NHS Digital Data Sharing Remote Audit: Liverpool Heart and Chest NHS Foundation Trust

This report records the key findings of a remote data sharing audit of the Liverpool Heart and Chest NHS Foundation Trust and the University Hospital Southampton NHS Foundation Trust in December 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the Liverpool Heart and Chest NHS Foundation Trust (LHCFT) and the University Hospital Southampton NHS Foundation Trust (UHSFT) between 7 and 14 December 2021. It provides an evaluation of how the LHCHT and the UHSFT conform to the requirements of:

the data sharing framework contracts (DSFC)
- CON-317153-H1H47 (LHCHT)
- CON-321802-G4C6W (UHSFT)
the data sharing agreement (DSA) DARS-NIC-303379-H4C8H v0.6

This DSA covers the provision of the following datasets:

Dataset	Classification of Data	Dataset period
Bridge file: Hospital Episode Statistics (HES) to Diagnostic Imaging Dataset	Identifiable, Non-sensitive	Historic Data Request
HES Admitted Patient Care	Identifiable, Non-sensitive	2016/17 - 2019/20_M11
HES Critical Care	Identifiable, Non-sensitive	2016/17 - 2019/20_M11
HES Outpatients	Identifiable, Non-sensitive	2016/17 - 2019/20_M11
HES Accident and Emergency	Identifiable, Non-sensitive	2016/17 - 2019/20_M11
Diagnostic Imaging Dataset	Identifiable, Non-sensitive	1Historic Data Request
HES: Civil Registration (Deaths) bridge	Identifiable, Non-sensitive	Latest available
Civil Registration (Deaths) - Secondary Care Cut	Identifiable, Sensitive	Historic Data Request

The joint Controllers are the LHCFT and the UHSFT. As all the processing and storage of data is conducted by the LHCFT, the audit focussed predominantly on the controls maintained by this joint Controller. The UHSFT does not receive, process, or store any data, but the Chief investigator is employed by this Trust. The UHSFT is the Sponsor and primary source of funding for the research project RIPCORD2.

RIPCORD 2 is randomised controlled trial across 17 percutaneous coronary intervention centres in the UK. The data was requested to assess the feasibility and management impact of routine assessment of fractional flow reserve in patients undergoing angiography for diagnosis and management of stable chest pain. The trial involves a cohort of 1,100.

This report also considers whether LHCFT conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.0

Audit type and scope

Audit type	Routine
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

The LHCFT and the UHSFT have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The LHCFT and the UHSFT will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the LHCFT and the UHSFT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings

Findings

The following tables identify the 7 agreement nonconformities, 2 organisation nonconformities, 2 observations, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.

In addressing a finding the data recipient must take account of any referenced supplementary notes.

LHCFT

Ref	Finding	Link to area	Clause	Designation	Notes
1	A third-party data centre, not declared on the DSA, is being used to store the data supplied by NHS Digital. The hardware in the datacentre is, however, owned by the LHCFT.	Information Transfer	DSA, Annex A, Section 2b	Agreement nonconformity
2	The file containing the data supplied by NHS Digital is not encrypted. The DSA states this file will be encrypted.	Access Control	DSA, Annex A, Section 5b	Agreement nonconformity
3	The LHCFT has not included the data received from NHS Digital on an Information Asset Register (IAR), nor has the LHCFT clearly identified the Information Asset Owner (IAO).	Operational Management	DSFC, Schedule 2, Section A, Clause 3.2	Agreement nonconformity
4	Although the LHCFT stated the findings from the recent security testing had been addressed, there was no evidence to show findings were actively managed and addressed.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
5	The LHCFT has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA.	Operational Management	DSFC, Schedule 3, General Data Protection Regulation (GDPR)	Agreement nonconformity
6	Data in transit between the processing and storage locations is not encrypted as required by the DSFC. LHCFT stated that data is transferred on a dedicated network from the primary data centre to the secondary (disaster recovery) data centre.	Information Transfer	DSFC, Schedule 2, Section A, Clause 4.6	Agreement nonconformity	1
7	There was no evidence to show that access to the folders holding data supplied by NHS Digital is reviewed on a regular basis.	Access Control	DSFC, Schedule 2, Section A, Clause 4.1 LHCFT, Security Standard 11 – User Access Control/Password Policy, section viii.	Agreement nonconformity
8	The Data Protection Impact Assessment (DPIA) states that the scope of the data processing will also include mental health related hospital admissions. However, the DSA does not include the provision of any mental health datasets. LHCFT should also consider updating the DPIA with appropriate version control and dates.	Operational Management	LHCFT, DPIA template, 20180622, v0.4	Organisation nonconformity
9	Data held by the LHCFT are not being classified in accordance with the document classification types, which define the required controls.	Operational Management	LHCFT, ISMS, Security Standard 2, Security Control of Assets Policy	Organisation nonconformity
10	The LHCFT did not meet all the Data Security Protection Toolkit (DSPT) requirements in its recent submission but is working towards full compliance.	Operational Management	DSA section 6, Special Conditions	Observation
11	The LHCFT should consider developing a backup Standard Operating Procedure (SOP) and a vulnerability assessment SOP. These processes are in place but not documented.	Access Control		Opportunity for improvement
12	The LHCFT should consider implementing an alert functionality when administration or privileged rights have been granted.	Access Control		Opportunity for improvement
13	The appointed IAO should consider completing specialist IAO training.	Operational Management		Opportunity for improvement
14	The LHCFT should consider carrying out a risk assessment on the unencrypted desktop PCs used to access and process the data as there is a risk that temporary files could be cached on the machines	Operational Management		Opportunity for improvement
15	At the post audit review, the Audit Team will assess whether the anomalies identified during the reconciliation process for the disposal and destruction of hardware assets have been addressed.	Data Destruction		Follow-up

UHSFT

Ref	Finding	Link to area	Clause	Designation	Notes
16	In its recent submission the UHSFT has not met all the DSPT requirements.	Operational Management	DSA section 6, Special Conditions	Observation
17	The UHSFT as a joint Controller should consider reviewing and counter signing the DPIA completed by the LHCFT.	Operational Management		Opportunity for improvement

Supplementary notes

Note 1 - One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent) and this should be submitted to the Data Access Request Service (DARS) team. If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by the LHCFT, then the link need not be encrypted. NHS Digital reserves the right to review this assessment.

Use of data

The LHCFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and was only being linked with those datasets explicitly allowed in the DSA.

Data location

The LHCFT confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
LHCFT	England / Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
LHCFT	Disk	12 months

Good Practice

During the audit, the Audit Team noted the following area of good practice:

the LHCFT showed their presentation slides used at a recent International Cardiology Conference which clearly demonstrates the benefits of the data received and processed.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 February 2022 11:41 am