NHS England Data Sharing Remote Audit: University Hospitals Birmingham NHS Foundation Trust
This report records the key findings of a remote data sharing audit of University Hospitals Birmingham NHS Foundation Trust (UHBFT) between 5 and 14 February 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of University Hospitals Birmingham NHS Foundation Trust (UHBFT) between 5 and 14 February 2024. It provides an evaluation of how UHBNHST and its Processor conform to the requirements of:
- the data sharing framework contract (DSFC) CON-314093-X4T8R-v2.02
- the data sharing agreement (DSA) DARS-NIC-77142-Q4D1D-v1.5
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Hospital Episode Statistics (HES) Admitted Patient Care |
Anonymised/Pseudonymised, Non-sensitive | 1997/98 – 2018/19 |
| HES Outpatients | Anonymised/Pseudonymised, Non-sensitive | 2003/04 – 2018/19 |
| Civil Registrations of Death | Anonymised/Pseudonymised, Non-sensitive | Latest available |
The Controller is UHBFT and the Processor is University of Birmingham (UoB).
UHBFT requires access to NHS England data for the purpose of the Epidemiology of Cancer After Solid Organ Transplant (EpCOT) study. The main objective for the EpCOT project is to link data sets which already exist in isolation to create an integrated data set that can explore post-transplant cancer epidemiology.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
UHBFT and UoB have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UHBFT and UoB will establish a corrective action plan to address each finding shown in the tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with UHBFT and UoB to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 5 agreement nonconformities, 2 organisation nonconformities, 3 observations, 4 opportunities for improvement and 2 points for follow-up raised as part of the audit.
UHBFT
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The Data Processing Agreement between UHBFT and UoB has now expired. UHBFT has developed a new data processing agreement that includes the terms of the DSA to ensure compliance. It has been shared with UoB and is awaiting feedback and signature. The Audit Team also suggested that UHBFT ensures the appropriate teams and stakeholders review any new DSFC and DSA. This will ensure the organisation is aware of its responsibilities and is fully compliant. | Operational Management | DSA, Section 7(Approvals Considerations) | Agreement nonconformity |
| 2 | UHBFT will complete its Data Security and Protection Toolkit (DSPT) improvement plan prior to the next DSA being agreed and signed. | Operational Management | DSA, Annex A, Section 6 | Observation |
UoB
| Ref | Finding | Link to Area | Clause | Designation |
| 3 | Data in transit between the storage location and the backup site is not encrypted to the standard as required by the DSFC. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6 | Agreement nonconformity |
| 4 | There was no evidence to show that access reviews of the locations being used to store data supplied by NHS England are reviewed on a regular basis. It was noted during the audit that one SQL service account with access to the data should be deactivated. | Access Control | DSFC, Schedule 2, Section A , Clause 4.3 | Agreement nonconformity |
| 5 | No recent security assessments have been performed on the infrastructure used to store data supplied by NHS England. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 6 | UoB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. Once the ROPA is completed, it should be passed to the Controller for review and approval. The Audit Team noted that a ROPA was completed during the audit. However, it is yet to be reviewed and approved by the Controller. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 7 | UoB to review the Microsoft Windows security log retention to ensure security logs are retained inline with UoB Policy. | Access Control | UoB Hardening Standard v1.007 | Organisation nonconformity |
| 8 | The SQL database holding data provided by NHS England is not encrypted, as required by the Data Processing Agreement between UHBFT and UoB. | Access Control | UHBFT and UoB Data Processing Agreement | Organisation nonconformity |
| 9 | The Data Protection Impact Assessment (DPIA) created by UoB is currently in draft format. As Controller, UHBFT must review and approve the DPIA. | Operational Management | DSFC, Schedule 3, General Data Protection Regulation (UK GDPR) | Observation |
| 10 | The Server used to store data provided by NHS England is running an Operating System that is approaching end of support. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
| 11 | UoB to consider encrypting desktops that are being used to download data provided by NHS England. | Access Control | Opportunity for improvement | |
| 12 | UoB to consider implementing a function to automatically disable inactive user accounts after a set period. | Access Control | Opportunity for improvement | |
| 13 | UoB to update its Information Asset Register (IAR) to include the correct DSA end date. | Operational Management | Opportunity for improvement | |
| 14 | UoB to consider maintaining a record of the annual physical reviews of the UoB datacentre. | Access Control | Opportunity for improvement | |
| 15 | At the post audit review, the Audit Team will review progress of the migration of the Server being used to store data provided by NHS England. | Access Control | Follow-up | |
| 16 | At the post audit review, the Audit Team will review the results of a security assessment scheduled to be performed in 2024. | Access Control | Follow-up |
Use of data
UHBFT and UoB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
UHBFT and UoB confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| UoB | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoB (processor) | Tape | 10 years |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 25 April 2024 2:25 pm