
NHS England Post Audit Review: Merck Sharp & Dohme Limited

This report provides an update on progress of the remote data sharing audit of Merck Sharp & Dohme Limited and Manchester University NHS Foundation Trust in October 2021. 

Audit summary

Purpose

This report provides an update on progress of the remote data sharing audit of Merck Sharp & Dohme Limited (MSD) and Manchester University NHS Foundation Trust (MFT) between 4 and 8 October 2021. It provides an evaluation of how MSD and MFT conform to the requirements of:

  • the data sharing framework contracts (DSFC):
      ◦ MSD: CON-290527-P5C0Y
      ◦ MFT: CON-324681-Z8K6R
  • the data sharing agreement (DSA) DARS-NIC-290527-P5C0Y-v1.3
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets: 

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
| HES Outpatients | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
| Diagnostic Imaging Dataset (DID) | Identifiable, Non-sensitive | Historic Data Request |
| Bridge file: HES to DID | Identifiable, Non-sensitive | Latest Available - 08/2020 |

The Controllers are MSD and MFT and the Processors are NorthWest EHealth Limited (NWEH), Salford Royal NHS Foundation Trust (SRFT) and Microsoft Limited.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review.

Post Audit Review

Following the first post audit review published in February 2023, 3 agreement nonconformities, 1 observation, 2 opportunities for improvement and 1 point for follow-up remained open.

This second post audit review comprised a desk-based assessment and a video call covering the action plan and supporting evidence supplied by NWEH between July and December 2023.

Post Audit Review Outcome

Based on the evidence, the Audit Team has found that MFT and NWEH have not suitably addressed the findings. One opportunity for improvement remains open, but not for follow up.

One agreement nonconformity remains open. The agreement nonconformity has now been handed over to the SIRO representative in the IG Risk and Assurance team at NHS England to progress as appropriate with MFT and NWEH.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, in the previous post audit review and in this post audit review.

| Original risk statement | Previous risk statement | Current risk statement |
|---|---|---|
| Medium | Low | Low |


Data recipient’s acceptance statement

MSD, MFT and NWEH have reviewed this report and confirmed that it is accurate. 


Findings

The following tables identify the 4 agreement nonconformities, 3 observations, 9 opportunities for improvement and 3 points for follow-up raised as part of the original audit. Findings 1, 2, 3, 4, 5, 8, 12, 13, 15, 16, 18 and 19 were closed as part of the first post audit review conducted in February 2023.

Some of the findings have been repeated for MSD and MFT as they are joint controllers, and the finding applies to both organisations.

MSD 

Ref 1
Finding: The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s Data Protection Impact Assessment (DPIA) are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval.
Link to area: Operational Management
Update: Both the LIA (13/06/2022 v2.0) and DPIA (MSD Cough DPIA v7) have been updated and copies supplied to the Audit Team. These documents were reviewed and approved by MSD’s Data Privacy Manager.
Designation: Observation
Status: Closed

Ref 2
Finding: Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements.
Link to area: Operational Management
Update: NWEH reported it had completed a compliance check and introduced a regular check of all contractual documents as part of the project start up process. NWEH supplied a Project Initiation Checklist document (NWEH-FOR-115 v3) which shows that a contractual check has now been included for all subsequent projects. NWEH also provided an email indicating that a review of the DSFC and DSA requirements was included as a planned meeting agenda item. The meeting was between MSD and NWEH.
Designation: Opportunity for improvement
Status: Closed

Ref 3
Finding: The DSA should be reviewed and updated as it was confirmed at the audit that:
  • SRFT are managing the Microsoft Azure platform on behalf of NWEH
  • source data verification by an MSD employee for the purpose of monitoring has not taken place and there are no plans for it to take place (confirmed by NWEH).
Link to area: Operational Management
Update: The DSA has been updated and the points raised in the finding have been taken into account. A copy of the DSA DARS-NIC-290527-P5C0Y-v2.2 was reviewed by the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 4
Finding: MSD’s Supplier Privacy Assessment on NWEH should be reviewed and updated. This includes:
  • completing the section on cloud computing
  • identifying the type of data being held and the data storage location.
Link to area: Operational Management
Update: The Supplier Privacy Assessment has been reviewed by MSD. A copy of the assessment, supporting comments and sign off document was supplied to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 5
Finding: MSD’s Privacy Advisor Impact Assessment on the study should be reviewed and updated. Potential areas for change include:
  • statement on Clinical Research Associate
  • type of data being processed
  • data retention.
Link to area: Operational Management
Update: The Supplier Privacy Assessment has been reviewed by MSD. A copy of the assessment, supporting comments and sign off document was supplied to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

MFT

Ref 6
Finding: The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s DPIA are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval.
Link to area: Operational Management
Update: Both the LIA (13/06/2022 v2.0) and DPIA (MSD’s DPIA v7) have been updated and copies supplied to the Audit Team. Update from second post audit review: the Audit Team received evidence to confirm these documents have been approved by MFT’s DPO.
Designation: Observation
Status: Closed

Ref 7
Finding: Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements.
Link to area: Operational Management
Update: NWEH reported it had completed a compliance check and introduced a regular check of all contractual documents as part of the project start up process. Update from second post audit review: the Audit Team received evidence from MFT that it has informed its staff about the requirements of the DSFC and DSA.
Designation: Opportunity for improvement
Status: Closed

Ref 8
Finding: The DSA should be reviewed and updated as it was confirmed at the audit that:
  • SRFT are managing the Microsoft Azure platform on behalf of NWEH
  • source data verification by an MSD employee for the purpose of monitoring has not taken place and there are no plans for it to take place (confirmed by NWEH).
Link to area: Operational Management
Update: The DSA has been updated and the points raised in the finding have been taken into account. A copy of the DSA DARS-NIC-290527-P5C0Y-v2.2 was reviewed by the Audit Team.
Designation: Opportunity for improvement
Status: Closed

NWEH

Ref 9
Finding: Users from NWEH with access to data supplied by NHS Digital held on Microsoft Azure did not hold valid honorary contracts with SRFT. The DSA requires the NWEH Database Administrator and Statistics team to hold honorary NHS contracts with SRFT.
Link to area: Use and Benefits
Update: Due to NHS organisational changes, SRFT is now being replaced with Northern Care Alliance NHS Foundation Trust (NCA). Data processing agreements are being put in place between NWEH and NCA. The data processing agreement between NWEH and NCA is due to be completed by March 2024. This will be provided to NHS England on completion.
Designation: Agreement nonconformity
Status: Open

Ref 10
Finding: NWEH did not complete the Data Security Protection Toolkit (DSPT) in 2019/20 and 2020/21 as required by MSD’s System Level Security Policy (SLSP), which was agreed with NHS Digital in February 2020.
Link to area: Access Control
Update: The Audit Team received confirmation from MSD that they are content that NWEH have appropriate security in place and that any delay of their DSPT submission is not critical to the project. NWEH will work towards submitting the 2023/24 DSPT.
Designation: Agreement nonconformity
Status: Closed

Ref 11
Finding: No justification to support the presence of a domain administrator account on the Microsoft Azure platform was provided. SRFT stated that it should be disabled.
Link to area: Access Control
Update: NWEH reported that the account has now been removed and the issue has been escalated to SRFT. NWEH further reported that a review of all accounts has been performed and that security processes in relation to Azure account management are being updated. Update from second post audit review: evidence was provided to the Audit Team to confirm that the SRFT user account has been removed.
Designation: Agreement nonconformity
Status: Closed

Ref 12
Finding: NWEH to review and update its Record of Processing Activities (ROPA) as it includes inaccurate information. This includes fields on special category data, missing joint controller information and missing data source.
Link to area: Operational Management
Update: The ROPA has been updated and now takes into account the missing fields. A copy of the ROPA was shared with the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 13
Finding: There is an inconsistency between MSD’s SLSP and the NWEH Security Testing policy with respect to the penetration testing of the Azure platform. The SLSP states that testing will be carried out annually and the NWEH policy states that it will be every 2 years. The last penetration test was conducted within the last 12 months.
Link to area: Access Control
Update: NWEH has updated the statement in the SLSP to be consistent with other documents. A copy of SLSP v2 was supplied to the Audit Team.
Designation: Observation
Status: Closed

Ref 14
Finding: MSD’s SLSP includes a statement that IP filtering based on a “Deny-all first” principle will be in place and is managed by SRFT via a change management process. Both SRFT and NWEH should consider reviewing the rule set to ensure that it is up to date.
Link to area: Access Control
Update: NWEH reported SRFT has IP filtering rules in place. However, NWEH has postponed the implementation of rule changes until the first quarter of 2023 due to ongoing projects and to limit disruption. Update from second post audit review: NWEH are unable to implement the rule changes due to technical challenges and conflicting business priorities.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 15
Finding: NWEH should consider if technical controls could be implemented to prevent users transferring data from the Azure platform to their own corporate machines.
Link to area: Access Control
Update: NWEH supplied details on the technical controls that have been implemented. Screenshots of the settings were shared with the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 16
Finding: NWEH should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, date of data deletion, a link to the version of the DSA the data came with, and certificate of destruction.
Link to area: Operational Management
Update: NWEH has considered and decided to use one of the suggested fields. A copy of the IAR was shared with the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 17
Finding: A Microsoft Azure vulnerability security scan covering various parts of the platform has been recently conducted which highlighted a number of findings. At the post audit review, the Audit Team will ensure that all of the highlighted vulnerabilities have been adequately addressed.
Link to area: Access Control
Update: NWEH shared an internal report which included the actions taken to address the findings. It was noted that some actions were in progress. Update from second post audit review: the Audit Team received evidence to confirm all actions have been completed.
Designation: Follow Up
Status: Closed

Ref 18
Finding: The DSA includes a statement that NWEH should only hold data in accordance with the consent material provided, covering 5 years before and 2 years after diagnosis. All data outside this window should be securely deleted and evidence provided to NHS Digital by 31/7/2021. At the time of the audit this had not been completed, as NWEH was waiting for further data; NWEH should seek further guidance from the Data Access Request Service team.
Link to area: Data Destruction
Update: NWEH has deleted the data and completed a Certificate of Destruction (CoD) in June 2022. The DARS team has confirmed that the CoD was approved in July 2022. A copy of the CoD was shared with the Audit Team.
Designation: Follow Up
Status: Closed

Ref 19
Finding: At the post audit review, the Audit Team will review the following:
  • audit reports conducted on the Microsoft Azure platform
  • documented procedures to support the management of privileged accounts.
Link to area: Access Control
Update: NWEH shared an Azure access audit report and the updated access control procedure that covered the 2 points in the finding.
Designation: Follow Up
Status: Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 March 2024 12:10 pm