Skip to main content

NHS England Post Audit Review: University of Cambridge and Cambridge University Hospitals NHS Foundation Trust

This report provides an update on progress of the remote data sharing audit of the School of Medical Science at the University of Cambridge (UoC) and the Cambridge University Hospitals NHS Foundation Trust (CUHFT) in November and December 2021.

Audit summary

Purpose

This report provides an update on progress of the remote data sharing audit of the School of Medical Science at the University of Cambridge (UoC) and the Cambridge University Hospitals NHS Foundation Trust (CUHFT) between 29 November and 4 December 2021 against the requirements of:

  • the data sharing framework contracts (DSFC)

o CON-321529-Q1B0S-v2.01 (UoC)

o CON-314354-C8S4C-v2.01 (CUHFT)

  • the data sharing agreement (DSA) DARS-NIC-24422-R3W3S-v5.9
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Hospital Episode Statistics (HES) Critical Care Identifiable, Non-Sensitive 2016 – 2021_Q4
HES Accident and Emergency Identifiable, Non-Sensitive 2016 – 2019_Q3
HES Admitted Patient Care Identifiable, Sensitive 2016 – 2021_Q4
Medical Research Information Service (MRIS) – Flagging Current Status Report Identifiable, Sensitive July 2017 – June 2019
MRIS – Cohort Event Notification Report  Identifiable, Sensitive July 2017 – June 2019
MRIS – Cause of Death Report Identifiable, Sensitive July 2017 – June 2019
Cancer Registration Data Identifiable, Non-Sensitive Latest Available
Emergency Care Data Set Identifiable, Sensitive 2020 – 2021_Q4
Civil Registration - Deaths Identifiable, Sensitive Latest Available

 

The joint Controllers are the UoC and the CUHFT.

This report also considers whether the UoC and the CUHFT conform to their own policies, processes and procedures.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post Audit Review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UoC and the CUHFT between June 2022 and October 2023. As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.

Post Audit Review Outcome

Based on the evidence, the Audit Team has found that the UoC and the CUHFT have not suitably addressed all the findings with 1 point for follow-up remaining open.

This open finding has now been handed over to the SIRO representative in the IG Risk and Assurance team at NHS England to progress as appropriate, and to consider any implications for data sharing with both the UoC and CUHFT (given they are joint data controllers).

Updated risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Original risk statement: Medium

Current risk statement: Low

 

Data recipient’s acceptance statement

The UoC and the CUHFT have reviewed this report and confirmed that it is accurate.

Status

The following tables identify 5 agreement nonconformities, 6 opportunities for improvement and 2 points for follow-up raised as part of the audit. 

UoC School of Medical Science

Ref Finding Link to area Update Designation Status
1 The DSA needs to be modified to:
  • accurately reflect the distribution and storage of datasets extracted from the data supplied by NHS Digital in the processing section 
  • recognise that extracts of data supplied by NHS Digital are being stored at locations not declared in the DSA 
  • provide additional context to the special condition regarding backups.
 Use and Benefits

A new DSA has been issued by the Data Access Request Service (DARS).

It should be noted that DARS will exclude processing and storage locations (clause 2) from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data are being processed and stored and to make this available to NHS England on request.

 Agreement nonconformity Closed
2 Data in transit between the processing and storage locations is not encrypted as required by the DSFC. However, the UoC School of Medicine reported that transit is limited to a private network with all associated equipment owned by the UoC. Information Transfer The UoC shared an approved risk assessment with the Audit Team which accepted the risk of the unencrypted data flowing over the private network.

Agreement nonconformity

 Closed
3 Data supplied by NHS Digital is being processed on unencrypted desktop machines and if the application crashed, then temporary files would be cached on the machines’ local drives. Information Transfer

The UoC stated encryption is not mandated, but guidance is provided for those who require it. The Audit Team however, re-iterated that any cached data is therefore at risk of being accessed by other users of the desktop.

 Opportunity for improvement Closed
4 The UoC should consider adding an additional field to its data destruction form defining the type of disposal required for data bearing assets, should the University seek more than just the default secure erasure. Data Destruction

The UoC stated that a text box at the bottom of the disposal / destruction request form is used to request a specific form of disposal when secure erasure is not sufficient or appropriate.

The UoC receives reports from the disposal company that provides a statement as to which method was used. A copy of a report was provided to the Audit Team.

 Opportunity for improvement Closed
5 The UoC School of Medical Science should consider extending the document used to record user access to the Secure Hosting Data Server (SDHS) to also include access to the project folder holding the pseudonymised datasets not held within the SDHS. The periodicity of the current access reviews should be considered. Access Control

The UoC School of Medical Science has provided evidence to confirm:

  • each DSA will be reviewed annually in advance of the NHSE DSPT submission 
  • the Information Governance team will meet with the Data Manager and study team as necessary
  • data flows will be reviewed to ensure data are stored and processed in line with the DSA
  • regular reviews will be undertaken for all who have access to the data to ensure it is in line with the DSA and ensure records are up to date.
 Opportunity for improvement Closed
6 The UoC School of Medical Science should consider providing role specific training, for example, Information Asset Owner (IAO) training. Operational Management Role specific training has been developed and shared with the Audit Team. Opportunity for improvement Closed
7 The UoC School of Medical Science should consider renaming its “School Information Security Policy” to reflect its content more accurately. Operational Management The IT Committee has reviewed the policy as well as the title, to better reflect its content and propose the title School Information Security Policy. The policy has been shared with the Audit Team. Opportunity for improvement Closed
8 At the post audit review, the Audit Team will examine any changes that are currently being considered by the University to the password policy for its general network.  Operational Management

The password policy for the UoC general network has been reviewed by the Management Team and updated. A copy of the policy was shared with the Audit Team.

 Follow-up Closed

CUHFT

Ref Finding Link to area Update Designation Status
9 The DSA needs to be modified to:
  • accurately reflect the distribution and storage of datasets extracted from the data supplied by NHS Digital in the processing section 
  • recognise that extracts of data supplied by NHS Digital are being stored at locations not declared in the DSA 
  • provide additional context to the special condition regarding backups.
 Use and Benefits A new DSA has been issued by DARS. The Audit Team has reviewed the new Data Sharing Agreement. Agreement nonconformity Closed
10 The CUHFT is to inform the Data Access Request Service (DARS) of the outcome of its current Data Security Protection Toolkit (DSPT) assessment. The CUHFT stated it had agreed an action plan with the DSPT team and is currently working to complete the actions. Operational Management The Audit Team checked with DARS and was able to confirm the DSPT for the CUHFT has been submitted and reviewed as standards met for 2021/22. Agreement nonconformity Closed
11 Unencrypted manipulated pseudonymised data is being sent from the UoC School of Medicine to the CUHFT. Information Transfer The process of transferring data to the CUHFT has been finalised and is part of the new DSA which was provided to the Audit Team. Agreement nonconformity Closed
12 CUHFT should consider reviewing and updating the risk assessment for the study.  Risk Management The risk assessment has been updated and submitted to the sponsor for approval. A copy was also provided to the Audit Team. Opportunity for improvement Closed
13

At the post audit review, the Audit Team will review evidence supplied by the CUHFT, associated with:

  • operational management and control 
  • information transfer
  • access control
  • data destruction.
 Operational Management No evidence has been provided by CUHFT to close this finding. Follow-up Open

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 6 March 2024 10:03 am