Skip to main content

NHS England Data Sharing Remote Audit: University College London (The Centre for Longitudinal Studies – The CLS)

This report provides the formal closure of the remote data sharing audit of University College London (UCL) and its Processors between 27 March and 3 April 2023.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of University College London (UCL) and its Processors between 27 March and 3 April 2023 against the requirements of:

  • the data sharing framework contract: (DSFC) CON-321538-B5D8B-v2.01
  • the data sharing agreement: (DSA) DARS-NIC-51342-V1M5W-v4.10 (expired in December 2022, though UCL had an ongoing application at the time of the audit)
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care Identifiable, Non-sensitive 1997/98 - 2021/22_M08
HES - Critical Care Identifiable, Non-sensitive 2008/09 - 2021/22_M08
HES - Outpatients Identifiable, Non-sensitive 2003/04 - 2021/22_M08
HES – Accident and Emergency Identifiable, Non-sensitive 2007/08 - 2019/20_M12
Emergency Care Data Set (ECDS) Identifiable, Sensitive 2020/21 - 2021/22_M08

The Controller is UCL (The Centre for Longitudinal Studies – The CLS) and the Processors are the University of Essex (UoE) and Amazon Web Service (AWS). UoE store data using the UK Data Service (UKDS) infrastructure. AWS provide cloud storage services to UCL.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post Audit Review

This post audit review comprised a desk-based assessment along with a video call to review the action plan and supporting evidence supplied by UCL and UoE between 2 and 15 February 2024.

Post Audit Review Outcome

Based on the evidence provided by the UCL and UoE, the Audit Team has closed all the findings. Therefore, no further action is required.

Updated Risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk statement: Medium

Current Risk Statement: Low

 

Data recipient’s acceptance statement

UCL and UoE have reviewed this report and confirmed that it is accurate. 

 

Findings

The following tables identify the 2 agreement nonconformities, 10 opportunities for improvement and 5 points for follow-up raised as part of the original audit.

CLS / UCL

Ref Finding Link to area Update Designation Status
1

Data are being processed and stored at locations not specified on the DSA.
It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request.    
 

 Information Transfer The CLS have created a data processing and storage location document. This sets out not only the location, but other key information for each facility. Document control information was up to date in the copy provided as evidence to the Audit Team. Agreement nonconformity Closed
2

The CLS has not included the obligations from the DSA and DSFC in its data processing agreement with UoE. 
CLS reported that the sub-licensing model including the data processing agreement had been previously agreed between them and NHS England in 2019. It was also noted that CLS had shared previous versions of the DSAs with UoE to make them aware of the obligations. 
 

 Operational Management An updated data processing agreement between the CLS and UoE has been provided to the Audit Team as evidence. This agreement now sets out the requirements within both the DSA and DSFC that the UKDS, acting as the processor, must adhere to. Agreement nonconformity Closed
3

The CLS should consider adding a field in the application register to include details on outputs. 

 Use and Benefits

The CLS have now included a field in their application register to provide details on any research outputs. A link to the updated register was provided to the Audit Team.

 Opportunity for improvement Closed
4

The CLS should develop supporting documentation that makes it clear on the recommendations / outcomes that can be made by the Data Access Committee (DAC) whether an application not fully approved needs to be returned to DAC for further review. 

 Operational Management An updated CLS DAC Data Sharing Protocol has been provided as evidence to the Audit Team. The revised protocol now contains additional information which sets out the decision making limitations of the DAC. Opportunity for improvement Closed
5

The CLS should consider improving the local risk register by including the status of risks, post mitigation risk scores, mitigation steps and risk review dates.

 Risk Management The CLS have reviewed the local risk register and some recommendations from the audit have been incorporated. A copy of the updated register was provided to the Audit Team. Opportunity for improvement Closed
6 Meetings between the CLS and the UoE should be documented. The CLS should ensure that risks in relation to processing of the data by the UoE are formally documented.      Operational Management The CLS now have quarterly, minuted meetings with UKDS. A new internal risk register has been created to monitor data sharing risks, which are to be raised during these meetings. Opportunity for improvement Closed
7

The CLS should consider updating the Data Processing Impact Assessment (DPIA) and Record of Processing Activities (ROPA) which include a description of processing undertaken by the UoE, to include a sign off section for the UoE to confirm that it has reviewed the documents. 

 Operational Management Copies of a DPIA and a ROPA, along with supporting documentation, have been provided to the Audit Team which illustrate that each now have a sign off section. Opportunity for improvement Closed
8 At the post audit review, the Audit Team will review the updated DSA to ensure the details on the role of the DAC have been correctly reflected. Use and Benefits The role of the DAC referred to in this finding have been removed from subsequent applications. Follow-up Closed
9 At the post audit review, the Audit Team will review the updated DSA to check that details have been included on where users can access the data. During the audit, the CLS stated that this is being addressed in the ongoing application.     
It was noted that CLS had confirmation from the DARS team in March 2022 that they could continue to work from home providing previous guidance was adhered to.  
 		 Access Control The current data sharing agreement includes details in section 5b, which indicates that the UKDS home working policy does not involve bring your own device (BYOD). Researchers applying to use data remotely from home, will only be given permission to access the data if they agree to use their work computer remotely and access the Secure Lab from there. Follow-up Closed
10 At the post audit review, the Audit Team will review the progress made on addressing the vulnerabilities identified through the vulnerability scan. Access Control A report was provided as evidence to the Audit Team which illustrates regular progress is monitored for any vulnerabilities identified during a scan. It also provides details of how each is risk assessed and priorities apportioned. Follow-up Closed

UoE / UKDS

Ref

Finding

Link to area

Update

Designation

Status
11

The risk register should be updated as some of the recorded review dates are not consistent with recent reviews. 

 Risk Management A redacted copy of the latest Information Security Risk Assessment report was provided to the Audit Team. This illustrates that review dates are provided for all entries. Opportunity for improvement Closed
12 The UKDA should review and update the following documentation as they contain duplication of contents: 
  • CD-091 Business Continuity Plan / CD-247 – Crisis Communications plan
  • CD-255 – Annual Information review procedures / CD174 – Information Management Procedures
 Operational Management The UKDS, after consideration, provided justification for not updating the documents listed, as they feel the information is better located as currently presented. Opportunity for improvement Rejected
13 The UKDA should consider documenting the approach to patching and associated schedules. Access Control The UKDS have now documented the approach to patching, along with schedules in Confluence. JIRA tickets are now used to capture evidence on a monthly basis. An extract from Confluence has been provided as evidence to the Audit Team. Opportunity for improvement Closed
14 The UKDA should consider maintaining internal training records for data protection.  Operational Management The maintenance of internal training records was discussed in a UKDS Information Security Management Group meeting, the minutes of which have been provided as evidence to the Audit Team. No firm decision was agreed, but will be recorded if adopted. Opportunity for improvement Closed
15 The UKDA should consider defining the dormant account process including the period of time after which inactive accounts are disabled. Access Control An updated copy of the UKDS document Managing Access to Secure Lab Accounts was provided to the Audit Team as evidence. This sets out the process for managing inactive accounts. Opportunity for improvement Closed
16 At the post audit review, the Audit Team will review the recent security report and any remediation plans put into place.  Access Control During an online meeting with UCL and UKDS, the Audit Team were shown a recent security report on screen, which provided a summary of issues identified on a server holding NHSE data. No significant areas of concern were raised and all actions have a clear supporting action plan. Follow-up Closed
17 At the post audit review, the Audit Team will review the work to implement Multi Factor Authentication (MFA) in place for Secure Labs. Access Control During an online meeting with UCL and UKDS, the Audit Team were given a demonstration of how MFA has been incorporated and is now in place for Secure Labs. Follow-up Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 29 April 2024 8:57 am