NHS England Data Sharing Remote Audit: University College London - Regional Heart Study

This report records the key findings of a remote data sharing audit of University College London – Regional Heart Study (UCL-RHS) in December 2023.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of University College London – Regional Heart Study (UCL-RHS) on 13 December 2023. It provides an evaluation of how UCL-RHS conforms to the requirements of:

  • data sharing framework contract (DSFC): CON-321538-B5D8B-v2.02
  • data sharing agreement (DSA): DARS-NIC-148101-R7RSL-v6.2
  • data sharing agreement (DSA): DARS-NIC-148101-R7RSL-v7.4
  • the organisation's own policies, processes and procedures

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| MRIS – Cause of Death Report | Identifiable/Sensitive | February 2000 – December 2016 |
| MRIS – List Cleaning Report | Identifiable/Sensitive | February 2000 – December 2016 |
| MRIS – Members and Postings Report | Identifiable/Sensitive | February 2000 – December 2016 |
| MRIS – Flagging Current Status Report | Identifiable/Sensitive | February 2000 – December 2016 |
| MRIS – Cohort Event Notification Report | Identifiable/Sensitive | February 2000 – December 2016 |

The Controller and Processor is UCL-RHS.

Processing of the data within DARS-NIC-148101-R7RSL-v6.2 is restricted to UCL-RHS only; no onward sharing is permitted within the terms of the agreement.

No processing is permitted on the data within DARS-NIC-148101-R7RSL-v7.4.

This was a focused audit to confirm the current data destruction position and to demonstrate that UCL-RHS have not processed the data.

The British Women’s Heart and Health Study (BWHHS) uses the patient tracking service provided by NHS England and predecessor organisations to receive notifications of its cohort members’ deaths (date and cause), cancer registrations, exits from the NHS and changes in recorded demographics (such as name, NHS Number). It is a prospective cohort study of cardiovascular disease in women aged over 60 years, in England, Scotland and Wales. The study was set up in 1999 to complement the British Regional Heart Study (BRHS), to describe and establish risk factors and the differences in their impact on women compared to the men followed up by BRHS.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.


Audit type and scope

| Audit type | Focused |
|---|---|
| Scope areas | Information Transfer; Access Control; Data Destruction |
| Restrictions | Access control - limited visibility of physical controls |

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality, and integrity, as appropriate.


Data recipient’s acceptance statement

UCL-RHS has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

UCL-RHS will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with UCL-RHS to confirm the findings have been satisfactorily addressed. The post audit review will also consider any outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following table identifies 1 observation and 2 opportunities for improvement raised as part of the audit.

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | No evidence was provided to the Audit Team to confirm that the Information Commissioner's Office (ICO) was satisfied with the output of the improvement plan UCL-RHS provided to the ICO in 2017, in response to a reported data breach. The ICO action plan included a training plan, which was endorsed on 28 June 2017 by the UCL Information Service Governance Committee (UCL ISGC). The plan covers annual data protection training for all UCL staff by 2018. Existing arrangements are in place to provide annual training for those using NHS England data. The Audit Team recommend that, if UCL-RHS are unable to locate and supply confirmation from the ICO that all areas of the action plan have been addressed, a copy is requested from the ICO to hold on file. | Information Transfer | | Observation |
| 2 | UCL-RHS should improve its Information Asset Register (IAR) to include descriptions around what data is being held within each case reference number. The lack of detailed descriptions for each entry could lead to issues when any data is to be destroyed. | Operational Management | | Opportunity for improvement |
| 3 | On reviewing the system access logs during the audit, it became apparent that a longer retention period would benefit UCL-RHS, to monitor access to files and folders more effectively. The Audit Team observed the retention period was extended during the audit. | Access Control | | Opportunity for improvement |

Use of data

UCL-RHS confirmed that the datasets were only being held and used for the purposes defined in the DSAs and were not being linked with another dataset.

Data location

UCL-RHS confirmed that processing and storage locations, including disaster recovery and backups of the datasets, were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.

| Organisation | Territory of Use |
|---|---|
| UCL-RHS | England / Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| UCL-RHS | Disk | 90 Days |

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 28 May 2024 8:53 am