
NHS Digital Post Audit Review: St George's, University of London

This report provides the formal closure of the remote data sharing audit of St George’s, University of London in January 2021.

Audit summary

This report provides the formal closure of the remote data sharing audit of St George’s, University of London (SGUL) between 25 and 29 January 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-341863-L0X2Y
  • the data sharing agreement (DSA) DARS-NIC-147843-8NKTW-v4.2

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Medical Research Information Service (MRIS) – Members and Postings Report | Identifiable, Sensitive | October 1996 - March 2020 |
| MRIS - Flagging Current Status Report | Identifiable, Sensitive | October 1996 - March 2020 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 1996 - March 2020 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | October 1996 - March 2020 |
| Demographics | Identifiable, Sensitive | Latest available release |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available release |
| Cancer Registration Data | Identifiable, Sensitive | Latest available release |

The Controller is SGUL.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment and video conference meeting of the action plan and supporting evidence supplied by SGUL between October and November 2021.

Post audit review outcome

Based on the evidence provided by SGUL, the Audit Team has closed the nonconformities and point for follow-up. Although no further action is required by the Audit Team, there are 2 opportunities for improvement still open, and SGUL should complete the actions against these findings.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

SGUL has reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 2 agreement nonconformities, 1 organisation nonconformity, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit.

SGUL

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | Data is being stored and processed at a SGUL location not declared on the DSA. | Information Transfer | A new DSA is currently in progress, DARS-NIC-147843-8NKTW-v5.8. The Audit Team confirmed via the Data Access Request Service (DARS) management system that the missing location has been included in the latest in-progress version. | Agreement nonconformity | Closed |
| 2 | SGUL does not maintain a static up-to-date asset register, at least for equipment associated with data supplied by NHS Digital. Creating this register would also allow items sent for destruction to be recorded and reconciled with records supplied by a third-party disposal company. | Access Control | On the University’s Information Governance for Health Research webpage, Principal Investigators are requested to only use the Data Safe Haven (DASH) to hold data supplied by NHS Digital. As this equipment is captured through other registers and systems then the Audit Team is satisfied that no additional asset register is required. However, it was stated by the Audit Team that should an exception be given for data supplied by NHS Digital to be stored outside of the DASH, then it is important the nature of the original finding is addressed. | Agreement nonconformity | Closed |
| 3 | Some password requirements in the Data Safe Haven (DASH) User Guide were different to the technical controls observed being enforced through group policy. | Access Control | The DASH User Guide has been updated and the key password requirements are now aligned with the technical controls observed and are being enforced through group policy. A copy of the revised User Guide was supplied to the Audit Team. | Organisation nonconformity | Closed |
| 4 | SGUL should consider a formal position as to how it treats lower-level security risks (medium and below) arising from its security assessments. | Access Control | This finding was to be discussed at a service review in 2021; however, the service review has been delayed due to ongoing merger discussions. | Opportunity for Improvement | Open, but not for follow-up |
| 5 | Although SGUL reported that the DASH is picked up in its security assessments, SGUL should explicitly include the DASH environment within the scope of future security assessments. | Access Control | A copy of a report for a security assessment conducted in June 2021 was shown to the Audit Team. In this report, the DASH environment was explicitly specified. No findings were recorded against this environment. It was reported by SGUL that the next assessment will also include the DASH within its scope. | Opportunity for Improvement | Closed |
| 6 | SGUL should finalise and implement its approach to reviewing user access to project files at regular periods. | Access Control | SGUL has established a review process, though has decided not to formally document it. A copy of an email from IT, dated 16 September 2021, which identified current staff with access to DASH was shown to the Audit Team. | Opportunity for Improvement | Closed |
| 7 | SGUL should finish its rationalisation with respect to its information asset registers (IAR), thereby achieving a centralised view of all assets and avoiding duplication. | Operational Management | The rationalisation of the IARs has been completed and endorsed by SGUL’s Information Governance Steering Group (IGSG). A copy of the IGSG minutes from June 2021 was shown to the Audit Team. Copies of the current Personal Data IAR and System IAR were also provided to the Audit Team. | Opportunity for Improvement | Closed |
| 8 | SGUL should review its approach to sending system alerts to IT staff. | Access Control | This finding was to be discussed at a service review in 2021; however, the service review has been delayed due to ongoing merger discussions. | Opportunity for Improvement | Open, but not for follow-up |

QMUL

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 9 | At the post audit review, the Audit Team will confirm the paper copies of data being stored at Queen Mary, University of London have been destroyed. | Data Destruction | A copy of a document destruction certificate, dated 17 March 2021, for the secure shredding of paper held by Queen Mary, University of London was provided to the Audit Team. | Follow-up | Closed |


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 17 January 2022 1:36 pm