Data Sharing Remote Audit: Small Area Health Statistics Unit at Imperial College London

This report records the findings of a remote data sharing audit of the Small Area Health Statistics Unit (SAHSU) at Imperial College London in June 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the Small Area Health Statistics Unit (SAHSU) at Imperial College London (ICL) where the interviews were conducted between 28 June and 2 July 2021. It provides an evaluation of how the SAHSU conforms to the requirements of both:

the data sharing framework contract (DSFC) CON-312177-J7P3H
the data sharing agreement (DSA) DARS-NIC-204903-P1J7Q-v3.8

SAHSU currently have an ongoing application with the Data Access Request Service (DARS) team, which outlines changes with respect to processing and storage activities. These changes were implemented from July 2020 by SAHSU. SAHSU was able to provide email correspondence which outlined the changes that had been agreed with DARS. As a result, SAHSU was assessed against the current DSA, and the changes agreed with DARS.

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care	Identifiable, Sensitive	1990/91 - 2021/22_M06
HES Critical Care	Identifiable, Sensitive	2008/09 - 2021/22_M06
HES Accident and Emergency	Identifiable, Sensitive	2008/09 - 2018/19
Emergency Care Data Set (ECDS)	Identifiable, Sensitive	2018/19 - 2021/22_M06
HES: Civil Registration (Deaths) bridge	Identifiable, Non-sensitive	Latest available
Civil Registration (Deaths) - Secondary Care Cut	Identifiable, Sensitive	Latest available

The Controller is ICL.

SAHSU was established in 1987 as a recommendation of the Black inquiry into the incidence of leukaemia and lymphoma in children and young adults near the Windscale/Sellafield nuclear power plant. The main role of SAHSU is to assess the risk to the health of the population from environmental factors by analysing health and population data at a small area scale.

SAHSU is funded by Public Health England to contribute to public health in the UK.

This report also considers whether SAHSU conform to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium – Low.

Current risk statement: High

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.

Data recipient’s acceptance statement

SAHSU has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

SAHSU will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the SAHSU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

Findings

The following table identifies the 6 agreement nonconformities, 1 organisation nonconformity, 2 observations, 9 opportunities for improvement and 1 point for follow-up raised as part of the audit.

Ref	Finding	Link to area	Clause	Designation
1	The database holding data supplied by NHS Digital has not been patched for some time.	Access control	DSFC Part 2, Schedule 2, Section A, clause 1.1	Agreement nonconformity
2	Data in transit between the primary datacentre and the backup sites is not fully encrypted as required by the DSFC.	Information transfer	DSFC, Schedule 2, Section A, clause 4.6	Agreement nonconformity
3	Vulnerability scans have not been conducted on elements of the infrastructure.	Access control	DSFC Part 2, Schedule 2, Section A, clause 1.1	Agreement nonconformity
4	Findings from validation testing have not been cleared within a reasonable timescale and no formal remediation plan has been established.	Access control	DSFC Part 2, Schedule 2, Section A, clause 1.1	Agreement nonconformity
5	ICL has not carried out a formal risk assessment of the physical controls at ICL’s data centres.	Access control	DSFC, Part 2,Schedule 2, Section A, Clause 3	Agreement nonconformity
6	Two master students had been given access to data supplied by NHS Digital, which is not permitted by the DSA. During the audit access to the data by the master students was suspended by SAHSU, and a request was made to DARS to update the DSA.	Use and benefits	DSA, Annex A, Section 5b	Agreement nonconformity
7	The data supplied by NHS Digital has not been classified in line with SAHSU Information Classification Policy.	Operational management	SAHSU Information Classification Policy	Organisation nonconformity
8	Although the DSA requires all PhD students to have substantive contracts in place with Imperial College London, no such contracts could be provided for any of the PhD students in the Unit.	Use and benefits	DSA, Annex A, Section 5b	Observation
9	Anti-virus alerts for the servers holding data supplied by NHS Digital are only forwarded to a single IT contact. If the contact was unavailable, then no action would be taken against the alerts. It was, however, stated that SAHSU plan to utilise the anti-virus solution used by the rest of ICL, where events would be captured in a log management tool and alerts issued to a group email address.	Access control	DSFC Part 2, Schedule 2, Section A, clause 1.1	Observation
10	SAHSU should consider developing procedures or enhancing existing documentation to cover the following: the local storage of Active Directory (AD) administrator account passwords firewall management, for example, responsibilities, rule changes and configuration changes assessing security incidents and informing NHS Digital where appropriate electronic destruction of data supplied by NHS Digital	Operational management		Opportunity for improvement
11	SAHSU should proactively monitor the database logs.	Operational management		Opportunity for improvement
12	The Information Asset Owner (IAO) should consider completing specialist IAO training.	Operational management		Opportunity for improvement
13	SAHSU should consider adding appropriate document management information to its Data Protection Impact Assessment (DPIA).	Operational management		Opportunity for improvement
14	SAHSU should consider deactivating user accounts that have not been accessed for more than six months.	Access control		Opportunity for improvement
15	SAHSU risk management process could be improved by regular review of the risk register at a group meeting, including the IAO. SAHSU should also consider formal risk management training.	Risk management		Opportunity for improvement
16	SAHSU should consider automatically blocking remote connections in certain circumstances.	Access control		Opportunity for improvement
17	ICL should consider proactive review of swipe card access to the datacentre as currently this is only done when users join or leave the organisation.	Access control		Opportunity for improvement
18	SAHSU should consider carrying out a risk assessment on the statistical server as it may store temporary files if there is any abnormal shutdown of the statistical tools.	Risk management		Opportunity for improvement
19	At the time of audit, ‘old’ servers had not been destroyed but still contained data supplied by NHS Digital. At the post audit review, the Audit Team will review the data destruction process and view a completed certificate of destruction.	Data destruction		Follow-up

Supplementary notes

No notes

Use of data

SAHSU confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

SAHSU confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
ICL	England/ Wales (temporary approval of access across UK during the pandemic)

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
ICL	Disk	3 months
ICL	Tape	6 months

Good practice

During the audit, the Audit Team noted the following area of good practice:

SAHSU has developed and ask users to complete a homeworking risk assessment
SAHSU was able to demonstrate the benefits to health and social care from the outputs it had produced using data supplied by NHS Digital.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 18 August 2021 9:19 am