NHS England Data Sharing Remote Audit: LA-SER Europe Limited
This report records the key findings of a remote data sharing audit of LA-SER Europe Limited (LE), a Certara company, between 13 and 16 May 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of LA-SER Europe Limited (LE), a Certara company, between 13 and 16 May 2024. It provides an evaluation of how LE and its Processors conform to the requirements of:
-
the data sharing framework contract (DSFC) CON-280098-H3R8C-v2.02
-
the data sharing agreement (DSA) DARS-NIC-682048-S9P4H-v1.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| NDRS Cancer Registrations | Anonymised/Pseudonymised, Sensitive | Latest available |
| NDRS Linked HES AE | Anonymised/Pseudonymised, Sensitive | 01 April 2007 to 31 March 2020 |
| NDRS Linked HES Outpatient | Anonymised/Pseudonymised, Sensitive | Latest available |
| NDRS Systemic Anti-Cancer Therapy Dataset (SACT) | Anonymised/Pseudonymised, Sensitive | Latest available |
The Controller is LE and the Processors are Certara France and Microsoft UK. Microsoft UK do not have access to the data and only provide cloud hosting services.
LE (a Certara company) requires access to NHS England data for the purpose of the following research project: Clinical and economic burden of graft versus host disease in allogeneic stem cell transplant recipients in England, a retrospective cohort study.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
| Audit type | Focused |
|---|---|
| Scope areas |
Information Transfer Access Control Data Use and Benefits Data Destructions |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
LE has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
LE will establish a corrective action plan to address each finding shown in the findings table in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with LE to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 2 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following tables identify the 3 observations and 1 opportunity for improvement raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | It should be recognised that incidents, breaches or deviations to the DSFC must be reported immediately to NHS England. This type of reporting should be recognised and clearly documented in addition to any other regulatory reporting that may be required. | Operational Management | DSFC Schedule 2, Section B, Clause 4.7 | Observation |
| 2 | At the post audit review, the Audit Team will review the outputs specified within Annex A, Section 5c of the DSA. | Use and Benefits | DSA, Annex A, Section 5c | Follow-up |
Opportunities for Improvement
| Ref | Finding | Link to area |
|---|---|---|
| 1. | LE should consider revising its policy on data stored locally on machines. It should be noted that no data provided by NHS England was being stored locally. | Access Control |
| 2. | LE should consider updating its Data Processing and Data Workflows Policy to specify that the National Cancer Registration and Analysis Service (NCRAS) database is not stored locally on a laptop. | Access Control |
Use of data
LE confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
LE confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| LA-SER Europe Limited | UK and EEA |
| Certara France (Processor) | UK and EEA |
| Microsoft (Processor) | UK and EEA |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Microsoft Limited (Microsoft SharePoint Online) | Cloud | 30 days |
Disclaimer
The audit was based upon a sample of the data recipient's activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 July 2024 10:47 am