NHS England Post Audit Review: Merck Sharp & Dohme Limited
This report provides an update on progress of the remote data sharing audit of Merck Sharp & Dohme and Manchester University NHS Foundation Trust in October 2021.
Audit summary
Purpose
This report provides an update on progress of the remote data sharing audit of Merck Sharp & Dohme (MSD) and Manchester University NHS Foundation Trust (MFT) between 4 and 8 October 2021 against the requirements of both:
- the data sharing framework contracts (DSFC)
- MSD: CON-290527-P5COY
- MFT: CON-324681-Z8K6R
- the data sharing agreement (DSA) DARS-NIC-290527-P5COY-v1.3
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
HES Outpatients | Identifiable, Non-sensitive | 2010/11 – 2020/21_M02 |
Diagnostic Imaging Dataset (DID) | Identifiable, Non-sensitive | Historic Data Request |
Bridge file: HES to DID | Identifiable, Non-sensitive | Latest Available - 08/2020 |
The Controllers are MSD and MFT and the Processors are NorthWest EHealth Limited (NWEH), Salford Royal NHS Foundation Trust (SRFT) and Microsoft Limited.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by NWEH between June and December 2022. Note, this desk-based review took place before the merger of NHS Digital and NHS England. Therefore, this report references both organisations.
Post audit review outcome
Based on the evidence provided by the 3 organisations, the Audit Team has found that MFT and NWEH have not suitably addressed the findings. 3 agreement nonconformities, 1 observation, 2 opportunities for improvement and 1 point for follow up remain open and require further review by the Audit Team. MFT and NWEH are therefore required to update the action plan to align with this post audit review report.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Current Risk Statement: Low
Data recipient’s acceptance statement
MSD, MFT and NWEH have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 4 agreement nonconformities, 3 observations, 9 opportunities for improvement and 3 points for follow-up raised as part of the original audit.
Some of the findings have been repeated for MSD and MFT as they are joint Controllers, and the finding applies to both organisations.
MSD
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s Data Protection Impact Assessment (DPIA) are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval. | Operational Management | Both the LIA (13/06/2022 v2.0) and DPIA (MSD Cough DPIA v7) have been updated and copies were supplied to the Audit Team. These documents were reviewed and approved by MSD’s Data Privacy Manager. | Observation | Closed |
2 | Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements. | Operational Management | NWEH reported it had completed a compliance check and introduced a regular check of all contractual documents as part of the project start up process. NWEH supplied a Project Initiation Checklist document (NWEH-FOR-115 v3) which showed that a contractual check has now been included for all subsequent projects. NWEH also provided an email that indicated that a review of the DSFC and DSA requirements was included as an agenda item for a meeting between MSD and NWEH. | Opportunity for improvement | Closed |
3 | The DSA should be reviewed and updated as it was confirmed at the audit: | Operational Management | The DSA has been updated and the points raised in the finding have been taken into account. A copy of the DSA DARS-NIC-290527-P5C0Y-v2.2 was reviewed by the Audit Team. | Opportunity for improvement | Closed |
4 | MSD’s Supplier Privacy Assessment on NWEH should be reviewed and updated. This includes: | Operational Management | The Supplier Privacy Assessment has been reviewed by MSD. Copies of the assessment, supporting comments and sign off document were supplied to the Audit Team. | Opportunity for improvement | Closed |
5 | MSD’s Privacy Advisor Impact Assessment on the study should be reviewed and updated. Potential areas for change include: | Operational Management | The Privacy Advisor Impact Assessment has been reviewed by MSD. Copies of the assessment, supporting comments and sign off document were supplied to the Audit Team. | Opportunity for improvement | Closed |
MFT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
6 | The Legitimate Interests Assessment (LIA) completed by MSD and MFT in 2019, and NWEH’s DPIA are in need of a refresh by all parties as there is inconsistent information. A copy of the updated DPIA should be provided to the Data Protection Officers (DPO) for approval. | Operational Management | Both the LIA (13/06/2022 v2.0) and DPIA (MSD’s DPIA v7) have been updated and copies supplied to the Audit Team. The documents have not yet been approved by MFT’s DPO, or suitable representative. | Observation | Open |
7 | Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements. | Operational Management | NWEH reported it had completed a compliance check and introduced a regular check of all contractual documents as part of the project start up process. Whilst NWEH has changed its processes, the Audit Team has not received any confirmation from MFT that it is informing its staff about the requirements of the DSFC and DSA. | Opportunity for improvement | Open |
8 | The DSA should be reviewed and updated as it was confirmed at the audit: | Operational Management | The DSA has been updated and the points raised in the finding have been taken into account. A copy of the DSA DARS-NIC-290527-P5C0Y-v2.2 was reviewed by the Audit Team. | Opportunity for improvement | Closed |
NWEH
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
9 | Users from NWEH with access to data supplied by NHS Digital held on Microsoft Azure did not hold valid honorary contracts with SRFT. The DSA requires the NWEH Database Administrator and Statistics team to hold honorary NHS contracts with SRFT. | Use and Benefits | NWEH has been working with the Northern Care Alliance NHS Foundation Trust (NCA) (which replaced SRFT) to form a basis for a Memorandum of Understanding to replace the honorary contract model for NWEH staff. Progress has been slow due to a reorganisation at NCA, however, honorary contracts were discussed at the September 2022 Information Governance Steering Group. A copy of the minutes was supplied to the Audit Team. | Agreement nonconformity | Open |
10 | NWEH did not complete the Data Security Protection Toolkit (DSPT) in 2019/20 and 2020/21 as required by the MSD’s System Level Security Policy (SLSP) that was agreed with NHS Digital in February 2020. | Access Control | NWEH notified the Data Access Request Service (DARS) team in July 2022 that it had not completed the DSPT submission for 2021/22, due to internal resource issues. NWEH reported that it has recruited an additional member of staff and is progressing with the DSPT submission for 2022/23. | Agreement nonconformity | Open |
11 | No justification to support the presence of a domain administrator account on the Microsoft Azure platform was provided. SRFT stated that it should be disabled. | Access Control | NWEH reported that the account has now been removed. A screenshot was supplied for Defender for Cloud, however, this did not show that the account had been removed. NWEH further reported a review of all accounts had been performed and security processes in relation to Azure Account management are being updated. | Agreement nonconformity | Open |
12 | NWEH to review and update its Record of Processing Activities (ROPA) as it includes inaccurate information. This includes fields on special category data, missing joint controller information and missing data source. | Operational Management | The ROPA has been updated to correct the information held. A copy of the ROPA was shared with the Audit Team. | Agreement nonconformity | Closed |
13 | There is an inconsistency between the MSD’s SLSP and NWEH Security Testing policy with respect to the penetration testing of the Azure platform. The SLSP states that testing will be carried out annually and the NWEH policy states that it will be every 2 years. The last penetration test was conducted in the last 12 months. | Access Control | NWEH has updated the statement in the SLSP to be consistent with other documents. A copy of SLSP v2 was supplied to the Audit Team. | Observation | Closed |
14 | MSD’s SLSP includes a statement that IP filtering based on “Deny-all first” principle will be in place and is managed by the SRFT via a change management process. Both SRFT and NWEH should consider reviewing the rules setup to ensure that they are up to date. | Access Control | NWEH reported SRFT has IP filtering rules in place, however, NWEH has postponed the implementation of rule changes until the first quarter in 2023 due to ongoing projects and to limit disruption. | Opportunity for improvement | Open |
15 | NWEH should consider if technical controls could be implemented to prevent users transferring data from the Azure platform to their own corporate machines. | Access Control | NWEH supplied details on the technical controls that have been implemented. Screenshots of the settings were shared with the Audit Team. | Opportunity for improvement | Closed |
16 | NWEH should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, date of data deletion, linking to which version of the DSA it came with and certificate of destruction. | Operational Management | NWEH has considered and decided to use one of the suggested fields. A copy of the revised IAR was shared with the Audit Team. | Opportunity for improvement | Closed |
17 | A Microsoft Azure vulnerability security scan covering various parts of the platform has been recently conducted which highlighted a number of findings. At the post audit review, the Audit Team will ensure that all of the highlighted vulnerabilities have been adequately addressed. | Access Control | NWEH shared an internal report which included the actions taken to address the findings, however, some actions are still in progress. | Follow-up | Open |
18 | The DSA includes a statement that NWEH should only hold data in accordance with the consent material provided 5 years before and 2 years after diagnosis. All data outside this window should be securely deleted and evidence provided to NHS Digital by 31/7/2021. At the time of the audit, this had not been completed as NWEH was waiting for further data and should seek further guidance from the Data Access Request Service team. | Data Destruction | NWEH deleted the data and completed a Certificate of Destruction (CoD) in June 2022. The DARS team has confirmed that the CoD was approved in July 2022. A copy of the CoD was shared with the Audit Team. | Follow-up | Closed |
19 | At the post audit review, the Audit Team will review the following: | Access Control | NWEH shared an Azure access audit report and the updated access control procedure that covered the 2 points in the findings with the Audit Team. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 February 2023 10:09 am