NHS England Data Sharing Remote Audit: Institute of Cancer Research
This report records the key findings of a remote data sharing audit of the Institute of Cancer Research (ICR) between 11 and 15 December 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Institute of Cancer Research (ICR) between 11 and 15 December 2023. It provides an evaluation of how the ICR conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-313340-Z2F1L-v2.02
- the data sharing agreement (DSA) DARS-NIC148118-VCXW9-v5.5
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Medical Research Information Service (MRIS) -Cause of Death Report |
Identifiable, Sensitive | Historic Held (July 2011 – December 2019) |
|
MRIS – Cohort Event Notification Report |
Identifiable, Sensitive | Historic Held (July 2011 – December 2019) |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019) |
| MRIS-Members and Postings Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019) |
The Controller is ICR.
The study aims to find genetic changes which are associated with prostate cancer risk. If the study can find alterations in genes that increase the chances of getting prostate cancer, it may be possible in the future to use this knowledge:
- To screen other family members to see if they are also at a higher risk of developing prostate cancer
- To develop new prostate cancer treatments for the future.
The current DSA only allows retention of the data and no processing.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
ICR has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The ICR will establish a corrective action plan to address each finding shown in the table below. The Audit Team will validate this plan and the resultant actions at a post audit review with the ICR, to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence, at which point the Audit Team may raise further findings.
Findings
The following table identifies the 4 agreement nonconformities, 1 organisation nonconformity, 1 opportunity for improvement and 3 points for follow-up raised as part of the audit. During the audit, 2 of these findings were closed.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The server holding data provided by NHS England is running unsupported software. | Access Control | DSFC – Schedule 2 Section A 4.4 | Agreement nonconformity |
| 2 | The file download credentials supplied by NHS England are shared between three members of the research team. This was resolved during the audit. | Access Control | DSFC – Schedule 2 Section A 4.2 | Agreement nonconformity |
| 3 | The ICR must remove non-administrator accounts from the file system administrator security group. | Access Control | DSFC – Schedule 2 Section A 4.4 | Agreement nonconformity |
| 4 | User reviews were not taking place on the database software. | Access Control | DSFC – Schedule 2 Section A 4.11 | Agreement nonconformity |
| 5 | Procedures defining destruction of electronic data were not followed during the migration of the data to the current infrastructure. | Data Destruction | Retention policy, Section 3 | Organisation nonconformity |
| 6 | The ICR should implement further technical controls to provide alerts when changes are made to the security group controlling access to the data. This was resolved during the audit. | Access Control | Opportunity for improvement | |
| 7 | At the post audit review, the Audit Team will follow up progress of the investigation into the retention of NHS England data on the back up tapes. | Information Transfer | Follow-up | |
| 8 | At the post audit review, the Audit Team will review the contract in place with the third party disposal provider. At the time of the audit, a contract was being negotiated with the new provider. | Data Destruction | Follow-up | |
| 9 | At the post audit review, the Audit Team will review progress on the implementation of Centre for Internet Security Hardening Level 2 to the database server holding NHS England data. | Information Transfer | Follow-up |
Use of data
The ICR confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The ICR confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. This location conforms with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| ICR | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| ICR | Tape | Indefinite (see follow-up finding ref 7) |
| ICR | Disk | 90 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 March 2024 1:24 pm