NHS England Data Sharing Remote Audit: University of Oxford
This report records the key findings of a remote data sharing audit of University of Oxford (UoO) between 16 and 29 May 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of University of Oxford (UoO) between 16 and 29 May 2024. It provides an evaluation of how the UoO and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-319043-Y2R5H-v2.03
- the data sharing agreement (DSA) DARS-402963-P0Y5D-v1.8
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised | 2019 – 2023 Month 7 |
| COVID-19 Vaccination Adverse Reactions | Anonymised/Pseudonymised | Latest available |
| COVID-19 Hospitalisation in England Surveillance System | Anonymised/Pseudonymised | Latest available |
| COVID-19 SGSS First Positives (Second Generation Surveillance System) | Anonymised/Pseudonymised | Latest available |
| COVID-19 Vaccination Status | Anonymised/Pseudonymised | Latest available |
| COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) | Anonymised/Pseudonymised | Latest available |
| Covid -19 UK Non-hospital Antigen Testing Results (pillar 2) | Anonymised/Pseudonymised | Latest available |
| HES-ID to MPS-ID HES Accident and Emergency | Anonymised/Pseudonymised | 2016 -2019 |
| Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised | 2018 - 2023 Month 7 |
| HES Accident and Emergency | Anonymised/Pseudonymised | 2016 - 2020 Month 12 |
| Secondary Uses Service Payment by Results Episodes | Anonymised/Pseudonymised | 2017 – 2021 |
| Secondary Uses Service Payment By Results Spells | Anonymised/Pseudonymised | 2017 -2021 |
| Secondary Uses Service Payment By Results Outpatients | Anonymised/Pseudonymised | 2017 - 2022 |
| Mental Health Services Data Set (MHSDS) | Anonymised/Pseudonymised | 2016 -2019 |
| Improving Access to Psychological Therapies (IAPT) v1.5 | Anonymised/Pseudonymised | 2018 - 2021 |
| Civil Registrations of Death | Anonymised/Pseudonymised | Latest available |
| National Diabetes Audit | Anonymised/Pseudonymised | 2016 -2019 |
The Controller is the UoO and the Processors are Public Health Scotland (PHS), the University of Edinburgh (UoE) and the University of Liverpool.
The Coronavirus Clinical Information Network (CO-CIN) has collected data for the International Severe Acute Respiratory Infection Consortium (ISARIC) Coronavirus Clinical Characterisation Consortium through a commission from the Chief Medical Officer. ISARIC conduct Urgent Public Health Research to provide evidence that informs public health policy in response to the COVID-19 emergency. ISARIC is a global federation of clinical research networks, providing a proficient, coordinated and agile research response to outbreak-prone infectious diseases.
The ISARIC Coronavirus Clinical Characterisation Consortium is a UK-wide consortium of leading experts in outbreak medicine with a proficient, coordinated, and agile research response to COVID-19. Their purpose is to prevent illness and deaths from infectious disease outbreaks.
PHS provides research services to ISARIC through their Electronic Data Research and Innovation Service (eDRIS) and the National Safe Haven (NSH) which is a secure environment where project data is uploaded, stored and accessed. The NSH is hosted by the Edinburgh Parallel Computing Centre (EPCC) based at the UoE.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 4.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The UoO, PHS and UoE have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoO will establish a corrective action plan to address each finding shown in the findings tables in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with the UoO to confirm the findings have been satisfactorily addressed.
The Audit Team has identified 1 opportunity for improvement in section 3 which is provided for reference only and will not be followed up as part of any post audit review.
Findings
The following tables identify the 1 agreement nonconformity, 1 organisation nonconformity, 3 observations, and 3 points for follow-up raised as part of the audit.
UoO
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The DSA limits access to substantive employees employed by the UoE as stated in the DSA. The Audit Team found 2 of the users accessing the data were not substantive employees of UoE. There was no formal process to allow researchers who were substantive employees of other organisations through an honorary contract with UoO to access data. | Operational Management | DSA, Section 5b |
Agreement nonconformity |
| 2 | UoO did not provide annual data protection training to researchers. There were no checks in place to ensure that researchers from external organisations attended annual data protection training with their employing organisation. During the audit UoO contacted the researcher employing organisations and confirmed they had attended annual data protection training in the last 12 months. | Operational Management | DSFC, Part 2, Schedule 2, Section A, Clause 1.2 | Observation |
| 3 | The data processing agreement in place between the UoO and PHS did not reference the current DSA and DSFC to ensure the Processor acknowledges compliance with these documents. | Operational Management | DSFC, Part 2, Clause 4.1 | Observation |
PHS
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 4 | The retention period for the study data was not recorded in the Information Asset Register (IAR). | Operational Management | PHS Records Management, Document Storage and Retention Policy, Section 5 | Organisation nonconformity |
| 5 | The NSH user agreement form did not reflect the territory of use as defined in the DSA, therefore requires updating. | Access Control | DSA, Section 2c | Observation |
UoE
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 6 | At the post audit review, the Audit Team will review the status of the NSH infrastructure migration and decommission of the hardware including the disks which held NHS England data. | Data Destruction |
Follow-up |
|
| 7 | At the post audit review, the Audit Team will examine some technical requirements of the DSFC which were not available at the time of the audit. | Access Control |
Follow-up |
|
| 8 | At the post audit review, the Audit Team will review the status of database software updates. | Access Control |
Follow-up |
Opportunities for Improvement
UoE
The following table identifies 1 opportunity for improvement which could help an organisation improve its controls and processes.
| Ref | Opportunity for Improvement | Link to Area |
| 1 | The UoE should consider implementing email alerts for high priority issues to notify relevant technical staff and the service desk. | Access Control |
Use of data
The UoO confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
The UoO confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| UoE | UK |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoE | Media (e.g tape) | 14 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 10 September 2024 4:12 pm