NHS Digital Data Sharing Remote Audit: University of Manchester

This report records the key findings of a remote data sharing audit of the University of Manchester in February 2022.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the University of Manchester (UoM) where the interviews were conducted between 21 and 25 February 2022. It provides an evaluation of how the UoM conforms to the requirements of:

the data sharing framework contracts (DSFC)
- CON-326191-T0T6B (UoM)
- CON-240079-Q7Y0S (British Society for Rheumatology)
the data sharing agreement (DSA) DARS-NIC-148353-G88Q7-v3.2

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Medical Research Information Service (MRIS) - Members and Posting report	Identifiable, Sensitive	January 2003 - March 2020
MRIS - Flagging Current Status report	Identifiable, Sensitive	January 2003 - March 2020
MRIS - Cohort Event Notification Report	Identifiable, Sensitive	January 2003 - March 2020
MRIS - Cause of Death Report	Identifiable, Sensitive	January 2003 - March 2020
Demographics	Identifiable, Sensitive	Latest available
Civil Registration - Deaths	Identifiable, Sensitive	Latest available
Cancer Registration Data	Identifiable, Sensitive	Latest available

The Joint Controllers are the UoM and the British Society for Rheumatology (BSR). All the data processing is undertaken by the UoM; the BSR does not have any access to the data. As a result, the audit focussed on the controls at the UoM.

The UoM uses the data from NHS Digital to enhance the data already captured in the BSR Biologics Register for Rheumatoid Arthritis (BSRBR-RA). This is a long-term observational study to monitor the safety of new biologic and targeted therapies prescribed for rheumatoid arthritis in routine healthcare, specifically to understand if these new drugs increase the risks of developing cancer or premature death above the expected risks in a population with similar disease characteristics not receiving these therapies.

This report also considers whether the UoM conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

The UoM has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The UoM will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoM to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

Findings

The following tables identify the 4 agreement nonconformities, 1 organisation nonconformity, 1 observation, 4 opportunities for improvement and 1 point for follow-up raised as part of the audit.

UoM

Ref	Finding	Link to area	Clause	Designation
1	There is no coherent Information Asset Register (IAR) to cover the data supplied under the DSA. Instead, information is spread across different documents.	Operational Management	DSFC, Schedule 2, Section A, Clause 3.2	Agreement nonconformity
2	There was no evidence to show that user permissions to the network folder holding NHS Digital data had been reviewed on a regular basis, nor was there any evidence of privilege access reviews being conducted in accordance with UoM documentation.	Access Control	DSFC, Schedule 2, Section A, Clause 4.1 UoM, Investigator Agreement for the use of Personnel Information and Confidential Data, July 2021 UoM, Password Technical Security Standard, v1.8, August 2021, clause 4.2.4	Agreement nonconformity
3	The UoM has not completed a Data Protection Impact Assessment (DPIA) for the Data Safe Haven.	Operational Management	DSFC, Schedule 3, General Data Protection Regulation (GDPR)	Agreement nonconformity
4	The UoM is not undertaking certain compliance checks prescribed in its documentation.	Operational Management	For example: UoM, Data Protection Policy, v1.9, December 2017 UoM, Training Needs Analysis, v6.0, June 2021, clause 3 UoM, Information Security Classification, Ownership and Secure Information Handling Standard Operating Procedure, v1.3, March 2020, clause 4.2	Organisation nonconformity
5	A number of policies and procedures have not been reviewed within their expected timescales. The UoM recognised that these reviews had been delayed due to the pandemic but were now tracking those that require updating.	Operational Management	For example: UoM, Information Security and Data Protection Incident Reporting Standard Operating Procedure, v1.4, January 2018 UoM, Records Management Policy, v1.5, December 2018 UoM, Risk Assessment Standard Operating Procedure, v3.0, June 2019	Observation
6	The Audit Team suggested that the UoM review the naming convention for the Data Safe Haven platform and update relevant documentation where appropriate.	Operational Management		Opportunity for improvement
7	The UoM may wish to increase the backup retention period for the data supplied by NHS Digital to 28 days and reflect this on any future certificate of destruction.	Operational Management		Opportunity for improvement
8	The Audit Team suggested that Terms of Reference for the Data Safe Haven Operations Group be developed.	Operational Management		Opportunity for improvement
9	As part of future reviews, the UoM should ensure certain statements in the Data Safe Haven System Level Security Policy (SLSP) and BSRBR-RA standard operating procedures are corrected.	Operational Management		Opportunity for improvement
10	At the post audit review, the Audit Team will review the progress on closing the findings from the last security assessment.	Access Control		Follow-up

BSR

Ref	Finding	Link to area	Clause	Designation
11.	The BSR had not completed and submitted a Data Security Protection Toolkit (DSPT) assessment in the requested timeframe.	Operational Management	DSA, Annex A, Clause 1b	Agreement nonconformity

Use of data

The UoM confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The UoM confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
UoM	England / Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
UoM	Disk	14 days

Good Practice

During the audit, the Audit Team noted the following areas of good practice:

the UoM and the Study Team have developed a wide-ranging set of documentation to facilitate governance of their practices
the UoM was able to clearly demonstrate the value of the data supplied under this DSA has had towards benefitting the provision of health and social care in England.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 24 April 2022 4:41 pm