NHS England Data Sharing Remote Audit: Met Office

This report records the key findings of a remote data sharing audit of Met Office Health Research Programme (The Met Office) between 10 and 14 June 2024. 

Audit summary

Purpose

This report provides an evaluation of how The Met Office conforms to the requirements of:

  • the data sharing framework contract (DSFC) CON-320650-T5H3H-v2.02  
  • the data sharing agreement (DSA) DARS-NIC-70235-T6P9F-v6.2
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset: Emergency Care Data Set (ECDS)
  Classification of data: Anonymised/Pseudonymised, Non-sensitive
  Dataset period: 2018/19 – March 2018 Final Data, 2018/19 – 2025/26

Dataset: Hospital Episode Statistics (HES) Accident and Emergency (HES A and E)
  Classification of data: Anonymised/Pseudonymised, Non-sensitive
  Dataset period: 2007/08 – 2019/20

Dataset: HES Admitted Patient Care (HES APC)
  Classification of data: Anonymised/Pseudonymised, Non-sensitive
  Dataset period: 1989/90 – 2025/26

The Controller is The Met Office.

The Met Office requires access to NHS England data for the purpose of their Health Research Programme. The programme was established in the late 1990s to support Public Health and the National Health Service (NHS) with health impacts statistics from environmental hazards. National data is required because the applicant is performing analyses on a national level and using the data for multiple investigations into links between weather and a wide range of health conditions.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information Transfer
  • Access Control
  • Data Use and Benefits
  • Risk Management
  • Operational Management and Control
  • Data Destruction

Restrictions

Access control - limited visibility of physical controls

Overall risk statement

Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

The Met Office has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The Met Office will establish a corrective action plan to address each finding shown in the findings table in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with the Met Office to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

The Audit Team has identified 4 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.


Findings

The following table identifies the 4 agreement nonconformities, 2 observations and 2 points for follow-up raised as part of the audit.


1. Not compliant with the technical requirements of the DSFC.
   Link to area: Access Control
   Clause: DSFC, Schedule 2, Section A, Clause 1.1
   Designation: Agreement nonconformity

2. There was no evidence to show that user permissions to the NHS England data had been reviewed on a regular basis.
   Link to area: Access Control
   Clause: DSFC, Schedule 2, Section A, Clause 4.1
   Designation: Agreement nonconformity

3. Not compliant with the technical requirements of the DSFC.
   Link to area: Information Transfer
   Clause: DSFC, Schedule 2, Section A, Clause 4.6
   Designation: Agreement nonconformity

4. At the time of audit, the Met Office could not evidence that a record of processing activities (ROPA) had been completed for the data supplied under the DSA.
   Link to area: Operational Management
   Clause: DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR)
   Designation: Agreement nonconformity

5. The current timescales for completion of data security training for all staff at the Met Office did not align with the requirements of the DSFC.
   Link to area: Operational Management
   Clause: DSFC, Schedule 2, Section A, Clause 1.2.2
   Designation: Observation

6. Not compliant with the technical requirements of the DSFC.
   Link to area: Access Control
   Clause: DSFC, Schedule 2, Section A, Clause 1.1
   Designation: Observation

7. At the post audit review, the Audit Team will review the progress made around reviewing cyber security risk profiles and the implementation of an IT risk register.
   Link to area: Risk Management
   Clause: DSFC, Schedule 2, Section A, Clause 1.1
   Designation: Follow-up

8. At the post audit review, the Audit Team will review the outcome of the Oracle account administrator error observed during the audit.
   Link to area: Access Control
   Clause: DSFC, Schedule 2, Section A, Clause 1.1
   Designation: Follow-up

Opportunities for Improvement

The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes.

1. The Met Office should consider documenting any encryption requirements for data “at rest” and “in transfer”.
   Link to area: Access Control

2. The Met Office should consider documenting its defined timescales for reviewing its internal policies and procedures.
   Link to area: Operational Management

3. The Met Office should consider including serial numbers of any devices on the certificates of destruction provided to the disposal company.
   Link to area: Data Destruction

4. The Met Office should consider updating the Hospital Admissions Data System diagram to include the correct up-to-date data flow process.
   Link to area: Information Transfer

Use of data

The Met Office confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.

Data location

The Met Office confirmed that the processing and storage locations of the datasets, including disaster recovery and backups, were limited to the location shown in the following table. This location conforms to the territory of use defined in section 2c of the DSA.

Organisation: Met Office
  Territory of use: UK

Backup retention

The duration for which data may be retained on backup media is:

Organisation: Met Office
  Media type: Disk
  Period: 60 days

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 10 September 2024 4:13 pm