
Data Sharing Remote Audit: University of Aberdeen

This report records the findings of a remote data sharing audit of the University of Aberdeen in April 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit at the University of Aberdeen (UoA) between 19 and 23 April 2021. It provides an evaluation of how the UoA conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-313306-V2W6S
  • the data sharing agreement (DSA) DARS-NIC-322051-S8N9N-v2.4

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2007/08 – 2010/11 |
| Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2004 – June 2017 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 2004 – June 2017 |
| HES – Admitted Patient Care | Identifiable, Non-sensitive | 2011/12 – 2019/20 |
| Demographics | Identifiable, Sensitive | Latest available release |

The UoA and the University of Oxford (UoO) are joint Controllers.

The Knee Arthroplasty Trial (KAT) was funded by the National Institute for Health Research (NIHR) Health Technology Assessment (HTA) programme in 1998, to examine the clinical effectiveness and cost-effectiveness of four aspects of knee replacement surgery. It is the largest randomised trial of knee replacement surgery ever undertaken, involving 2352 participants.

This report also considers whether the UoA conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information transfer
  • Access control
  • Data use and benefits
  • Risk management
  • Operational management and control
  • Data destruction

Restrictions: Access control - limited visibility of physical controls

As the DSA only allows the data supplied by NHS Digital to be processed at the UoA, the audit focussed predominantly on the controls maintained by this joint Controller. The UoO is responsible for producing the outputs from the aggregated data. 

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Low

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.


Data recipient’s acceptance statement

The UoA and UoO have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The UoA will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoA to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following table identifies the 2 agreement nonconformities, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.

| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | Data is being stored at locations not declared on the DSA. Both locations were UoA buildings. | Information Transfer | DSA, Annex A, Section 2 | Agreement nonconformity | |
| 2 | 2 individuals with access to the data supplied by NHS Digital have not completed their annual Information Governance training. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Agreement nonconformity | |
| 3 | The Controllers should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA. | Operational Management | | Opportunity for Improvement | |
| 4 | The UoA should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | | Opportunity for Improvement | |
| 5 | The UoA should log all requests to add or remove user access to NHS Digital data via the Service Desk tool, rather than relying on email trails in personal mailboxes. | Access Control | | Opportunity for Improvement | |
| 6 | The System Level Security Policy (SLSP) should include document version control and be reviewed annually, or whenever a change is made to the system. | Operational Management | | Opportunity for Improvement | |
| 7 | The Audit Team suggested that all appropriate teams within the UoA review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | | Opportunity for Improvement | |
| 8 | At the post audit review, the Audit Team will review the University’s revised approach to risk management, regarding updates to the corporate risk register and the associated risk criteria. | Risk Management | | Follow-up | |


Supplementary notes

No notes

Use of data

The UoA confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.

Data location

The UoA confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
|---|---|
| The UoA | UK |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| The UoA | Disk | 14 days |
| The UoA | Tape | 24 months |

Good practice

During the audit, the Audit Team noted the following area of good practice:

  • The UoA was able to clearly demonstrate the value the data supplied under this DSA has had towards influencing surgical practice. The results are one of the key sources for the American Academy of Orthopaedic Surgeons surgical management of osteoarthritis of the knee evidence-based clinical practice guidelines.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 March 2022 2:19 pm