
NHS Digital Post Audit Review: Barts Cancer Institute, Queen Mary University of London

This report provides the formal closure of the remote data sharing audit of the Barts Cancer Institute at Queen Mary University of London in March 2021.

Audit summary

This report provides the formal closure of the remote data sharing audit of the Barts Cancer Institute (BCI) at Queen Mary University of London (QMUL) between 8 and 12 March 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-315125-P6G9X  
  • the data sharing agreement (DSA) DARS-NIC-147747-KRTQ8-v3.4

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | February 2005 – June 2016 |
| MRIS - Flagging Current Status Report | Identifiable, Sensitive | February 2005 – June 2016 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | February 2005 – June 2016 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | February 2005 – June 2016 |
| Demographics | Identifiable, Sensitive | Latest available release |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available release |
| Cancer Registration Data | Identifiable, Sensitive | Latest available release |

 

The Controller is QMUL.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by BCI between August 2021 and March 2022.  A video call to review some of the evidence was held in March 2022.

Post audit review outcome

Based on the evidence provided by the BCI, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the BCI.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

The BCI has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 2 agreement nonconformities and 5 opportunities for improvement raised as part of the original audit.

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | Data is being processed and stored at locations not declared on the DSA. | Information Transfer | A new DSA is currently in progress, DARS-NIC-147747-KRTQ8-v4.3. The Audit Team confirmed via the Data Access Request Service (DARS) management system that the missing locations have been included in the latest in-progress application. | Agreement nonconformity | Closed |
| 2 | No Data Protection Impact Assessment (DPIA) has been completed for the dataset supplied. | Operational Management | A copy of an approved DPIA, dated 6 April 2021, was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 3 | The BCI should implement further technical controls to identify changes to Active Directory administration groups. | Access Control | The BCI stated that an email is now automatically generated and sent to all system administrators once a group change has been made to Active Directory. A copy of the template used to create the email was supplied to the Audit Team and an example was displayed during the video call. | Opportunity for Improvement | Closed |
| 4 | The BCI should increase awareness of the risk management training videos available on the staff intranet. | Risk Management | The BCI supplied a copy of its “Information Governance March 2021 Bulletin” to the Audit Team which included a link to the Information Risk Management video on the staff intranet. | Opportunity for Improvement | Closed |
| 5 | The BCI should consider providing further guidance around the roles and responsibilities of Senior Information Asset Owner (SIAO) and Information Asset Administrator (IAA). | Operational Management | The BCI supplied an extract from its staff intranet around information asset registers which outlines the responsibilities of an IAO and an IAA. | Opportunity for Improvement | Closed |
| 6 | The BCI should collate evidence with respect to periodic system reviews to support future internal and external audits. | Operational Management | In the latest version of the Information Security Policy (ISP), v3.3 dated 25 February 2022, the requirements around access reviews, which formed the basis of the original finding, have been removed. Going forward, the BCI should ensure that such access checks are considered as part of its internal audits (ISP, section 8.3) and third-party audits (ISP, section 8.2). | Opportunity for Improvement | Closed |
| 7 | The Audit Team suggested that all appropriate teams review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | An email was sent to all BCI staff on 4 August 2021 reminding them that the DSA and DSFC must be circulated to all appropriate teams to review to ensure that all parties are fully aware of their responsibilities and are fully compliant. | Opportunity for Improvement | Closed |

 


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 22 April 2022 2:16 pm