
NHS England Post Audit Review: University of Manchester

This report provides the formal closure of the remote data sharing audit of the University of Manchester (UoM) in February 2022.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the University of Manchester (UoM) on 21 and 25 February 2022 against the requirements of both:

  • the data sharing framework contracts (DSFC)
      o CON-326191-T0T6B-v2.02 (UoM)
      o CON-240079-Q7Y0S-v2.02 (British Society for Rheumatology)
  • the data sharing agreement (DSA) DARS-NIC-148353-G88Q7-V3.2
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) - Members and Posting report | Identifiable, Sensitive | January 2003 - March 2020 |
| MRIS - Flagging Current Status report | Identifiable, Sensitive | January 2003 - March 2020 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | January 2003 - March 2020 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | January 2003 - March 2020 |
| Demographics | Identifiable, Sensitive | Latest available |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
| Cancer Registration Data | Identifiable, Sensitive | Latest available |

The Joint Controllers are UoM and the British Society for Rheumatology (BSR).

Further guidance on the terms used in this post audit review report can be found in the NHS Digital Remote Audit Guide version 1.

As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.

Post Audit Review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UoM between May and December 2023.

Post Audit Review Outcome

Based on the evidence provided by the UoM, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and UoM.

Updated risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Original risk statement: Medium

Current risk statement: Low


Data recipient’s acceptance statement

The UoM has reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 4 agreement nonconformities, 1 organisation nonconformity, 1 observation, 4 opportunities for improvement and 1 point for follow-up raised as part of the audit.

UoM

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | There is no coherent Information Asset Register (IAR) to cover the data supplied under the DSA. Instead, information is spread across different documents. | Operational Management | BSR Biologics Register for Rheumatoid Arthritis (BSRBR-RA) shared an IAR with the Audit Team which contained information about NHS Digital data. | Agreement nonconformity | Closed |
| 2 | There was no evidence to show that user permissions to the network folder holding NHS Digital data had been reviewed on a regular basis, nor was there any evidence of privilege access reviews being conducted in accordance with UoM documentation. | Access Control | UoM has provided evidence including Standard Operating Procedures to the Audit Team to show how they are reviewing user permissions to the network folder. | Agreement nonconformity | Closed |
| 3 | The UoM has not completed a Data Protection Impact Assessment (DPIA) for the Data Safe Haven. | Operational Management | UoM provided evidence of a DPIA assessment which was reviewed and accepted by the Audit Team. | Agreement nonconformity | Closed |
| 4 | The UoM is not undertaking certain compliance checks prescribed in its documentation. | Operational Management | UoM provided quarterly compliance reports and monitoring schedules to confirm how it is now undertaking compliance checks. The Audit Team reviewed and accepted these documents. | Organisation nonconformity | Closed |
| 5 | A number of policies and procedures have not been reviewed within their expected timescales. The UoM recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating. | Operational Management | UoM shared a tracking schedule with the Audit Team. It provided a list of policies with their review dates and the status to show policies under review. | Observation | Closed |
| 6 | The Audit Team suggested that the UoM review the naming convention for the Data Safe Haven platform and update relevant documentation where appropriate. | Operational Management | UoM confirmed that the naming convention for all elements of the Data Safe Haven infrastructure has been amended to reflect the changes. Documents have been provided to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The UoM may wish to increase the backup retention period for the data supplied by NHS Digital to 28 days and reflect this on any future certificate of destruction. | Operational Management | UoM shared with the Audit Team an approved System Level Security Policy (SLSP) which has been updated to show the backup retention period for the Data Safe Haven has been increased to 28 days. UoM confirmed all relevant documentation will be updated to reflect the change. | Opportunity for improvement | Closed |
| 8 | The Audit Team suggested that Terms of Reference for the Data Safe Haven Operations Group be developed. | Operational Management | The Terms of Reference for the Data Safe Haven Operations Group has been shared with the Audit Team. | Opportunity for improvement | Closed |
| 9 | As part of future reviews, the UoM should ensure certain statements in the Data Safe Haven System Level Security Policy (SLSP) and BSRBR-RA standard operating procedures are corrected. | Operational Management | UoM has provided the Audit Team with an updated SLSP and a BSRBR-RA document control register which provided a description of the changes made and dates of the reviews. | Opportunity for improvement | Closed |
| 10 | At the post audit review, the Audit Team will review the progress on closing the findings from the last security assessment. | Access Control | UoM shared an update to the Audit Team on the progress of the actions which reported the findings had been addressed. | Follow-up | Closed |

BSR

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 11 | The BSR had not completed and submitted a Data Security Protection Toolkit (DSPT) assessment in the requested timeframe. | Operational Management | The DSPT organisation database shows the BSR was awarded “Standards Met”. | Agreement nonconformity | Closed |

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 6 March 2024 10:05 am