
Post Audit Review: University of East Anglia

This report provides the formal closure of the remote data sharing audit of the University of East Anglia (UEA) between 19 and 23 June 2023.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the University of East Anglia (UEA) between 19 and 23 June 2023 against the requirements of: 

  • the data sharing framework contract (DSFC) CON-324412-Y0F4Z-v2.02
  • the data sharing agreement (DSA) DARS-NIC- 79526-V8F2X-v2.7
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12
HES Critical Care | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12
HES Outpatients | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12
HES Accident and Emergency | Pseudonymised/Identifiable, Non-sensitive | 2015/16 – 2019/20 M12
Civil Registration of Death Secondary Care Cut | Pseudonymised, Sensitive | Historic Data Request Latest Available

The Controller is UEA.

The UK study for the At-Risk Registers Integrated into primary care to stop Asthma crisis in the UK (ARRISA) is performed by the Norwich Medical School and supported by the Norwich Clinical Trials Unit (NCTU) which sits within the School under the Faculty of Medicine and Health at UEA.

Following a post audit review published in October 2023, 3 organisation nonconformities, 2 observations, 6 opportunities for improvement and 3 points for follow-up remained open.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post Audit Review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by UEA in August 2024.

Post Audit Review Outcome

Based on the evidence, the Audit Team has found that UEA has not suitably addressed the findings. 1 organisation nonconformity and 2 points for follow-up remain open. The open findings have now been handed over to the representative of the Senior Information Risk Owner (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with the UEA. There are 6 opportunities for improvement which could help an organisation improve its controls and/or processes. These will not be followed up by NHS England.

Overall risk statement

Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium or Low.

Original risk statement: High

Previous risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

UEA has reviewed this report and confirmed that it is accurate.


Findings

The following table identifies the 6 agreement nonconformities, 5 organisation nonconformities, 4 observations, 6 opportunities for improvement and 4 points for follow-up raised as part of the original audit. Findings 1 – 7, 9, 13, 14, 23 were closed as part of the post audit review conducted in October 2023.

Ref 1
Finding: The server holding the data provided by NHS England is not installed with the latest software updates. The latest updates were installed on the server during the audit.
Link to area: Access Control
Update: The latest updates were installed on the server during the audit.
Designation: Agreement nonconformity
Status: Closed

Ref 2
Finding: There was no evidence to show that user permissions to the NHS England data had been reviewed on a regular basis.
Link to area: Access Control
Update: User permission reviews are scheduled to be performed annually, or whenever a change is made to permissions. The NCTU Information Asset Register (IAR) has been updated to record all user permission reviews, including each review date and the name of the reviewer. The Audit Team confirmed that the latest user permissions review found no issues. The Audit Team also received a copy of the updated IAR.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: Security assessments have never been performed on the infrastructure used to store data supplied by NHS England.
Link to area: Access Control
Update: A security assessment was performed in September 2023. The Audit Team reviewed the outcome of the assessment. The assessment found no critical, high or medium rated findings.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: NCTU has not included the data received under this DSA on an Information Asset Register (IAR).
Link to area: Operational Management
Update: NCTU has updated its IAR to include the data received under this DSA. The Audit Team received a copy of the updated IAR.
Designation: Agreement nonconformity
Status: Closed

Ref 5
Finding: NCTU has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, a ROPA has been completed for the wider NCTU.
Link to area: Operational Management
Update: NCTU has completed a ROPA for the data supplied under the DSA. The Audit Team received a copy of the completed ROPA.
Designation: Agreement nonconformity
Status: Closed

Ref 6
Finding: The Audit Team was unable to verify that the level of encryption applied to data in transit was in line with the requirements of the DSFC. However, UEA reported that transit is via a private network.
Link to area: Information Transfer
Update: The Audit Team verified that the level of encryption applied to the data in transit is now in line with the requirements of the DSFC.
Designation: Agreement nonconformity
Status: Closed

Ref 7
Finding: The server holding the data at rest was not encrypted in line with UEA policy.
Link to area: Operational Management
Update: The Audit Team verified that the server holding the data at rest is now encrypted in line with UEA policy.
Designation: Organisation nonconformity
Status: Closed

Ref 8
Finding: UEA network security vulnerabilities are not being remediated within the period defined in UEA policy.
Link to area: Access Control
Update: Documents covering the cyber strategy, security policy and patching process were shared with the Audit Team. UEA has addressed a number of the findings identified at the original audit in June 2023. UEA shared details of two servers and a recent scan report. However, the report identifies an issue that has not been remediated within the period defined in UEA policy. UEA advised that a plan is in place to address the vulnerability; however, there has been a delay due to operational issues. This finding remains open.
Designation: Organisation nonconformity
Status: Open

Ref 9
Finding: Password settings enforced for administrator accounts with access to data provided by NHS England were not in line with the requirements outlined in UEA policy.
Link to area: Access Control
Update: Password settings enforced for administrator accounts with access to data provided by NHS England are now in line with the requirements outlined in UEA policy. The Audit Team received evidence to confirm this.
Designation: Organisation nonconformity
Status: Closed

Ref 10
Finding: No annual review has been performed by the UEA Information Compliance Team regarding incident reporting and handling as required by UEA policy.
Link to area: Operational Management
Update: UEA advised that guidance pages are kept under constant review and updated when required, or where there are material changes to the law. UEA has produced a new Cyber Incident Response Plan. A copy of the plan (version 3, approved 19 July 2024) was shared with the Audit Team.
Designation: Organisation nonconformity
Status: Closed

Ref 11
Finding: No audit has been performed on UEA data processing practices as required by UEA policy.
Link to area: Operational Management
Update: UEA confirmed that the Data Protection (DP) policy has been updated. A copy of the policy (version 5, approved 31 January 2024) was shared with the Audit Team. Section 4.4 of the DP policy states: ‘The DPO will, where required and according to any defined and agreed schedule, undertake audits of data processing practices across the University.’ UEA further advised that ‘we do not have a defined or pre-agreed schedule for this’ at the time of this post audit review.
Designation: Organisation nonconformity
Status: Closed

Ref 12
Finding: UEA staff under honorary contracts are not required to complete mandatory UEA annual data protection training. In order to comply with the DSFC, UEA should ensure that all staff under an honorary contract complete the UEA annual data protection training.
Link to area: Operational Management
Update: UEA advised that its People and Culture Division (PCD) has completed an extensive review of mandatory training across all staff and associate groupings, including those on honorary contracts. A recommendation was made that all individuals (employees, workers and associates, including staff working under an honorary contract) must complete mandatory training across core modules, and this has been approved by the Executive Team. A communications plan is also being developed which will include updates on the revised policy and how mandatory training can be accessed more easily to support people with completion. A draft copy of the mandatory training policy was shared with the Audit Team. The policy applies to all employees, contractors and temporary staff working at or associated with UEA and covers mandatory training, including data protection. At the time of this review, the Audit Team was informed that the policy was in the process of being finalised.
Designation: Observation
Status: Closed

Ref 13
Finding: The operating system of the server being used to store data provided by NHS England is approaching end of support.
Link to area: Access Control
Update: The Audit Team verified that the data provided by NHS England is now being stored on a server that has a supported operating system.
Designation: Observation
Status: Closed

Ref 14
Finding: The current Data Protection Impact Assessment (DPIA) is yet to be finalised and provided to the DARS Team for review.
Link to area: Operational Management
Update: The DPIA has been finalised and provided to the DARS Team for review. The Audit Team received a copy of this DPIA.
Designation: Observation
Status: Closed

Ref 15
Finding: A number of policies and procedures have not been reviewed within their expected timescales. UEA and NCTU recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating.
Link to area: Operational Management
Update: UEA shared copies of the following policies and procedures that have been reviewed and updated since the original audit:
  • UEA, Data Protection Policy, Version 5, Approval 31 January 2024
  • UEA, Records Management Policy, Version 5, Approval 31 January 2024
  • NCTU, Information Governance Policy, Version 1, Approval April 2024
  • UEA, Information Classification and Data Management Policy, Version 6, Approval July 2023
Designation: Observation
Status: Closed

Ref 16
Finding: NCTU should consider reducing the number of touchpoints of the data.
Link to area: Information Transfer
Update: UEA advised that an assessment is being performed to review whether it is possible to reduce the number of touchpoints.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 17
Finding: UEA should reassess its use of built-in administrator accounts as recommended by Microsoft.
Link to area: Access Control
Update: UEA advised that use of built-in administrator accounts is being reassessed.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 18
Finding: UEA and NCTU should consider documenting a formalised starters, leavers and movers process.
Link to area: Operational Management
Update: UEA advised it is considering documenting a process for starters, leavers and movers.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 19
Finding: UEA should consider documenting a centralised data destruction policy by combining existing information around data destruction into a single document.
Link to area: Data Destruction
Update: UEA advised it is considering an overarching audit across all DP activities.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 20
Finding: UEA should consider expanding the data disposal information available on the staff intranet to include processes for electronic data disposal.
Link to area: Data Destruction
Update: UEA advised it is considering an overarching audit across all DP activities.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 21
Finding: UEA should consider documenting the roles and responsibilities of UEA Information Asset Owners (IAO) and offer specialist IAO training.
Link to area: Operational Management
Update: UEA advised that the data strategy is in review and the finding will be considered.
Designation: Opportunity for improvement
Status: Open, but not for follow-up

Ref 22
Finding: At the post audit review, the Audit Team will review tangible outputs from the study due to be completed in November 2023, including:
  • Report to the funder (National Institute for Health and Care Research)
  • Presentations at conferences
  • Information provided to General Practitioner Practices
  • Updated output register on NCTU website
Link to area: Use and Benefits
Update: UEA advised that, due to delays in ensuring agreement nonconformities are actioned, it is not expecting anything to be published until mid-2025.
Designation: Follow-up
Status: Open

Ref 23
Finding: At the post audit review, the Audit Team will request an update on the ongoing project to install supported operating systems.
Link to area: Access Control
Update: The Audit Team received an update on the project and confirmation that the server being used to store data supplied by NHS England is installed with a supported operating system.
Designation: Follow-up
Status: Closed

Ref 24
Finding: At the post audit review, the Audit Team will review outputs from the working group that is in place to revise the UEA stance around how information assets are recorded and managed.
Link to area: Operational Management
Update: UEA advised that this action is ongoing.
Designation: Follow-up
Status: Open

Ref 25
Finding: At the post audit review, the Audit Team will review the UEA revised approach to risk recording, using the newly implemented risk recording software.
Link to area: Risk Management
Update: UEA has reviewed the risk management process, and the following actions have been undertaken:
  • A Risk and Business Continuity Manager has been appointed
  • Risk training was rolled out in November 2023 with the Information Technology and Computing Service (ITCS)
  • Risk Champions and Working Group members have been appointed in order to facilitate the development and implementation of risk management arrangements
  • A Risk Management Dashboard has been developed, including a new risk register template
UEA advised that there are ongoing risk management workshops to validate, identify, review and analyse risks impacting the ITCS area. Once this work is complete, all areas will have an up-to-date risk register, dashboard and report for their area. UEA has developed a new Risk Management Policy, which was approved in September 2023. A copy was shared with the Audit Team.
Designation: Follow-up
Status: Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 20 November 2024 1:10 pm