
NHS Digital Post Audit Review: University Hospital Bristol NHS Foundation Trust and the University of Bristol

This report provides an update on progress of the remote data sharing audit of the University Hospital Bristol NHS Foundation Trust and the University of Bristol in February 2020.

Audit summary

This report provides an update on progress of the remote data sharing audit of the University Hospital Bristol NHS Foundation Trust (UHBFT) and the University of Bristol (UoB) between 25 and 27 February 2020 against the requirements of both:

  • the data sharing framework contracts (DSFC): 
    • CON-313966-Y9B5S (UHBFT) 
    • CON-304765-H4P3X (UoB)
  • the data sharing agreement (DSA): NIC-147901-2XMLG-v1.15

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available
MRIS - Flagging Current Status Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available
MRIS - Cause of Death Report | Identifiable, Sensitive | Historic held (August 2011 - April 2019) plus latest available

The Joint Controllers are the UHBFT and the UoB.

In April 2020, the UHBFT merged with Weston Area Health NHS Trust to form University Hospitals Bristol and Weston NHS Foundation Trust. In this report, we will continue to reference the Trust as UHBFT.

Following a post audit review conducted in March 2021, 2 agreement nonconformities, 1 organisation nonconformity, 2 opportunities for improvement and 1 point for follow-up remained open.

Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UHBFT between July and November 2021. There was also a video call with the UHBFT in July 2021. 

Post audit review outcome

Based on the evidence, the Audit Team has found that the UHBFT has not suitably addressed the findings. 1 agreement nonconformity, 1 opportunity for improvement and 1 point for follow-up remain open and require further review by the Audit Team. The UHBFT is therefore required to update its action plan to align with this post audit review report.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following shows the risk assigned in the original audit, the risk assigned in the previous post audit review, and the risk assigned in this post audit review.

Original risk statement: High

Previous risk statement: Medium

Current risk statement: Medium


Data recipient’s acceptance statement

The UHBFT and the UoB have reviewed this report and confirmed that it is accurate. 


Status

The following tables identify the 7 agreement nonconformities, 4 organisation nonconformities, 4 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

Findings 2 - 4, 7 - 9, 11, 13, 15 and 16 were closed as part of the post audit review conducted in March 2021. 

UHBFT

Ref 1
Finding: The UHBFT has not mitigated against identified critical and high findings from a security report in a timely manner.
Link to area: Access Control
Update: A new security test was planned for the end of August 2021 with a report expected to be available in September 2021. However, due to the pandemic, this test has been delayed and is now expected to be completed in early 2022.
Designation: Agreement nonconformity
Status: Open

Ref 2
Finding: Data supplied by NHS Digital is being stored at a secondary location not declared on the DSA. This location is a data centre owned and located at the UHBFT. It should be noted that the primary location was declared in the DSA.
Link to area: Information Transfer
Update: The DSA has been updated with a secondary storage location. A copy of the updated DSA was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: There is no regular review of user access for the folder holding data supplied under the DSA. Furthermore, the Audit Team found that a legacy administration group had access to the folder for IT administration purposes; however, this access was no longer required. It should be noted that the files that contain the data are password protected, with a password that is not known by the IT teams.
Link to area: Access Control
Update: The UHBFT stated that a system of regular checks has now been set up and a log is maintained of when the checks took place and any issues identified. A copy of the log was provided to the Audit Team. A review of the admin groups and group members was carried out on 25 January 2021 by the UHBFT to confirm that it met the IT operational requirements. No issues were identified. An email was supplied to the Audit Team to support this statement.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: The portable encrypted drive used to transfer data between the UHBFT and the UoB was not listed on an equipment asset register.
Link to area: Access Control
Update: The UHBFT reported that the portable encrypted drive has now been recorded on the IT asset register. A screenshot of the asset register showing the encrypted drives used to transfer the data was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 5
Finding: The UHBFT has not carried out a formal risk assessment of the physical access controls at the Trust's data centres.
Link to area: Access Control
Update: The Trust has completed a risk assessment which covers both UHBFT data centres. A copy of the risk assessment was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 6
Finding: The file storage system holding the data supplied under the DSA has not been patched since September 2019. Patches have been released by the manufacturer since that date; however, these have not been applied. There has been no risk assessment to determine whether these should be applied in line with Trust policy.
Link to area: Access Control
Update: The file storage system has been updated and had the latest patch installed at the time of the interview. A screenshot was supplied to the Audit Team to support this. The Trust also plans to introduce an assessment process for patches.
Designation: Organisation nonconformity
Status: Closed

Ref 7
Finding: The desktop computers used to access data supplied by NHS Digital are not encrypted as required by Trust policy.
Link to area: Access Control
Update: The UHBFT stated that the desktop computers used by the Head and Neck 5000 team had been encrypted. Screenshots of the Windows BitLocker settings on the desktop computers were supplied to the Audit Team.
Designation: Organisation nonconformity
Status: Closed

Ref 8
Finding: The Trust has a Training Needs Analysis for specialist information governance (IG) training; however, this is not being followed for Information Asset Owners (IAO) or Information Asset Administrators (IAA). The Audit Team noted that there was an entry in the Information Risk Register which identified this issue, with a remedial action to develop bespoke training for these roles.
Link to area: Operational Management
Update: The IAO and IAA have completed specialist role-based training using the NHS IAO Guidance handbook. The training was completed in November and December 2020. Training records for these roles were supplied to the Audit Team. The UHBFT reported that further bespoke training for these roles is still being arranged; however, this has been delayed due to the Trust's Covid-19 pandemic response.
Designation: Organisation nonconformity
Status: Closed

Ref 9
Finding: The Information Asset Register (IAR) is not being suitably updated. The IAR indicated that no Data Privacy Impact Assessment (DPIA) had been completed; however, a DPIA had been completed and approved by the Data Protection Officer (DPO) in January 2020.
Link to area: Operational Management
Update: The UHBFT stated that the IAR entry for Head and Neck 5000 has been updated and a regular quarterly check of the entry has been set up. A screenshot of the IAR showing that the DPIA has been completed was supplied to the Audit Team.
Designation: Organisation nonconformity
Status: Closed

Ref 10
Finding: The UHBFT should consider conducting regular reviews of who has access to the data centre where data supplied under the DSA is held, and this review should be documented. Currently, this review is carried out on an ad-hoc basis and is not documented.
Link to area: Access Control
Update: A review of access was carried out by the UHBFT in October 2020, January 2021 and April 2021. This review is carried out every 3 months. A copy of the log to support the reviews and the process notes were seen by the Audit Team during a video conference call in July 2021.
Designation: Opportunity for Improvement
Status: Closed

Ref 11
Finding: The UHBFT should consider carrying out a sample check to confirm that the degauss process for Hard Disk Drives (HDD) has been successful. HDDs are removed from end of life machines and then degaussed before they are provided to a disposal contractor for destruction. The Audit Team noted that there is no verification check to confirm that the degaussing has been successful.
Link to area: Data Destruction
Update: The UHBFT reported that the HDD destruction process has changed, and the Trust no longer degausses HDDs. The Trust is now using wiping software to wipe the hard drives. A screenshot of the wiping report was provided to the Audit Team.
Designation: Opportunity for Improvement
Status: Closed

Ref 12
Finding: The arrangement between the UoB and the UHBFT as Joint Controllers was set up in the current DSA. Both parties should consider the guidance on Joint Controller arrangements available on the Information Commissioner's Office website.
Link to area: Operational Management
Update: The Joint Controller agreement is still under discussion. The UHBFT stated that there has been a slight delay due to a change of staff.
Designation: Opportunity for Improvement
Status: Open

Ref 13
Finding: The Trust should establish a mechanism that clearly demonstrates how the risks identified in the DPIA have been actioned and mitigated.
Link to area: Operational Management
Update: The UHBFT has updated the DPIA workbook, which now includes a more detailed risk section and details of mitigations. A copy of the UHBFT DPIA Workbook v2.0 was supplied to the Audit Team.
Designation: Opportunity for Improvement
Status: Closed

Ref 14
Finding: The password policy documented in the Trust policy does not currently align with the attributes enforced by the system, due to limitations within the system. There is ongoing work to address this, including updating the documented password policy and the supporting systems to allow system-enforced changes.
Link to area: Access Control
Update: The UHBFT reported that the domain controller has been updated; however, the Audit Team has not seen any evidence to support this. At the next post audit review, the Audit Team will check that the system-enforced attributes are aligned to the documented password policy.
Designation: Follow-up
Status: Open

 

UoB

Ref 15
Finding: The IAR does not include the data assets supplied under the DSA.
Link to area: Operational Management
Update: The data supplied under the DSA has been added to the local IAR while a wider approach is determined. A copy of the IAR was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 16
Finding: No DPIA screening has been completed for the data supplied under the DSA.
Link to area: Operational Management
Update: A DPIA for the Head and Neck 5000 study has been completed. A copy of the UoB DPIA was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

 


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 February 2022 11:45 am