Post Audit Review: Liverpool University Hospitals NHS Foundation Trust
This report provides an update on progress of the remote data sharing audit of Liverpool University Hospitals NHS Foundation Trust (LUHFT) and the Liverpool Clinical Trials Centre (LCTC) at the University of Liverpool (UoL) between 13 and 21 March 2023.
Audit summary
Purpose
This report provides an update on progress of the remote data sharing audit of Liverpool University Hospitals NHS Foundation Trust (LUHFT) and the Liverpool Clinical Trials Centre (LCTC) at the University of Liverpool (UoL) between 13 and 21 March 2023 against the requirements of:
- the data sharing framework contracts (DSFC)
- CON-313262-W1P4R-v2.01 - LUHFT
- CON-312559-T8H2T-v2.01 - UoL
- the data sharing agreement (DSA) DARS-NIC-161422-Q0K1M-v4.3
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
Diagnostic Imaging Dataset (DID) | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
HES Statistics Critical Care | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2022/23_M12 |
HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2019/20 |
HES Outpatients | Pseudo/Anonymised, Sensitive | 2017/18 - 2022/23_M12 |
Medical Research Information Service (MRIS) - List Bespoke | Non-sensitive | Latest available |
Civil Registration (Deaths) - Secondary Care Cut | Pseudo/Anonymised, Sensitive | Latest available |
HES / Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-sensitive | Latest available |
Bridge file: HES to DID | Identifiable, Non-sensitive | 2017/18 - 2022/23_M12 |
Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Non-sensitive | 2017/18 - 2022/23_M12 |
The joint Controllers are LUHFT and the UoL.
Further guidance on the terms used in this post audit review report can be found in the NHS England Data Sharing Remote Audit Guide version 1.
Post Audit Review
This post audit review comprised a desk-based assessment, supported by video calls, of the action plan and supporting evidence supplied by LUHFT and the UoL between 31 July 2023 and 3 May 2024.
Post Audit Review Outcome
Based on the evidence, the Audit Team has found that the UoL has not suitably addressed all the findings. 1 agreement nonconformity remains open. The open finding has now been handed over to the representative of the Senior Information Risk Officer (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with the UoL.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
LUHFT and the UoL have reviewed this report and confirmed that it is accurate.
Findings
The following tables identify the 4 agreement nonconformities, 1 observation, 5 opportunities for improvement and 4 points for follow-up raised as part of the original audit.
LUHFT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The Information Asset Register (IAR) contained some incorrect information which needs to be amended. | Operational Management | The information has now been corrected. A copy of the completed IAR form was provided to the Audit Team for review. | Agreement nonconformity | Closed |
2 | The LUHFT should agree with the Data Access Request Service (DARS) as to who is to receive the Secure Electronic File Transfer (SEFT) login credentials. During the audit, a dialogue was started with DARS as to the future recipient. | Access Control | The LUHFT shared an email dated 17 March 2023 from the SEFT team. The email included details on the named individual who is now responsible for downloading the data from the SEFT portal. | Observation | Closed |
3 | A Data Protection Impact Assessment (DPIA) or screening questionnaire should be completed for the study utilising the data provided under this DSA. | Operational Management | A DPIA has been undertaken for the study. A copy was provided to the Audit Team for review. | Opportunity for improvement | Closed |
4 | The LUHFT should consider carrying out a risk assessment on the laptops used to access and process the data, should further data be shared by the LCTC, as there is a risk that temporary files could be cached on the machines. | Access Control | The LUHFT have evaluated the controls in place for these laptops. They concluded that the risk to the data is low and accepted the residual risk associated with the temporary files. | Opportunity for improvement | Closed |
5 | The LUHFT should ensure that all stakeholders have sight of future DSA and DSFC to ensure that they are all fully aware of their responsibilities and are fully compliant. | Operational Management | The LUHFT advised that stakeholders now have an awareness of the DSA and DSFC. These are now stored in the trial master files to make them available to relevant staff. | Opportunity for improvement | Closed |
6 | At the post audit review the Audit Team will review any specialist training undertaken by the Data Protection Officer. | Operational Management | The DPO is scheduled to attend an externally facilitated course in May 2024. DPO Officers have all obtained BCS Data Protection Practitioner certificates. | Follow-up | Closed |
UoL
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
7 | There was no evidence to show that access to the locations holding data supplied under this DSA is reviewed on a regular basis. | Access Control | The UoL has updated the User Access Standard Operating Procedure (SOP) IS015, which now covers the review of access. A review of access was carried out in March 2024. An extract from the SOP covering the access review and evidence of the check were provided to the Audit Team. | Agreement nonconformity | Closed |
8 | The data are being stored at University of Liverpool locations not declared in the DSA. During the audit the LCTC recognised and recorded the missing locations. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Data Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS Digital on request. | Information Transfer | This finding had been closed at the time of the original audit as LCTC recognised and recorded the missing locations. | Agreement nonconformity | Closed |
9 | Data in transit between UoL data centres is not encrypted as required by the DSFC. The LCTC reported that the transit is via dark fibre. | Information Transfer | The UoL has completed a risk assessment regarding data in transit not being encrypted. However, it has not been signed off by the Senior Information Risk Owner. A copy of the risk assessment was provided to the Audit Team. The UoL have also stated that the processing activities have been reviewed and updated, and that data is only held in an encrypted database. | Agreement nonconformity | Open |
10 | The UoL should consider carrying out a risk assessment on the laptops used to access and process the data as there is a risk that temporary files could be cached on the machines. | Access Control | The UoL completed a risk assessment in September 2023 and accepted the risks identified, which included the mitigation controls in place. A copy of the risk assessment was shared with the Audit Team. | Opportunity for improvement | Closed |
11 | The LCTC / UoL should ensure that all stakeholders have sight of future DSA and DSFC to ensure that they are all fully aware of their responsibilities and are fully compliant. | Operational Management | The UoL have advised that the LCTC will notify trial management teams to ensure that any DSA is notified to the Information Security team at LCTC. SOP IS015 has been updated to ensure the DSA is attached to any request for transfer of data so that requirements are met. | Opportunity for improvement | Closed |
12 | At the post audit review the Audit Team will review the incident report associated with data being held on an encrypted USB memory stick. | Information Transfer | A copy of the incident report was provided to the Audit Team. It had been signed off by representatives from LUHFT and UoL. | Follow-up | Closed |
13 | At the post audit review the Audit Team will review the security assessments undertaken for the LCTC infrastructure. | Access Control | The UoL provided evidence to the Audit Team to show that security assessments are undertaken for the IT infrastructure. | Follow-up | Closed |
14 | At the post audit review the Audit Team will clarify the retention period for data held on backup tape. | Information Transfer | The UoL has confirmed that the retention period for data held on backup tapes is 12 months. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 July 2024 10:45 am