| Ref | Finding | Domain | Action taken and evidence at post-audit review | Finding type | Status |
|---|---|---|---|---|---|
| 1 | Data supplied by NHS Digital, which are stored in England, were accessed by 4 GSK data analysts based in North America. Such access is outside the territory of use (England and Wales) declared in the DSA. GSK stated that access to the data was removed for the data analysts in North America during the audit. | Use and Benefits | GSK confirmed that access for the 4 GSK data analysts based in North America was revoked on 20 August 2021, and access is now restricted to 4 users based in England and Wales. GSK is now carrying out regular checks to confirm the list of users with access to the data. GSK supplied screenshots of the user access list before and after the users were revoked, and copies of reports confirming that checks took place in September 2021, December 2021 and January 2022. | Agreement nonconformity | Closed |
| 2 | Data supplied by NHS Digital are being processed and stored at locations not declared in the DSA. These locations are GSK sites in England. | Information Transfer | GSK informed DARS of the missing locations by email on 2 September 2021. The Audit Team confirmed via the DARS system that the missing processing and storage locations had been added to the DSA (DARS-NIC-297783-V4P6H-v2.2). | Agreement nonconformity | Closed |
| 3 | Data in transit between the processing and storage locations are not encrypted as required by the DSFC. GSK reported that the transit is via GSK's private network. | Information Transfer | GSK has updated its operational process so that files containing data supplied by NHS Digital are always encrypted and only decrypted at the processing workstation where they will be analysed, thereby ensuring the data are encrypted in transit. GSK confirmed that the data on the workstation are not backed up. | Agreement nonconformity | Closed |
| 4 | The Audit Team found that some staff with access to the data had not completed annual data protection training within the last 12 months, as required by the DSFC. | Operational Management | GSK confirmed that the 4 users with access to the data completed the data protection training in January 2022. The training material and associated training records were seen by the Audit Team. | Agreement nonconformity | Closed |
| 5 | Issues identified by vulnerability scanning of the infrastructure holding data supplied by NHS Digital were not being resolved in a reasonable timescale, and were not being handled in line with GSK's policy on vulnerability management. | Access Control | GSK confirmed that it had completed a root cause analysis, and details of the action taken were provided to the Audit Team. A rescan was conducted by GSK in April 2022. The results and the supporting action plan were shared with the Audit Team. | Agreement nonconformity | Closed |
| 6 | GSK does not have a coherent Information Asset Register (IAR) covering the data types set out in the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | GSK has created a data asset register which includes details of the data assets supplied under this DSA. A copy of the register was shared with the Audit Team. | Agreement nonconformity | Closed |
| 7 | The firmware on the network file storage server had not been updated to the latest version because the hardware was scheduled for replacement. A risk assessment was shared with the Audit Team; however, it did not cover the network file storage to an adequate level of detail, and the risk had been closed even though the server had not been updated. | Access Control | GSK confirmed that the firmware on the network file storage had been upgraded. A screenshot of the new version was supplied to the Audit Team. | Organisation nonconformity | Closed |
| 8 | GSK confirmed that it will not be able to deliver the outputs defined in the DSA unless it renews the DSA by 19 October 2021. At the time of the audit, GSK had not taken any steps to renew the DSA. | Use and Benefits | GSK stated that the DSA was renewed in October 2021. The Audit Team checked the DARS system in February 2022 and confirmed that the DSA (DARS-NIC-297783-V4P6H-v2.2) had been renewed. | Observation | Closed |
| 9 | There is a mismatch between the definitions of 'manipulated data' in the Data Protection Impact Assessment (DPIA) and the DSFC, which could lead to NHS Digital data being disseminated outside the scope of the DSA. GSK updated the wording in the DPIA to 'aggregated / summarised' during the audit. | Operational Management | GSK had updated the wording in the DPIA to 'aggregated / summarised' during the original audit in August 2021. | Observation | Closed |
| 10 | GSK should include the Intrepid study in its future internal audit programme to ensure it is fully compliant with the requirements of the DSFC and DSA. | Operational Management | GSK has considered this finding and decided to reject it. GSK stated that it uses a risk rating process to assess all clinical studies in order to identify those where an audit would be warranted; this data assessment study was not selected for audit. However, GSK stated that future studies similar in nature will be considered for local management monitoring, which is a self-assessment activity undertaken by the business owner. | Opportunity for improvement | Rejected |
| 11 | GSK should disable the ability to add local drives in the Microsoft Remote Desktop Protocol (RDP) session for staff with access to the data. | Access Control | GSK confirmed that the ability to add local drives in the Microsoft Remote Desktop Protocol session had been disabled. A screenshot of the configuration settings supporting this change was provided to the Audit Team. | Opportunity for improvement | Closed |
| 12 | GSK should create a risk register for this study, if the DSA is renewed, to capture ongoing risks including those identified during discussions with the Processor. | Risk Management | GSK has developed a risk register for the study and confirmed that it plans to maintain and review the risks on a regular basis. A copy of the risk register was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 13 | GSK should consider developing procedures, or enhancing existing documentation, to cover electronic data destruction where the media is not going to be physically destroyed, for example on a targeted area of a file server or Storage Area Network (SAN), to ensure the data are permanently deleted. | Data Destruction | GSK does not plan to develop further procedures. However, GSK stated that the business owner will be responsible for determining the method by which data are permanently deleted electronically, and how this will be documented in line with the latest guidance from DARS at the end of the study. This will be in line with the requirements of the DSFC and DSA. | Opportunity for improvement | Closed |
| 14 | At the post-audit review, the Audit Team will look at procedures to support data deletion following withdrawal of consent. | Operational Management | GSK shared details of its withdrawal-of-consent process and was able to walk through the process during a video call. | Follow up | Closed |
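Finding 11 was closed on the strength of a screenshot; an auditor or system owner can instead verify the setting directly on the Remote Desktop Session Host. The following PowerShell check is an added example, not GSK's or NHS Digital's code: it reads the Group Policy and per-listener registry values that control RDP drive redirection (`fDisableCdm`, 1 = client drive mapping disabled) and reports whether the control is in place, optionally setting the policy value. It assumes local administrator rights on the host and the default `RDP-Tcp` listener.

```powershell
# Added example: audit (and optionally enforce) the "Do not allow drive
# redirection" control for Remote Desktop sessions. Not GSK's configuration.
# fDisableCdm = 1 means client drive mapping is disabled for RDP sessions.
# Assumes local administrator rights on the RDP session host (default RDP-Tcp listener).
function Test-RdpDriveRedirection {
    [CmdletBinding()]
    param(
        # Set the Group Policy value to 1 if it is missing or not 1.
        [switch]$Enforce
    )
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Read a DWORD value, returning $null if the key or value is absent.
    function Get-DwordOrNull([string]$Path, [string]$Name) {
        try {
            return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
        } catch { return $null }
    }

    $policyValue   = Get-DwordOrNull $policyKey   'fDisableCdm'
    $listenerValue = Get-DwordOrNull $listenerKey 'fDisableCdm'

    if ($Enforce -and $policyValue -ne 1) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name 'fDisableCdm' -PropertyType DWord `
            -Value 1 -Force | Out-Null
        $policyValue = 1
    }

    # The Group Policy value takes precedence when set; otherwise the
    # listener's own setting applies.
    $effectiveDisabled = if ($null -ne $policyValue) { $policyValue -eq 1 }
                         else { $listenerValue -eq 1 }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyValue      = $policyValue
        ListenerValue    = $listenerValue
        DriveRedirection = if ($effectiveDisabled) { 'Disabled' } else { 'Enabled' }
        Compliant        = $effectiveDisabled
        CheckedAt        = (Get-Date).ToString('s')
    }
}

# Audit-only run; add -Enforce to apply the policy value on a non-compliant host.
Test-RdpDriveRedirection | Format-List
```

Running the audit-only form from a scheduled task and keeping its output gives the kind of dated evidence record the post-audit review asked for in findings 1 and 11.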