Data Sharing Remote Audit: Oxford University Hospitals NHS Foundation Trust

This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust in August 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust (OUHNHSFT) between 23 and 27 August 2021. It provides an evaluation of how OUHNHSFT conforms to the requirements of both:

the data sharing framework contract (DSFC) CON-312001-X8W1Y v2.01
the data sharing agreement (DSA) DARS-NIC-135294-P7L0F-v2.2

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Medical Research Information Service (MRIS) – Flagging Current Status Report	Identifiable, Sensitive	September 2018 to March 2020
MRIS – Cohort Event Notification Report	Identifiable, Sensitive	September 2018 to March 2020
MRIS - Cause of Death Report	Identifiable, Sensitive	September 2018 to March 2020
Demographics	Pseudo/Anonymised, Sensitive	Latest available
Civil Registration - Deaths	Pseudo/Anonymised, Sensitive	Latest available

The Controller is OUHNHSFT and the Processor is the Nuffield Department of Primary Care Health Sciences (NDPCHS) within the Medical Sciences Division (MSD) at the University of Oxford (UoO).

Valvular heart disease (VHD) occurs when one or more valves does not form properly before birth (congenital) or if they are damaged (acquired) during life. In the developing world, infections such as rheumatic fever are still prevalent and can cause valve damage. In the UK and other developed countries, the most common cause of VHD is degeneration over time. The OxValve-Survive study reports on the survival rates of people in the OxValve cohort, with and without VHD.

This report also considers whether OUHNHSFT and NDPCHS conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.

Data recipient’s acceptance statement

OUHNHSFT and NDPCHS have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

OUHNHSFT and NDPCHS will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with OUHNHSFT and NDPCHS to confirm the findings have been satisfactorily addressed.

Findings

The following tables identify the 2 agreement nonconformities, 1 organisation nonconformity, 3 observations, and 10 opportunities for improvement raised as part of the audit.

OUHNHSFT

Ref	Finding	Link to area	Clause	Designation
1	Data are being stored at locations not declared on the DSA.	Information Transfer	DSA, Annex A, Section 2b	Agreement nonconformity
2	OUHNHSFT’s Data Security and Protection Toolkit (DSPT) submission is currently not fully met. A special condition stated in the DSA requires this to be rectified within the specified timeframe.	Operational Management	DSA, Annex A, Section 6	Observation
3	OUHNHSFT should consider whether a formal data processing agreement between the Controller and the Processor is required.	Operational Management		Opportunity for improvement
4	OUHNHSFT should consider defining the standard operating process for assessing when a Data Protection Impact Assessment (DPIA) is required.	Operational Management		Opportunity for improvement

NDPCHS

Ref	Finding	Link to area	Clause	Designation	Notes
5	NDPCHS does not maintain an up-to-date equipment asset register for equipment associated with data supplied by NHS Digital.	Operational Management	DSFC, Schedule 2 Section A, clause 4.7	Agreement nonconformity
6	NDPCHS is not adhering to key sections within the UoO Risk Management Policy.	Risk Management	UoO, Risk Management Policy	Organisation nonconformity
7	An access control review recently performed by NDPCHS did not challenge one account as having access to data supplied by NHS Digital. Through discussions it was identified that this person no longer required access and although the account was active, the person was technically unable to access the data.	Access Control	DSFC, Schedule 2, Section A, clause 4.1	Observation
8	The journal paper that was recently published in relation to the study described in the DSA did not include a sufficient acknowledgement to the source of the data as required by the DSFC. It is important that an appropriate acknowledgement is included in future publications, including those currently in draft.	Use and Benefits	DSFC, Part 2, clause 3.13	Observation
9	NDPCHS should undertake a risk assessment of the networking infrastructure between storage locations.	Risk Management		Opportunity for improvement
10	NDPCHS should consider providing risk management training, to ensure staff are aware of the processes for raising, recording and monitoring risks.	Risk Management		Opportunity for improvement
11	NDPCHS should update the Information Asset Register (IAR) in relation to the Information Asset Owner for the data supplied by NHS Digital.	Operational Management		Opportunity for improvement
12	NDPCHS should determine whether it has collected sufficient information to constitute a Record of Processing Activities (ROPA) for the data provided, as required by General Data Protection Regulations (GDPR). NDPCHS may also wish to define ROPA in its Privacy by Design Policy especially for those instances when it is not acting as Controller and therefore not completing a Data Protection Impact Assessment (DPIA).	Operational Management		Opportunity for improvement
13	The MSD should consider whether in future penetration test reports, the scope could be better defined in terms of inclusions and exclusions.	Access Control		Opportunity for improvement
14	NDPCHS should consider providing specialist training. For example, Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training.	Operational Management		Opportunity for improvement
15	NDPCHS should consider adding a footnote in its IT Asset Management policy to state that any removable storage devices which hold data provided by NHS Digital must be included in the equipment asset register.	Operational Management		Opportunity for improvement	1
16	The Audit Team suggested that all appropriate teams and stakeholders review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant.	Operational Management		Opportunity for improvement

Supplementary notes

Note 1. It should be noted that no data provided by NHS Digital was being held on removable storage devices and the use of removable storage devices for confidential data is not promoted.

Use of data

NDPCHS confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was only being linked with those datasets explicitly allowed in the DSA.

Data location

OUHNHSFT confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
OUHNHSFT	England & Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
MSD at UoO	Disk	Currently 1 year (6 months minimum according to available space)
MSD at UoO	Tape	90 days

Good practice

During the audit, the Audit Team noted the following area of good practice:

NDPCHS were able to clearly demonstrate the value the data supplied under this DSA has had towards researching survival rates of VHD.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 21 January 2022 9:07 am