NHS Digital Data Sharing Remote Audit: Merck Sharp & Dohme Limited

This report records the key findings of a remote data sharing audit of Merck Sharp & Dohme Limited and Manchester University NHS Foundation Trust in October 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of Merck Sharp & Dohme Limited (MSD) and Manchester University NHS Foundation Trust (MFT) between 4 and 8 October 2021. It provides an evaluation of how MSD and MFT conform to the requirements of:

the data sharing framework contracts (DSFC)

o MSD: CON-290527-P5C0Y

o MFT: CON-324681-Z8K6R

the data sharing agreement (DSA) DARS-NIC-290527-P5C0Y-v1.3

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care	Identifiable, Non-sensitive	2010/11 – 2020/21_M02
HES Outpatients	Identifiable, Non-sensitive	2010/11 – 2020/21_M02
Diagnostic Imaging Dataset (DID)	Identifiable, Non-sensitive	Historic Data Request
Bridge file: HES to DID	Identifiable, Non-sensitive	Latest Available - 08/2020

The Joint Controllers are MSD and MFT and the Processors are NorthWest EHealth Limited (NWEH), Salford Royal NHS Foundation Trust (SRFT) and Microsoft Limited. The Joint Controllers do not process the data. Microsoft Limited supplies cloud storage services, via the Microsoft Azure platform, to SRFT. SRFT manages the Microsoft Azure platform on behalf of NWEH. The data supplied by NHS Digital under this DSA is processed and stored on Microsoft Azure.

The study aims to increase the understanding of the profile and characteristics of patients with unexplained Refractory Chronic Cough (RCC) by analysing the healthcare resource utilisation (HRU) and treatment patterns of these patients. RCC is a condition which is notoriously difficult to diagnose as its associated symptoms, such as gastroesophageal reflux, heartburn, and regurgitation, can easily be attributed to other conditions.

The rationale for the study is to analyse the cost of the healthcare resource utilisation (for example, how much and what healthcare services are used) by patients with RCC and better understand the burden (for example, the cost in both money and time) of managing patients diagnosed with RCC to the greater health care system.

This is a stand-alone study commissioned by the sponsor MSD, in collaboration with the Principal Investigator (PI) who is employed by MFT. The consented cohort of patients have been recruited from a specialist clinic led by the PI which is part of MFT.

This report also considers whether MSD and MFT and its Processors conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information Transfer Access Control Data Use and Benefits Risk Management Operational Management and Control Data Destruction
Restrictions	Access Control - Limited visibility of physical controls Data Use and Benefits - No outputs had been produced at the time of the audit

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.

Data recipient’s acceptance statement

MSD, MFT and NWEH have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

MSD, MFT and NWEH will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the MSD, MFT and NWEH to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

Findings

The following tables identifies the 4 agreement nonconformities, 3 observations, 9 opportunities for improvement and 3 points for follow-up raised as part of the audit.

Some of the findings have been repeated for MSD and MFT as they are joint Controllers, and the finding applies to both organisations.

MSD

Ref	Finding	Link to area	Clause	Designation
1	The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s Data Protection Impact Assessment (DPIA) are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval.	Operational Management	MFT and MSD’s LIA NWEH’s DPIA	Observation
2	Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements.	Operational Management		Opportunity for improvement
3	The DSA should be reviewed and updated as it was confirmed at the audit: SRFT are managing the Microsoft Azure platform on behalf of NWEH source data verification by an MSD employee for the purpose of monitoring has not taken place and there are no plans for it to take place (confirmed by NWEH).	Operational Management		Opportunity for improvement
4	MSD’s Supplier Privacy Assessment on NWEH should be reviewed and updated. This includes: completing the section on cloud computing identifying the type of data being held and the data storage location.	Operational Management		Opportunity for improvement
5	MSD’s Privacy Advisor Impact Assessment on the study should be reviewed and updated. Potential areas for change include: statement on Clinical Research Associate type of data being processed data retention.	Operational Management		Opportunity for improvement

MFT

Ref	Finding	Link to area	Clause	Designation
6	The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s DPIA are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval.	Operational Management	MFT and MSD’s DPIA and LIA NWEH’s DPIA	Observation
7	Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements.	Operational Management		Opportunity for improvement
8	The DSA should be reviewed and updated as it was confirmed at the audit: SRFT are managing the Microsoft Azure platform on behalf of NWEH source data verification by an MSD employee for the purpose of monitoring has not taken place and there are no plans for it to take place (confirmed by NWEH).	Operational Management		Opportunity for improvement

NWEH

Ref	Finding	Link to area	Clause	Designation	Notes
9	Users from NWEH with access to data supplied by NHS Digital held on Microsoft Azure did not hold valid honorary contracts with SRFT. The DSA requires the NWEH Database Administrator and Statistics team to hold honorary NHS contracts with SRFT.	Use and Benefits	DSA, Annex A, Section 5b	Agreement nonconformity
10	NWEH did not complete the Data Security Protection Toolkit (DSPT) in 2019/20 and 2020/21 as required by the MSD’s System Level Security Policy (SLSP) that was agreed with NHS Digital in February 2020.	Access Control	DSA, Annex A, Section 1b SLSP, version 1.0, Section 4.0, DSPT	Agreement nonconformity	1
11	No justification to support the presence of a domain administrator account on the Microsoft Azure platform was provided. SRFT stated that it should be disabled.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
12	NWEH to review and update its Record of Processing Activities (ROPA) as it includes inaccurate information. This includes fields on special category data, missing joint controller information and missing data source.	Operational Management	DSFC, Schedule 3, General Data Protection Regulation (GDPR)	Agreement nonconformity
13	There is an inconsistency between the MSD’s SLSP and NWEH Security Testing policy with respect to the penetration testing of the Azure platform. The SLSP states that testing will be carried out annually and the NWEH policy states that it will be every 2 years. The last penetration test was conducted in the last 12 months.	Access Control	MSD, SLSP, Section F, Penetration Testing / Vulnerability Testing NWEH - Security Testing Policy, Section 5.3.2	Observation
14	MSD’s SLSP includes a statement that IP filtering based on “Deny-all first” principle will be in place and is managed by the SRFT via a change management process. Both SRFT and NWEH should consider reviewing the rules setup to ensure that they are up to date.	Access Control		Opportunity for improvement
15	NWEH should consider if technical controls could be implemented to prevent users transferring data from the Azure platform to their own corporate machines.	Access Control		Opportunity for improvement
16	NWEH should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, date of data deletion, linking to which version of the DSA it came with and certificate of destruction.	Operational Management		Opportunity for improvement
17	A Microsoft Azure vulnerability security scan covering various parts of the platform has been recently conducted which highlighted a number of findings. At the post audit review, the Audit Team will ensure that all of the highlighted vulnerabilities have been adequately addressed.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Follow Up
18	The DSA includes a statement that NWEH should only hold data in accordance with the consent material provided 5 years before and 2 years after diagnosis. All data outside this window should be securely deleted and evidence provided to NHS Digital by 31/7/2021. At the time of the audit, this has not been completed as NWEH was waiting for further data and should seek further guidance from the Data Access Request Service team.	Data Destruction	DSA, Annex A, Section 6 - Special Conditions	Follow Up
19	At the post audit review, the Audit Team will review the following: audit reports conducted on the Microsoft Azure platform documented procedures to support the management of privilege accounts.	Access Control		Follow Up

Supplementary notes

Note 1. NWEH is ISO 27001 certified.

Use of data

MSD and MFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

MSD, MFT and NWEH have confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
Microsoft Limited	England/ Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
Microsoft Limited	Cloud storage	7 days

Good practice

During the audit, the Audit Team noted the following area of good practice:

the PI was able to explain the benefits to health and social care that this study will have with RCC patients. This includes better understanding of the cost to the health economy and treatment patterns for these patients.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 13 January 2022 12:22 pm