NHS England Data Sharing Remote Audit: Institute for Fiscal Studies
This report records the key findings of a remote data sharing audit of the Institute for Fiscal Studies (IFS) in September 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Institute for Fiscal Studies (IFS) between 16 and 23 September 2024. It provides an evaluation of how IFS conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-305762-B8S7B (Version 2.01)
- the data sharing agreement (DSA) DARS-NIC-17824-V9F2B-v6.4
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES):Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-Sensitive | 1997/98 to 2017/18 |
HES Admitted Patient Care | Pseudo/Anonymised, Non-Sensitive | 1997/98 to 2017/18 |
HES Outpatients | Pseudo/Anonymised, Non-Sensitive | 2005/06 to 2017/18 |
HES Accident and Emergency | Pseudo/Anonymised, Non-Sensitive | 2007/08 to 2017/18 |
Patient Reported Outcome Measures | Pseudo/Anonymised, Non-Sensitive | 2009/10 to 2013/14 |
Civil Registrations of Death – Secondary Care Cut | Pseudo/Anonymised, Sensitive | 1997/98 to 2017/18 |
The Controller is the IFS.
The IFS was founded as an independent research institute, with the principal aim of better informing public debate on economics in order to promote the development of effective fiscal policy. Its research impacts policy makers, think tanks and practitioners and is communicated widely on a national and international scale. On healthcare, IFS focuses on the increased use of market mechanisms within the NHS. They examine the responses of patients, GPs and other healthcare workers to market incentives, and the impacts upon recorded NHS activity and hospital outcomes.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
Audit type | Focussed |
---|---|
Scope areas | Information Transfer |
Restrictions | Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The IFS has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The IFS will establish a corrective action plan to address each finding shown in the findings table in Section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with the IFS to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 5 opportunities for improvement in Section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following table identifies the 6 agreement nonconformities, 4 observations and 1 point for follow-up raised as part of the audit.
Whilst the audit only considered the limited scope areas (Data Use and Benefits, Information Transfer, Access Controls, Operational Management and Control), the Audit Team did note one observation around the destruction of the data which is better classified to a different scope area.
IFS
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | The Audit Team were unable to confirm that the server being used to store data provided by NHS England has received software updates on a consistent basis. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
2 | Not compliant with the technical requirements of the DSFC | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
3 | The data provided by NHS England are not being backed up in line with the requirements of the DSFC and the processes outlined within IFS backup policy. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.5 | Agreement nonconformity |
4 | Security logs are not retained as required by the DSFC and IFS Policy | Access Control | DSFC, Schedule 2, Section A, Clause 4.3 | Agreement nonconformity |
5 | The level of encryption applied to the data in transit was not in line with the requirements of the DSFC. | Access Control | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity |
6 | It was noted by the Audit Team that although version 6.4 of the DSA ended on 30 November 2023, IFS have continued to use the data. The Audit Team confirmed that this was for the projects detailed within version 6.4 of the agreement only. The Audit Team noted the use of the data after the DSA expired was identified by NHS England retrospectively, during an amendment application to the DSA. The Audit Team received no evidence to indicate that permission to continue to use the data was given to IFS prior to the data being used. IFS have continued to process data after the DSA has ended. | Use and Benefits | DSA, Appendix A, Section 1a | Agreement nonconformity |
7 | Two research fellows who were accessing the data provided by NHS England had not signed the latest version of the data access honorary contracts. The Audit Team noted that these 2 research fellows no longer have access to the data because they are no longer working on projects under the new Data Sharing Agreement. | Access Control | DSFC, Schedule 2, Section A, Clause 1.2 | Observation |
8 | A certificate of destruction must be provided to NHS England in December 2024 when data that currently resides within the Enclave storage location at IFS is destroyed. The Audit Team noted that this certificate of destruction has been submitted to NHS England by IFS on 14 October 2024. | Data Destruction | DSFC, Part 2, Clause 5.4.1 | Observation |
9 | The Audit Team reviewed version 7.2 of the DSA which was yet to be signed off at the time of audit and noted some project status updates that were required to be made. The Audit Team noted that IFS have since updated DARS on these changes during the audit fieldwork, and Version 7.2 of the DSA has now been signed by IFS. | Access Control | DSA, Annex A, Section 5a | Observation |
10 | The Audit Team noted that the Privacy Notice on the IFS website contained outdated information. The Audit Team noted that IFS have updated their Privacy Notice as of 8 October 2024. | Access Control | DSA, Schedule 1, Appendix A, Section 4 | Observation |
11 | At the post audit review, the Audit Team will receive an update from IFS on the ongoing project to migrate to a cloud provider from their current on-premises server environment. | Access Control | | Follow-up |
Opportunities for Improvement
Ref | Opportunity for Improvement | Link to area |
---|---|---|
1 | IFS should consider documenting a centralised Quality Control Policy which outlines the expected quality control standards and processes for each IFS research project. | Operational Management |
2 | IFS should consider renaming a technical administrative account identified during the audit. | Access Control |
3 | IFS should consider amending its current Information Asset Register (IAR) and Record of Processing Activities (ROPA) document to include the end date for each DSA. | Operational Management |
4 | IFS should consider documenting a centralised Patch Management Policy that expands on information within the IFS Information Security Manual. | Access Control |
5 | IFS to consider amending the automatic screen lockout function for users who have access to the data provided by NHS England. The Audit Team noted that following the audit interviews, prior to this report being finalised, IFS have updated the automatic screen lockout function for users from 15 minutes to 5 minutes. | Access Control |
Use of data
IFS confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
IFS confirmed that processing and storage location of the datasets were limited to the location shown in the following table. This location conforms with the territory of use defined in Section 2c of the DSA.
Organisation | Territory of Use |
---|---|
IFS | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
IFS | None (noted in finding Ref 3.) | None (noted in finding Ref 3.) |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 18 December 2024 11:32 am