NHS Digital Post Audit Review: GlaxoSmithKline

This report provides the formal closure of the remote data sharing audit of GlaxoSmithKline in August 2021

Audit summary

This report provides the formal closure of the remote data sharing audit of GlaxoSmithKline (GSK) between 9 and 19 August 2021 against the requirements of both:

the data sharing framework contract (DSFC) CON-329103-F4Y8W
the data sharing agreement (DSA) DARS-NIC-297783-V4P6H-v0.15

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Hospital Episode Statistics (HES) - Admitted Patient Care	Pseudo/Anonymised, Non-sensitive	2017/18 - 2019/20
HES - Outpatients	Pseudo/Anonymised, Non-sensitive	2017/18 - 2019/20
HES - Accident and Emergency	Pseudo/Anonymised, Non-sensitive	2017/18 - 2019/20
HES - Critical Care	Pseudo/Anonymised, Sensitive	2017/18 - 2019/20

The Controller is GSK, and the Processors are Ignite Data Limited (Ignite) and Microsoft Limited. Microsoft supplies cloud storage services to Ignite.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by GSK and Ignite between January and April 2022. A video call to review some of the evidence was held in April 2022.

Post audit review outcome

GSK requested that Ignite delete its copy of the data supplied by NHS Digital to comply with data minimisation requirements. As a result, there was no need to address findings assigned to Ignite as the data had been permanently destroyed and a completed certificate of destruction provided to the Data Access Review Service (DARS) team. The certificate has been approved by DARS.

The findings in the original report may be subject to further review by NHS Digital if Ignite are reengaged as a Processor under this DSA.

Based on the evidence provided by GSK and Ignite, the Audit Team has closed 25 out of 26 findings. One of the findings classified as an opportunity for improvement was rejected. Therefore, no further action is required by the Audit Team and GSK.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: High

Current risk statement: Low

Data recipient’s acceptance statement

GSK and Ignite have reviewed this report and confirmed that it is accurate.

Status

The following tables identify the 10 agreement nonconformities, 3 organisation nonconformities, 3 observations, 8 opportunities for improvement and 2 follow up items raised as part of the original audit.

GSK

Ref	Finding	Link to area	Update	Designation	Status
1	Data supplied by NHS Digital, which are being stored in England, was accessed by 4 GSK data analysts based in North America. Such access is outside the territory of use (England and Wales) declared in the DSA. GSK stated that access to the data was removed for the data analysts in North America during the audit.	Use and Benefits	GSK confirmed that access for the 4 GSK data analysts based in North America was revoked on 20 August 2021, and access is now restricted to 4 users based in England and Wales. GSK is now carrying out regular checks to confirm the list of users with access to the data. GSK supplied screenshots of the user access list before and after the users were revoked, and copies of reports to confirm checks took place in September 2021, December 2021, and January 2022.	Agreement nonconformity	Closed
2	Data supplied by NHS Digital are being processed and stored at locations not declared in the DSA. These locations are GSK sites in England.	Information Transfer	GSK informed DARS of the missing locations by email on 2 September 2021. The Audit Team confirmed via the DARS system the missing processing and storage locations had been added to the DSA (DARS-NIC-297783-V4P6H-v2.2).	Agreement nonconformity	Closed
3	Data in transit between the processing and storage locations is not encrypted as required by the DSFC. GSK reported that the transit is via GSK’s private network.	Information Transfer	GSK has updated its operational process, so that files containing data supplied by NHS Digital are always encrypted and only decrypted at the processing workstation where it will be analysed, thereby ensuring the data is encrypted in transit. GSK confirmed that the data on the workstation is not backed up.	Agreement nonconformity	Closed
4	The Audit Team found that some staff with access to the data had not completed annual data protection training within the last 12 months as required by the DSFC.	Operational Management	GSK confirmed that the 4 users with access to the data completed the data protection training in January 2022. The training material and associated training records were seen by the Audit Team.	Agreement nonconformity	Closed
5	Issues that had been identified by vulnerability scanning for the infrastructure holding data supplied by NHS Digital were not being resolved in a reasonable timescale, and also were not in line with GSK’s policy on vulnerability management.	Access Control	GSK confirmed that it had completed a root cause analysis and details were provided to the Audit Team on the action taken. A rescan was conducted by GSK in April 2022. The results and the supporting action plan were shared with the Audit Team.	Agreement nonconformity	Closed
6	GSK does not have a coherent Information Asset Register (IAR) which covers the data types as per the DSA. Instead, information specific to the DSA datasets is spread across different documents.	Operational Management	GSK has created a data asset register which includes details of the data assets supplied under this DSA. A copy of the register was shared with the Audit Team.	Agreement nonconformity	Closed
7	The firmware on the file network storage server had not been updated to the latest version due to the hardware being scheduled for replacement. A risk assessment was shared with the Audit Team, however, it did not cover the file network storage to an adequate level of detail and the risk had been closed, even though the server had not been updated.	Access Control	GSK confirmed that the firmware on the file network storage had been upgraded. A screenshot of the new version was supplied to the Audit Team.	Organisation nonconformity	Closed
8	GSK confirmed that it will not be able to deliver the outputs defined in the DSA unless it renews the DSA by 19 October 2021. At the time of the audit, GSK had not taken any steps to renew the DSA.	Use and Benefits	GSK stated that the DSA was renewed in October 2021. The Audit Team checked the DARS system in February 2022 and confirmed the DSA (DARS-NIC-297783-V4P6H-v2.2) had been renewed.	Observation	Closed
9	There is a mismatch in the definition of ‘manipulated data’ in the Data Protection Impact Assessment (DPIA) and the DSFC, which could lead to NHS Digital data being disseminated outside the scope of the DSA. GSK updated the wording in the DPIA to ‘aggregated / summarised’ during the audit.	Operational Management	GSK had updated the wording in the DPIA to ‘aggregated / summarised’ during the original audit in August 2021.	Observation	Closed
10	GSK should include the Intrepid study in its future internal audit programme to ensure it is fully compliant with the requirements of the DSFC and DSA.	Operational Management	GSK has considered this finding and after consideration has decided to reject it. GSK stated that it uses a risk rating process to assess all clinical studies in order to identify those studies where an audit would be warranted. This data assessment study was not selected for audit. However, GSK stated future studies similar in nature will be considered for local management monitoring which is a self-assessment activity undertaken by the business owner.	Opportunity for improvement	Rejected
11	GSK should disable the ability to add local drives in the Microsoft Remote Desktop Protocol (RDP) session for staff with access to the data.	Access Control	GSK confirmed that the ability to add local drives in the Microsoft Remote Desktop Protocol session had been disabled. A screenshot of the configuration settings to support this change was provided to the Audit Team.	Opportunity for improvement	Closed
12	GSK should create a risk register for this study if the DSA is renewed to capture ongoing risks including those identified during discussions with the Processor.	Risk Management	GSK has developed a risk register for the study, and confirmed it plans to maintain and review the risks on a regular basis. A copy of the risk register was supplied to the Audit Team.	Opportunity for improvement	Closed
13	GSK should consider developing procedures or enhancing existing documentation to cover electronic data destruction where the media is not going to be physically destroyed. For example, on a targeted area of a file server or Storage Area Network (SAN) to ensure the data is permanently deleted.	Data Destruction	GSK does not plan to develop further procedures. However, GSK stated the business owner will be responsible for determining the method by which data is permanently deleted electronically and how this will be documented in line with the latest guidance from DARS at the end of the study. This will be in line with requirements in the DSFC and DSA.	Opportunity for improvement	Closed
14	At the post audit review, the Audit Team will look at procedures to support data deletion following withdrawal of consent.	Operational Management	GSK shared details about its withdrawal of consent process and was able to walk through the process during a video call.	Follow up	Closed

Ignite

Ref	Finding	Link to area	Update	Designation	Status
15	Generic login credentials were used by a small number of staff members to access an Azure container holding the data supplied by NHS Digital. As a result, there is no way to identify individual access to the data. Additionally, the capture of access related events was not enabled, and logging information had not been recorded at the time of the audit.	Access Control	Ignite has deleted the data supplied by NHS Digital and has completed a NHS Digital Certificate for Destruction (CoD). The Audit Team was supplied with a copy of the completed CoD, screenshots to verify that the data had been deleted and an email to confirm it had been approved by the DARS team.	Agreement nonconformity	Closed
16	Security testing had not been carried out on the Microsoft Azure cloud storage where the data are held.	Access Control	The data has been deleted so no further action is required by Ignite. See finding 15.	Agreement nonconformity	Closed
17	Ignite had not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA.	Operational Management	Ignite has completed a ROPA and an extract was supplied to the Audit Team in February 2022.	Agreement nonconformity	Closed
18	Ignite has not formally recognised the Information Asset Owner (IAO) in the IAR for the data supplied by NHS Digital.	Operational Management	Ignite confirmed that it had included details of the IAO in the IAR. An extract of the IAR was supplied to the Audit Team.	Agreement nonconformity	Closed
19	The Data Protection Policy Statement references documents that are no longer available.	Operational Management	The data has been deleted so no further action is required by Ignite. See finding 15.	Organisation nonconformity	Closed
20	Ignite has not performed reviews to check operating system patches are being applied to corporate computers.	Access Control	The data has been deleted so no further action is required by Ignite. See finding 15.	Organisation nonconformity	Closed
21	Should the DSA be extended, Ignite is to review the DPIA to resolve the inaccuracies identified during the audit and to ensure that the DPIA is correct.	Operational Management	The data has been deleted so no further action is required by Ignite. See finding 15.	Observation	Closed
22	The Audit Team identified that one of Microsoft Azure's settings was not in line with Microsoft’s recommended guidance. Ignite updated the setting during the audit.	Access Control	The data has been deleted so no further action is required by Ignite. See finding 15.	Opportunity for improvement	Closed
23	The IAO should consider undertaking specialist role-based training.	Operational Management	The data has been deleted so no further action is required by Ignite. See finding 15.	Opportunity for improvement	Closed
24	Procedures should be developed, or existing documentation updated, to cover: recording and managing security breaches electronic destruction using the deletion tool (for example, confirmation of the number of passes) and completion of the NHS Digital certificate of destruction.	Operational Management	The data has been deleted so no further action is required by Ignite. See finding 15.	Opportunity for improvement	Closed
25	Antivirus was not enabled on the Azure cloud storage. Therefore, there was a reliance on the client antivirus to detect a virus associated with a saved file, or on expansion of zip files as they are opened from the server. During the audit Ignite enabled antivirus on the cloud storage.	Access Control	During the audit Ignite enabled the antivirus on the cloud storage.	Opportunity for improvement	Closed
26	At the post audit review, the Audit Team will look at: documentation that records the available access privileges for each of the organisation’s operating systems, applications and other systems as detailed in the Access Control Procedure.	Operational Management	The data has been deleted so no further action is required by Ignite. See finding 15.	Follow Up	Closed

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 9 May 2022 4:10 pm