NHS England Data Sharing Remote Audit: University of Bristol
This report records the key findings of a remote data sharing audit of the University of Bristol (UoB) in January 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the University of Bristol (UoB) between 22 and 30 January 2024. It provides an evaluation of how UoB and its Processor conform to the requirements of:
- the data sharing framework contracts (DSFC):
- UoB: CON-304765-H4P3X-2.02
- Royal Devon University Healthcare NHS Foundation Trust (RDUH): CON-306176-T4X6H-v2.02
- the data sharing agreement (DSA) DARS-NIC-134719-D5W2Y-v0.17
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Hospital Episode Statistics (HES) Admitted Patient Care |
Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Critical Care | Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Outpatients | Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Accident and Emergency | Identifiable, Non-sensitive | 2017/18 – 2019/20 |
| Diagnostic Imaging Data Set | Identifiable, Non-sensitive | Latest available |
|
HES Civil Registration (Deaths) bridge |
Identifiable, Non-sensitive | Latest available |
|
Bridge file: Hospital Episode Statistics to Diagnostic Imaging Dataset |
Identifiable, Non-sensitive | Latest available |
|
Emergency Care Data Set (ECDS) |
Identifiable, Sensitive | 2020/21 – 2022/23_M09 |
|
Civil Registrations of Death – Secondary Care Cut |
Identifiable, Sensitive | Latest available |
The Joint Controllers are UoB and and RDUH. The Processor is the University Hospitals Bristol and Weston NHS Foundation Trust (UHBW). UHBW’s role is limited to providing IT hosting services.
RDUH is the sponsor for this study and has oversight of the processes. RDUH do not have access to NHS England (NHSE) data and they will only see the aggregated outputs with small numbers suppressed in line with the NHSE analysis guidelines. For this reason it was agreed prior to the audit that RDUH would not participate, despite being named as a Joint Controller.
The UK Cohort Study to Investigate the Prevention of Parastomal Hernia (CIPHER) study is an ethically approved study with patients providing consent to participate. Participants understand how their data will be used and why. This study collected data about key technical surgical steps used during stoma formation and followed up participants to establish the incidence of symptomatic and clinically confirmed Parastomal Hernia (PSH). Modification of the technical aspects of surgery may reduce the incidence of PSH and could lead to improvements in health of patients, better quality of life, a reduction in stoma appliance and accessory costs and fewer PSH repairs.
The CIPHER study aims to establish the incidence of symptomatic and clinically confirmed PSH during a minimum of 2 years follow up, and to evaluate key technical surgical steps and the risk of developing a PSH when a stoma is created.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: High
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
UoB and UHBW have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UoB and UHBW will establish a corrective action plan to address each finding shown in the findings tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with UoB and UHBW to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 6 agreement nonconformities, 2 organisation nonconformities, 2 observations, 6 opportunities for improvement and 3 points for follow-up raised as part of the audit. During the audit 1 of these findings was closed.
UoB
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | No coherent Record of Processing Activities (ROPA) to cover the data supplied under the DSA currently exists. The information relating to the data is spread across different documents. | Operational Management | DSFC, Part 2, Schedule 3, General Data Protection Regulations (GDPR) | Agreement nonconformity |
| 2 | The UoB are recording Cyber Security Team risks in a risk register. The Audit Team were verbally informed that the risk review period was monthly, but some high rated risks had not been reviewed for at least 3 months. | Risk Management | DSFC, Part 2, Schedule 2, Section A, Clause 3 | Agreement nonconformity |
| 3 | As Joint Controller, RDUH must be involved in the review and approval of the Data Protection Impact Assessment (DPIA) and ROPA. | Operational Management | DSFC, Part 2, Schedule 3, GDPR | Agreement nonconformity |
| 4 | Validation testing of required security controls has not been conducted. | Access Control | DSFC, Part 2, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 5 | Technical security controls had not been applied as detailed in a technical standards document. | Access Control | Secure VM (eVM), Section: Implementation, Auditing; System Access | Organisation nonconformity |
| 6 |
The UoB have included a clause in their data agreement with the UHBW to implement appropriate technological and organisational measures to protect against accidental loss, destruction, damage, alteration or disclosure of any personal data. However, they do not obtain evidence of compliance and assurance of this clause from the UHBW. Whilst the UHBW were very open during the remote audit meetings and provided a range of evidence, they declined the opportunity to share the results of security testing and associated remediation plan(s) to the Audit Team. |
Access Control | DSFC, Part 2, Schedule 3, GDPR | Observation |
| 7 | The UoB should consider implementing USB device port control. | Access Control | Opportunity for improvement | |
| 8 | The postal addresses of all the processing and storage locations should be added to the Information Asset Register (IAR) entry for this study. | Operational Management | Opportunity for improvement | |
| 9 | The UoB should consider specialist training for the Information Asset Owners (IAO) and Information Asset Administrators (IAA). | Operational Management | Opportunity for improvement | |
| 10 |
In the event of an NHSE data breach or contract breach, the UoB should ensure that any person handling the event is familiar with and able to meet the defined NHSE reporting requirements. This was addressed immediately after the closing meeting and evidence was provided to the Audit Team. |
Operational Management | Opportunity for improvement | |
| 11 | The UoB should consider undertaking a compliance check against the requirements of the DSFC and DSA. | Operational Management | Opportunity for improvement | |
| 12 | At the post audit review, the Audit Team will look at the progress on implementation of the Information Governance (IG) Risk Framework and the IG risk register. | Operational Management | Follow-up | |
| 13 | At the post audit review, the Audit Team will look at the GDPR compliance audit report that is to be undertaken in first quarter of 2024. | Operational Management | Follow-up |
UHBW
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 14 | A security group which did not require access to the data was assigned to the folder containing NHSE data. | Access Control | DSFC, Part 2, Clause 5.4.6 | Agreement nonconformity |
| 15 | No audit trail of access to the folder containing NHSE data was available. | Access Control | DSFC, Part 2, Clause 5.4.6 | Agreement nonconformity |
| 16 | One of the UHBW laptops issued to the UoB was encrypted to AES-128. The UHBW Cryptographic Control and Key Policy states that laptops must have full disk encryption installed and operational to a minimum level of AES-256. | Information Transfer | Cryptographic Control and Key Policy, Section 7.3 | Organisation nonconformity |
| 17 | The UHBW have not met all the Data Security Protection Toolkit (DSPT) assertions in its 2022/23 submission but are working towards full compliance. | Operational Management | DSA, Section 6, Special Conditions | Observation |
| 18 | The UHBW should review the updates available for the STATA application and apply them to the UHBW laptops and devices as necessary. | Access Control | Opportunity for improvement | |
| 19 | At the post audit review, the Audit Team will review evidence of equipment disposal, to include records of equipment being sent for destruction, along with a confirmation list back from the supplier. | Data Destruction | Follow-up |
Use of data
The UoB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The UoB and its Processor confirmed that the processing and storage locations, including disaster recovery and backups of the datasets, were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| UoB | England and Wales |
| UHBW | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoB | N/A | Backups not undertaken as raw data held at UHBW |
| UHBW | Disk | 365 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- The UoB was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England, specifically in identifying risk factors that cause PSH.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 7 June 2024 4:12 pm