Post Audit Review: University of Sheffield
This report provides the formal closure of the remote data sharing audit of the School of Health and Related Research at the University of Sheffield in November 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the School of Health and Related Research (ScHARR) at the University of Sheffield (UoS) between 14 and 22 November 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-313198-X4C5P-v2.0
- the data sharing agreement (DSA) DARS-NIC-377644-X9J4P-v1.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Critical Care | Identifiable, Non-sensitive | 2019/20 – 2020/21_M05 |
Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2019/20 – 2020/21_M05 |
GPES Data for Pandemic Planning and Research (COVID-19) | Identifiable, Sensitive | Latest available 09/2020 |
HES Admitted Patient Care | Identifiable, Sensitive | 2019/20 – 2020/21_M05 |
Demographics | Identifiable, Sensitive | Latest available |
Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
The UoS is the Controller.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UoS between 21 July and 2 August 2023.
Post Audit Review Outcome
Based on the evidence provided by the UoS, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and UoS.
Updated risk statement
Based on the results of this post audit review, the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
UoS has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 1 agreement nonconformity, 1 organisation nonconformity and 1 opportunity for improvement raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | A third-party data centre, not declared on the DSA, is being used to store the data supplied under the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. | Information Transfer | Individual storage and processing locations are no longer included within a DSA. ScHARR informed DARS of the undeclared storage location and will record the storage and processing locations in their Data Security and Protection Toolkit (DSPT) security assurance asset register. | Agreement nonconformity | Closed |
2 | From a small sample of records that were selected and examined in the equipment asset register, one was found to be inaccurate. | Access Control | ScHARR have updated their policy on distribution of the asset type in question and these are now assigned directly to a member of staff. A procedure has been documented to support managing these assets to reallocate or dispose of them as necessary on return. The procedure was approved in May 2023 and a copy was provided to the Audit Team. | Organisation nonconformity | Closed |
3 | Access reviews of folders and virtual machines (VMs) holding data supplied under this DSA that are conducted in addition to the annual review, should be documented. | Access Control | ScHARR have added instructions to update relevant records when reviews of the data locations and access take place. A copy of the updated procedure was provided to the Audit Team. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 19 October 2023 2:35 pm