NHS England Post Audit Review: University College London – Regional Heart Study
This report provides the formal closure of the remote data sharing audit of University College London – Regional Heart Study (UCL-RHS) on 13 December 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of University College London – Regional Heart Study (UCL-RHS) on 13 December 2023 against the requirements of:
- data sharing framework contract (DSFC): CON-321538-B5D8B-v2.02
- data sharing agreement (DSA): DARS-NIC-148101-R7RSL-v6.2
- data sharing agreement (DSA): DARS-NIC-148101-R7RSL-v7.4
- the organisation's own policies, processes and procedures
These DSAs cover the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
MRIS – Cause of Death Report | Identifiable/Sensitive | February 2000 – December 2016 |
MRIS – List Cleaning Report | Identifiable/Sensitive | February 2000 – December 2016 |
MRIS – Members and Postings Report | Identifiable/Sensitive | February 2000 – December 2016 |
MRIS – Flagging Current Status Report | Identifiable/Sensitive | February 2000 – December 2016 |
MRIS – Cohort Event Notification Report | Identifiable/Sensitive | February 2000 – December 2016 |
The Controller and Processor is UCL-RHS.
Further guidance on the terms used in this post audit review report can be found in the Data Sharing Remote Audit Guide version 4.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UCL-RHS between 13 December 2023 and 24 April 2024.
Post Audit Review Outcome
Based on the evidence provided by the UCL-RHS, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the UCL-RHS.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
The UCL-RHS has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 1 observation and 2 opportunities for improvement raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | No evidence was provided to the Audit Team to confirm that the Information Commissioner's Office (ICO) was satisfied with the output of the improvement plan UCL-RHS provided to the ICO in 2017, in response to a reported data breach. The ICO action plan included a training plan, which was endorsed on 28 June 2017 by the UCL Information Service Governance Committee (UCL ISGC). The plan covers annual data protection training for all UCL staff by 2018. Existing arrangements are in place to provide annual training for those using NHS England data. The Audit Team recommend that, if UCL-RHS are unable to locate and supply confirmation from the ICO that all areas of the action plan have been addressed, a copy is requested from the ICO to hold on file. | Information Transfer | The UCL-RHS provided evidence to the Audit Team of correspondence from the ICO. This included formal acknowledgement that the UCL-RHS improvement plan addressed the concerns raised as part of the reported data breach in 2017. The only recommendation from the ICO related to the frequency of data protection training. The UCL-RHS provided further evidence to illustrate that this recommendation had been adopted across the organisation. | Observation | Closed |
2 | UCL-RHS should improve its Information Asset Register (IAR) to include descriptions around what data is being held within each case reference number. The lack of detailed descriptions for each entry could lead to issues when any data is to be destroyed. | Operational Management | The UCL-RHS provided the Audit Team with screenshots of its IAR which clearly illustrated that descriptions are now included for each entry. | Opportunity for improvement | Closed |
3 | On reviewing the system access logs during the audit, it became apparent that a longer retention period would benefit UCL-RHS, to monitor access to files and folders more effectively. The Audit Team observed the retention period was extended during the audit. | Access Control | The UCL-RHS provided this evidence during the original audit. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 May 2024 8:55 am