Post Audit Review: Imperial College London
This report provides the formal closure of the remote data sharing audit of Imperial College London (ICL) between 9 and 13 January 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Imperial College London (ICL) between 9 and 13 January 2023 against the requirements of:
- the data sharing framework contract (DSFC) CON-312177-J7P3H-v2.01
- the data sharing agreement (DSA) DARS-NIC-370843-R6V8T-v4.2
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period | |
---|---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 1997/98 – 2020/21 | |
HES Outpatients | Identifiable, Non-sensitive | 2003/04 – 2020/21 | |
HES Critical Care | Identifiable, Sensitive | 2008/09 – 2020/21 | |
HES Accident and Emergency | Identifiable, Sensitive | 2007/08 – 2019/20 | |
Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2020/21 – 2021/22_M02 | |
Medical Research Information Service (MRIS) - List Cleaning Report | Identifiable, Sensitive | December 2015 – July 2016 | |
MRIS - Flagging Current Status Report | Identifiable, Sensitive | December 2015 – July 2016 | |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | December 2015 – July 2016 | |
MRIS - Cause of Death Report | Identifiable, Sensitive | December 2015 – July 2016 | |
Demographics | Identifiable, Sensitive | Latest Available 07/2021 | |
Civil Registration - Deaths | Identifiable, Sensitive | Latest Available 07/2021 | |
Cancer Registration Data | Identifiable, Sensitive | Latest Available 07/2021 | |
The Controller is ICL.
Further guidance on the terms used in this post audit review report can be found in the Data Sharing Remote Audit Guide version 1.
As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.
Post Audit Review
This post audit review comprised a desk-based assessment of, and video calls on, the action plan and supporting evidence supplied by ICL between August 2023 and February 2024.
Post Audit Review Outcome
Based on the evidence provided by ICL, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and ICL.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low:
Original risk statement: Low
Current Risk Statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
ICL has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 1 agreement nonconformity, 1 organisation nonconformity, 6 opportunities for improvement and 7 points for follow-up raised as part of the audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Data are being stored at a location, within England, not declared in the DSA. | Information Transfer | Individual storage and processing locations are no longer included within a DSA. The Audit Team viewed evidence to show that the storage locations for the data were documented and stored within the COSMOS study folder. | Agreement nonconformity | Closed |
2 | Information Security Management Forum meetings, scheduled for every 6 months, have not been held for at least a year. | Operational Management | ISMF meetings are now held annually and the relevant policy has been updated to reflect this. The Audit Team were provided with the updated policy and minutes from the meeting that took place in March 2023. | Organisation nonconformity | Closed |
3 | ICL should maintain a formal audit trail when a study cohort member requests his/her data be removed from the study including details of the destruction of data. | Operational Management | A new overarching Standard Operating Procedure (SOP) has been written to support withdrawals from the enclave. Individual SOPs have been produced for each study to outline the process specific to the relevant datasets. The Audit Team were provided with the SOP for the COSMOS study. | Opportunity for improvement | Closed |
4 | ICL should have the third-party include a textual statement of the scope of any security assessment in the associated report. | Access Control | ICL have agreed to include the statement of scope in future assessments. | Opportunity for improvement | Closed |
5 | ICL should ensure any screenshots of dialogue boxes captured during the electronic destruction of data include Windows’ date and time display. | Data Destruction | Dates are now captured in screenshots. An example of electronic destruction of data that took place in March 2023 was shown to the Audit Team and it was confirmed that the dates were recorded. | Opportunity for improvement | Closed |
6 | If the current support role is split between personnel, then ICL should consider whether some form of ticketing system may help manage the various types of requests. | Operational Management | ICL have implemented a request management system on SharePoint, using forms and checklists to ensure requests that come in are managed by the administration support team. The system was demonstrated to the Audit Team. | Opportunity for improvement | Closed |
7 | ICL may wish to review the roles and responsibilities, or their specific wording, of the Information Asset Owner (IAO) to ensure they can be suitably discharged or delegated. | Operational Management | The role description of the IAO in the Data Asset Registration Tool (DART) has been updated with wording to indicate they can delegate roles or responsibilities. | Opportunity for improvement | Closed |
8 | At present a Data Protection Impact Assessment (DPIA) has not been produced as there is a view that such content is satisfied through a combination of other documents, for example the research approval and the information asset register. ICL should formalise its position with respect to DPIAs and as part of this activity determine whether there is sufficient coverage. | Operational Management | ICL has formalised its position on DPIAs and has published guidance on DART and conducting DPIAs on its website. When a study is registered on DART, it prompts for a DPIA to be performed. A copy of the completed DART registration showing the DPIA form for the data was provided to the Audit Team. | Opportunity for improvement | Closed |
9 | At the post audit review, the Audit Team will review how the support function has been resourced due to imminent staff changes. | Operational Management | The Audit Team were presented with evidence to show that the organisational structure has been reviewed. The resources required have been considered during the transitional period of staff change and longer term to support the enclave in the future. | Follow-up | Closed |
10 | At the post audit review, the Audit Team will review the mechanism by which database access is requested and thereafter managed, including confirmation by the IAO that access is still required. | Access Control | Requests for access to the enclave are now managed through a SharePoint request management system. This ensures that appropriate training and approval is given. Access requests can only be raised by the IAO or Information Asset Administrators (IAA). | Follow-up | Closed |
11 | At the post audit review, the Audit Team will review the process by which pseudonymised datasets are extracted and supplied to other research organisations under the sub-licencing clause. | Use and Benefits | ICL have confirmed that they are not sharing data with other research organisations as they do not have an active sub-license to allow them to do so. They are liaising with DARS to add a relevant sub-licensing clause to the DSA. | Follow-up | Closed |
12 | At the post audit review, the Audit Team will establish whether any recent research papers have been published, including those created by other researchers utilising data provided under the sub-licencing clause. | Use and Benefits | As there is no active sub-license, ICL have not shared data, but have used a federated analysis approach to use derived data in a publication in partnership with another research organisation. | Follow-up | Closed |
13 | At the post audit review, the Audit Team will review any new training material with respect to risk management for users of the designated platform. | Risk Management | The research department have adopted the ICL risk management system and will use the college’s training materials. Risk management policies, procedures and guidance are published on the ICL website. One to one training can be requested for risk management and the use of the college’s risk management system, Empirical. | Follow-up | Closed |
14 | At the post audit review, the Audit Team will review any new training material specific for IAOs. | Operational Management | ICL have developed training material aimed at the specialist data protection roles. The Audit Team were provided with the draft training presentation for review. | Follow-up | Closed |
15 | At the post audit review, the Audit Team will review the actions taken to address the findings raised in the recent security assessment. | Access Control | The action plan to resolve issues raised in the security assessment was shown to the Audit Team for review. All issues identified in the assessment had been resolved. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 27 March 2024 1:27 pm