Skip to main content

Data Sharing Remote Audit: Oxford University Hospitals NHS Foundation Trust

This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust in August 2021.  

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of Oxford University Hospitals NHS Foundation Trust (OUHNHSFT) between 23 and 27 August 2021. It provides an evaluation of how OUHNHSFT conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-312001-X8W1Y v2.01
  • the data sharing agreement (DSA) DARS-NIC-135294-P7L0F-v2.2

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Medical Research Information Service (MRIS) – Flagging Current Status Report Identifiable, Sensitive September 2018 to March 2020
MRIS – Cohort Event Notification Report Identifiable, Sensitive September 2018 to March 2020
MRIS - Cause of Death Report Identifiable, Sensitive September 2018 to March 2020
Demographics Pseudo/Anonymised, Sensitive Latest available
Civil Registration - Deaths Pseudo/Anonymised, Sensitive Latest available

 

The Controller is OUHNHSFT and the Processor is the Nuffield Department of Primary Care Health Sciences (NDPCHS) within the Medical Sciences Division (MSD) at the University of Oxford (UoO).

Valvular heart disease (VHD) occurs when one or more valves does not form properly before birth (congenital) or if they are damaged (acquired) during life. In the developing world, infections such as rheumatic fever are still prevalent and can cause valve damage. In the UK and other developed countries, the most common cause of VHD is degeneration over time. The OxValve-Survive study reports on the survival rates of people in the OxValve cohort, with and without VHD.

This report also considers whether OUHNHSFT and NDPCHS conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type Routine
Scope areas

Information transfer
Access control
Data use and benefits
Risk management
Operational management and control
Data destruction

Restrictions Access control - limited visibility of physical controls

 

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.


Data recipient’s acceptance statement

OUHNHSFT and NDPCHS have reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

OUHNHSFT and NDPCHS will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with OUHNHSFT and NDPCHS to confirm the findings have been satisfactorily addressed.


Findings

The following tables identify the 2 agreement nonconformities, 1 organisation nonconformity, 3 observations, and 10 opportunities for improvement raised as part of the audit. 

OUHNHSFT

Ref Finding Link to area Clause Designation Notes
1 Data are being stored at locations not declared on the DSA. Information Transfer DSA, Annex A, Section 2b Agreement nonconformity  
2 OUHNHSFT’s Data Security and Protection Toolkit (DSPT) submission is currently not fully met. A special condition stated in the DSA requires this to be rectified within the specified timeframe. Operational Management DSA, Annex A, Section 6 Observation  
3 OUHNHSFT should consider whether a formal data processing agreement between the Controller and the Processor is required. Operational Management   Opportunity for improvement  
4 OUHNHSFT should consider defining the standard operating process for assessing when a Data Protection Impact Assessment (DPIA) is required. Operational Management   Opportunity for improvement  

NDPCHS

Ref Finding Link to area Clause Designation Notes
5 NDPCHS does not maintain an up-to-date equipment asset register for equipment associated with data supplied by NHS Digital. Operational Management DSFC, Schedule 2 Section A, clause 4.7 Agreement nonconformity  
6 NDPCHS is not adhering to key sections within the UoO Risk Management Policy. Risk Management UoO, Risk Management Policy Organisation nonconformity  
7 An access control review recently performed by NDPCHS did not challenge one account as having access to data supplied by NHS Digital. Through discussions it was identified that this person no longer required access and although the account was active, the person was technically unable to access the data. Access Control DSFC, Schedule 2, Section A, clause 4.1 Observation  
8 The journal paper that was recently published in relation to the study described in the DSA did not include a sufficient acknowledgement to the source of the data as required by the DSFC. It is important that an appropriate acknowledgement is included in future publications, including those currently in draft. Use and Benefits DSFC, Part 2, clause 3.13 Observation  
9 NDPCHS should undertake a risk assessment of the networking infrastructure between storage locations. Risk Management
 
  Opportunity for improvement  

10

 

NDPCHS should consider providing risk management training, to ensure staff are aware of the processes for raising, recording and monitoring risks. Risk Management   Opportunity for improvement  
11 NDPCHS should update the Information Asset Register (IAR) in relation to the Information Asset Owner for the data supplied by NHS Digital. Operational Management   Opportunity for improvement  
12 NDPCHS should determine whether it has collected sufficient information to constitute a Record of Processing Activities (ROPA) for the data provided, as required by General Data Protection Regulations (GDPR). NDPCHS may also wish to define ROPA in its Privacy by Design Policy especially for those instances when it is not acting as Controller and therefore not completing a Data Protection Impact Assessment (DPIA). Operational Management   Opportunity for improvement  
13 The MSD should consider whether in future penetration test reports, the scope could be better defined in terms of inclusions and exclusions.  Access Control  

Opportunity for improvement

 
14 NDPCHS should consider providing specialist training. For example, Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training. Operational Management  

Opportunity for improvement

 
15

NDPCHS should consider adding a footnote in its IT Asset Management policy to state that any removable storage devices which hold data provided by NHS Digital must be included in the equipment asset register. 

Operational Management  

Opportunity for improvement

1
16

The Audit Team suggested that all appropriate teams and stakeholders review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant.

Operational Management  

Opportunity for improvement

 

Supplementary notes

Note 1.    It should be noted that no data provided by NHS Digital was being held on removable storage devices and the use of removable storage devices for confidential data is not promoted.

Use of data

NDPCHS confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was only being linked with those datasets explicitly allowed in the DSA.  

Data location

OUHNHSFT confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table.  These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation Territory of use
OUHNHSFT England & Wales

 

Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
MSD at UoO Disk  Currently 1 year (6 months minimum according to available space)
MSD at UoO Tape 90 days

 

Good practice

During the audit, the Audit Team noted the following area of good practice:

  • NDPCHS were able to clearly demonstrate the value the data supplied under this DSA has had towards researching survival rates of VHD.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 21 January 2022 9:07 am