalies for which a ticket with AIMES to correct the permissions has been raised. Copies of the revised documentation plus the ticket were supplied to the Audit Team. At present, the HHTU is still to request the provision of a regular report (for example, monthly) listing all user permissions as part of its routine monitoring checks. | Opportunity for improvement | Open, but not for follow-up |
11 | The UoH may wish to review whether desktops being used for research should be encrypted prior to the organisation’s move to Windows 11 where such machines will be encrypted by default, if possible. | Access Control | The HHTU reported the entire Medical Building is moving to docking stations with staff issued managed and encrypted laptops. Most research staff now have an encrypted laptop. Work on the UoH migration to Windows 11 is ongoing. | Opportunity for improvement | Closed |
12 | The UoH may wish to make the risk management training presentation, or a variation, available to staff, and communicate its availability. The UoH may also wish to expand upon its risk appetite statement as part of its risk management documentation. | Risk Management | The HHTU stated work around wider UoH risk management training was ongoing. | Opportunity for improvement | Open, but not for follow-up |
13 | The HHTU should consider when a project is closed, whether personal folders within the DSH could be closed immediately, instead of being retained for a set period of time. | Operational Management | The HHTU has updated its Data Safe Haven Project Management SOP v3.0 and associated templates to include the option to immediately close personal folders when a project comes to an end. Copies of the SOP and associated templates were supplied to the Audit Team. | Opportunity for improvement | Closed |
14 | The Audit Team suggested that the HHTU ensures appropriate teams and stakeholders review any new contractual documentation to ensure that they are fully aware of their responsibilities and are fully compliant. For example, the NHS Digital contract is more specific regarding data in transit. | Operational Management | The HHTU stated the DSH Admin team will review the DSA to ensure that standard DSH process does not breach the terms of the DSA or the DSFC. Checks have been added to the Project Onboarding and Project Amendment templates to record when the DSA was reviewed. The Audit Team noted that these mandated reviews place the responsibility for informing stakeholders on the DSH Admin team. | Opportunity for improvement | Closed |
15 | At the post audit review, the Audit Team will review the status of the research and the availability of any resulting publications. | Use and Benefits | A researcher has started work on analysing the data and hopes to be presenting at conferences and publishing later this year. | Follow-up | Open, but not for follow-up |
AIMES
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
16 | AIMES to delete one of its conflicting policies and review those policies that have not been reviewed for a while. It should also remove any redundant references from its policies as part of future reviews. | Operational Management | AIMES reported that the Access Control List Policy had been deprecated, and other policies had been reviewed. Copies of the following policies were provided to the Audit Team: | Organisation nonconformity | Closed |
17 | AIMES to either keep its review logs current or rescind their use. | Operational Management | The User Access Rights Schedule has been updated and a copy of the schedule dated 13 December 2022 was supplied to the Audit Team. | Organisation nonconformity | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 10 July 2023 11:09 am