
NHS England Post Audit Review: Institute of Cancer Research

This report provides the formal closure of the remote data sharing audit of the Institute of Cancer Research (ICR) between 11 and 15 December 2023.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the Institute of Cancer Research (ICR) between 11 and 15 December 2023 against the requirements of: 

  • the data sharing framework contract (DSFC) CON-313340-Z2F1L-v2.02
  • the data sharing agreement (DSA) DARS-NIC148118-VCXW9-v5.5
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Medical Research Information Service (MRIS) - Cause of Death Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019)
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019)
MRIS – Flagging Current Status Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019)
MRIS - Members and Postings Report | Identifiable, Sensitive | Historic Held (July 2011 – December 2019)

The Controller is the ICR. 

At the time of the original audit, the DSA allowed only retention of the data, with no processing.

Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.  

Post Audit Review 

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the ICR between January and February 2025.

Post Audit Review Outcome 

Based on the evidence provided by the ICR, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team or the ICR.

Updated risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low:

Original risk statement: Medium

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.

Data Recipient’s Acceptance Statement 

The ICR has reviewed this report and confirmed that it is accurate. 


Findings

The following table identifies the 4 agreement nonconformities, 1 organisation nonconformity and 3 points for follow-up raised as part of the audit. During the audit, 2 of these findings were closed.


Ref | Finding | Link to area | Update | Designation | Status
1 | The server holding data provided by NHS England is running unsupported software. | Access Control | The ICR have provided details that a new supported server has been built, together with a recent compliance report. | Agreement nonconformity | Closed
2 | The file download credentials supplied by NHS England are shared between three members of the research team. This was resolved during the audit. | Access Control | The ICR resolved this finding during the original audit by disabling the shared credentials; the credentials are now assigned to a single user. | Agreement nonconformity | Closed
3 | The ICR must remove non-administrator accounts from the file system administrator security group. | Access Control | The ICR provided a description and a supporting screenshot showing that non-administrator accounts have been removed from the security group. | Agreement nonconformity | Closed
4 | User reviews were not taking place on the database software. | Access Control | The ICR shared the database logging and monitoring Standard Operating Procedure (SOP) with the Audit Team. It includes a paragraph covering the monthly team meeting, where leavers and movers are discussed, and states that database access will be reviewed and updated accordingly. The meeting agendas for October, November and December 2024 were shared with the Audit Team. The ICR have confirmed that no issues were identified during the reviews. | Agreement nonconformity | Closed
5 | Procedures defining destruction of electronic data were not followed during the migration of the data to the current infrastructure. | Data Destruction | The ICR have included a new statement in the Security of Sensitive Information Policy (IGC/08/21/05), which now covers the process to follow when migrating data. | Organisation nonconformity | Closed
6 | At the post audit review, the Audit Team will follow up progress of the investigation into the retention of NHS England data on the backup tapes. | Information Transfer | The ICR provided a paper on backup retention, presented to the Information Governance Committee on 11 December 2024, stating that the historic backup tapes from before 2018 have been destroyed. To support this, the ICR shared a certificate of destruction and a breakdown with the Audit Team. | Follow-up | Closed
7 | At the post audit review, the Audit Team will review the contract in place with the third-party disposal provider. At the time of the audit, a contract was being negotiated with the new provider. | Data Destruction | The ICR shared a copy of the contract with the third-party disposal provider. The contract was signed by both parties in April 2024. | Follow-up | Closed
8 | At the post audit review, the Audit Team will review progress on the implementation of Centre for Internet Security Hardening Level 2 on the database server holding NHS England data. | Information Transfer | The ICR stated that Centre for Internet Security Hardening Level 2 is not possible for the new database server; Level 1 is being implemented instead, with a target of up to 90% compliance. The ICR supplied a summary compliance report from January 2025. | Follow-up | Closed

Opportunities for improvement  

The following table identifies 1 opportunity for improvement which could help an organisation improve its controls and/or processes.

ICR 

Ref | Opportunity for improvement | Link to area | Notes
1 | The ICR should implement further technical controls to provide alerts when changes are made to the security group controlling access to the data. This was resolved during the audit. | Access Control |


Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 2 May 2025 9:14 am