NHS England Post Audit Review: National Centre for Social Research
This report provides an update on progress of the remote data sharing audit of National Centre for Social Research (NatCen) on 24 and 28 April 2023.
Audit summary
Purpose
This report provides an update on progress of the remote data sharing audit of National Centre for Social Research (NatCen) on 24 and 28 April 2023 against the requirements of:
- the data sharing framework contract (DSFC) CON-322640-S9V7X-v2.01
- the data sharing agreement (DSA) DARS-NIC-311182-N0L1Y-7.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics Admitted Patient Care (HES APC) | Identifiable, Non-sensitive | 1997/98 – 2017/18_M09 |
HES Critical Care | Identifiable, Non-sensitive | 2008/09 – 2017/18_M09 |
HES Outpatients | Identifiable, Non-sensitive | 2003/04 – 2017/18_M09 |
HES Accident and Emergency | Identifiable, Non-sensitive | 2007/08 – 2017/18_M09 |
Medical Research and Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | July 1998 – May 2018 |
MRIS – Flagging Current Status Report | Identifiable, Sensitive | July 1998 – May 2018 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | July 1998 – May 2018 |
MRIS – Cause of Death Report | Identifiable, Sensitive | July 1998 – May 2018 |
The Controller is NatCen.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by NatCen between 13 and 28 February 2024.
Post Audit Review Outcome
Based on the evidence, the Audit Team has found that NatCen has not suitably addressed the findings. One point for follow-up remains open.
This finding has now been handed over to the representative of the Senior Information and Risk Owner (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with NatCen.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low:
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
NatCen has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 3 agreement nonconformities, 1 observation, 3 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The data are being processed and stored at locations not declared in the DSA. All the locations are within England. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. | Information Transfer | NatCen provided DARS with an update of the current locations where data is stored and processed. The Audit Team have seen this email. | Agreement nonconformity | Closed |
2 | NatCen has not included the data received under this DSA on an Information Asset Register (IAR), nor has NatCen clearly identified the Information Asset Owner (IAO). | Operational Management | NatCen has identified an IAO within their IAR, which is held in an accessible location for staff to access. NatCen has confirmed the delivery of training to the identified IAO. Evidence for both has been shared with the Audit Team. | Agreement nonconformity | Closed |
3 | NatCen has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | NatCen has created a ROPA for the data supplied under the DSA. This has been shared with the Audit Team | Agreement nonconformity | Closed |
4 | The operating system of the server being used to store data provided by NHS England is approaching end of support. | Access Control | NatCen has provided evidence to the Audit Team of the update to the server | Observation | Closed |
5 | A Data Protection Impact Assessment (DPIA) or screening questionnaire should be completed for the study utilising the data provided under this DSA. | Operational Management | NatCen confirmed their IAO will develop a DPIA in line with the Information Commissioner’s Office (ICO) guidance. | Opportunity for improvement | Closed |
6 | The NatCen Patch Management Policy does not reflect current practice for the patching schedule for servers. This document should be reviewed and updated to reflect that NatCen patch on a more frequent basis than defined in the policy. | Access Control | NatCen are in the process of rewriting all their Information Security policies to align to the updated version of the ISO 27001 standard prior to their next assessment in March 2024. | Opportunity for improvement | Closed |
7 | NatCen to consider providing specialist IAO training to all Research Directors undertaking that role. | Operational Management | NatCen will develop training in line with their IAR Management policy. This will be provided to IAOs on other studies as required. | Opportunity for improvement | Closed |
8 | At the post audit review, the Audit Team will review evidence of the outcome of the security exercise scheduled to be performed in 2023. | Access Control | The scheduled exercise did not take place in 2023 but is planned for June 2024. | Follow-up | Open |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 25 April 2024 2:08 pm