Post Audit Review: University College London - SABRE

This report provides the formal closure of the remote data sharing audit of University College London (UCL) Southall and Brent Revisited (SABRE) Study between 20 and 24 November 2023.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of University College London (UCL) Southall and Brent Revisited (SABRE) Study between 20 and 24 November 2023. It provides an evaluation of how UCL conformed to the requirements of:

  • the data sharing framework contract (DSFC) CON-321538-B5D8B-v2.02
  • the data sharing agreements (DSA)
    • DARS-NIC-148407-LRP3M-v7.3
    • DARS-NIC-91374-Z5V6Y-v6.4
    • DARS-NIC-99077-Q0K6Z-v7.3
  • the organisation’s own policies, processes, and procedures

These DSAs cover the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics Admitted Patient Care (HES APC) | Identifiable, Sensitive | 1989/90 – 2023/24 |
| MRIS – Members and Postings Report | Identifiable, Sensitive | Historic Held (May 1995 – March 2020) |
| MRIS – List Cleaning Report | Identifiable, Sensitive | Historic Held (May 1995 – March 2020) |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | Historic Held (May 1995 – March 2020) |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | Historic Held (May 1995 – March 2020) |
| MRIS – Cause of Death Report | Identifiable, Sensitive | Historic Held (May 1995 – March 2020) |
| Demographics | Identifiable, Sensitive | Latest available |
| Civil Registrations of Death | Identifiable, Sensitive | Latest available |
| Cancer Registration Data | Identifiable, Sensitive | Latest available |

The Controller is UCL and the Processor is Amazon Web Services (AWS). AWS do not have access to the data and only provide cloud hosting services.

Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.

Post Audit Review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UCL between 15 - 19 July 2024.

Post Audit Review Outcome

Based on the evidence provided by UCL, all findings have been closed, with the exception of 4 opportunities for improvement which are open but not for follow-up. Therefore, no further action is required by the Audit Team and UCL.

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.

Original risk statement: Low

Current Risk Statement: Low


Data recipient’s acceptance statement

UCL has reviewed this report and confirmed that it is accurate.


Findings

The following table identifies the 1 agreement nonconformity and 6 Opportunities for Improvement raised as part of the original audit.

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | All database accounts have been granted superuser permissions. UCL should apply the principle of least privilege to these user accounts to limit access to administrator functions within the database. | Access Control | UCL have provided an update to the Audit Team, along with screenshot evidence, to clearly illustrate the permissions have been amended to remove administration functions from users who no longer require access to the database. | Agreement nonconformity | Closed |
| 2 | UCL should review the number of technical support staff that have permissions to the data. | Operational Management | UCL confirmed that these permissions are reviewed on a regular basis and that the number of staff with administrator permissions is kept to a minimum essential number. | Opportunity for improvement | Closed |
| 3 | UCL should add a procedure to delete database accounts to the leavers process. | Operational Management | UCL agreed that an update to the Joiners, Movers and Leavers template will be made to specifically include local database accounts. | Opportunity for improvement | Open, but not for follow-up |
| 4 | UCL should reference the storage and processing locations in the entry for the NHS England data on the Information Asset Register. | Operational Management | UCL will add processing locations to the Information Asset Register. | Opportunity for improvement | Open, but not for follow-up |
| 5 | UCL should consider implementing a process to communicate data protection policy updates to users. | Operational Management | UCL will create an automated process for communicating policy updates to users. | Opportunity for improvement | Open, but not for follow-up |
| 6 | The Audit Team suggested that data suppliers are added to the table of contacts in the Critical Incident Process. | Operational Management | UCL have updated their Critical Incident Process document to include Information Asset Owners and Information Asset Administrators in the communication plan. This document explicitly refers to informing any data providers in the event of an incident. | Opportunity for improvement | Closed |
| 7 | Where the data is used in future publications, UCL should acknowledge the source of the data in accordance with the requirements of the DSFC. | Operational Management | UCL will instruct all future users they should cite the source of the data. Where practicable all outputs will include “This work uses data provided by the NHS as part of their care and support”. This requirement will be checked prior to any publication. | Opportunity for improvement | Open, but not for follow-up |

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 25 October 2024 2:26 pm