Skip to main content

NHS Digital Data Sharing Remote Audit: University of Cambridge and Cambridge University Hospitals NHS Foundation Trust

This report records the key findings of a remote data sharing audit of the School of Medical Science at the University of Cambridge and the Cambridge University Hospitals NHS Foundation Trust between November and December 2021.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the School of Medical Science at the University of Cambridge (UoC) and the Cambridge University Hospitals NHS Foundation Trust (CUHFT) between 29 November and 04 December 2021. It provides an evaluation of how the UoC and the CUHFT conform to the requirements of:

  • the data sharing framework contracts (DSFC)
    • CON-321529-Q1B0S v2.01 (UoC)
    • CON-314354-C8S4C v2.01 (CUHFT)
  • the data sharing agreement (DSA) DARS-NIC24422-R3W3S-v5.9

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Hospital Episode Statistics (HES) Critical Care Identifiable, Non-Sensitive 2016 – 2021_Q4
HES Accident and Emergency Identifiable, Non-Sensitive 2016 – 2019_Q3
HES Admitted Patient Care Identifiable, Sensitive 2016 – 2021_Q4
Medical Research Information Service (MRIS) – Flagging Current Status Report Identifiable, Sensitive July 2017 – June 2019
MRIS – Cohort Event Notification Report  Identifiable, Sensitive July 2017 – June 2019
MRIS – Cause of Death Report Identifiable, Sensitive July 2017 – June 2019
Cancer Registration Data Identifiable, Non-Sensitive Latest Available
Emergency Care Data Set Identifiable, Sensitive 2020 – 2021_Q4
Civil Registration - Deaths Identifiable, Sensitive Latest Available

 

The Joint Controllers are the UoC and the CUHFT.

SIMPLIFIED is a randomised controlled trial which aims to assess the effect of colecalciferol (vitamin D) supplement verses standard healthcare on health outcomes in patients with kidney failure receiving dialysis. Colecalciferol has been used to treat vitamin D deficiency and is cheap and safe, even at high doses. This trial will test the hypothesis that population-wide supplementation with high-dose colecalciferol in patients receiving dialysis will reduce mortality and improve quality of life.

This report also considers whether the UoC School of Medical Science and the CUHFT conform to their own policies, processes and procedures. 

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type Routine
Scope areas

Information transfer
Access control
Data use and benefits
Risk management
Operational management and control
Data destruction
Restrictions

Access control - limited visibility of physical controls
Data Use and Benefits - no research outputs have so far been produced

 

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

The UoC School of Medical Science and the CUHFT has reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

The UoC School of Medical Science and the CUHFT will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the UoC School of Medical Science and the CUHFT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

Findings

The following tables identify 5 agreement nonconformities, 6 opportunities for improvement and 2 points for follow-up raised as part of the audit. 

In addressing a finding the data recipient must take account of any referenced supplementary notes.

One finding has been repeated for both UoC and CUHFT as they are joint Controllers, and the finding applies to both organisations.

UoC School of Medical Science

Ref Finding Link to area Clause Designation Notes
1 The DSA needs to be modified to:
  • accurately reflect the distribution and storage of datasets extracted from the data supplied by NHS Digital in the processing section 
  • recognise that extracts of data supplied by NHS Digital are being stored at locations not declared in the DSA 
  • provide additional context to the special condition regarding backups.
 Use and Benefits DSA, Annex A, Clauses 2, 5b and 6 Agreement nonconformity  
2 Data in transit between the processing and storage locations is not encrypted as required by the DSFC. However, the UoC School of Medicine reported that transit is limited to a private network with all associated equipment owned by the UoC. Information Transfer DSFC, Schedule 2, Section A, Clause 4.6

Agreement nonconformity

 1
3 Data supplied by NHS Digital is being processed on unencrypted desktop machines and if the application crashed, then temporary files would be cached on the machines’ local drives. Information Transfer

 

 

 Opportunity for improvement  
4 The UoC should consider adding an additional field to its data destruction form defining the type of disposal required for data bearing assets, should the University seek more than just the default secure erasure. Data Destruction

 

 Opportunity for improvement  
5 The UoC School of Medical Science should consider extending the document used to record user access to the Secure Hosting Data Server (SDHS) to also include access to the project folder holding the pseudonymised datasets not held within the SDHS. The periodicity of the current access reviews should be considered. Access Control   Opportunity for improvement  
6 The UoC School of Medical Science should consider providing role specific training, for example, Information Asset Owner (IAO) training. Operational Management   Opportunity for improvement  
7 The UoC School of Medical Science should consider renaming its “School Information Security Policy” to reflect its content more accurately. Operational Management   Opportunity for improvement  
8 At the post audit review, the Audit Team will examine any changes that are currently being considered by the University to the password policy for its general network.  Operational Management

 

 Follow-up  

CUHFT

Ref Finding Link to area Clause Designation Notes
9 The DSA needs to be modified to:
  • accurately reflect the distribution and storage of datasets extracted from the data supplied by NHS Digital in the processing section 
  • recognise that extracts of data supplied by NHS Digital are being stored at locations not declared in the DSA 
  • provide additional context to the special condition regarding backups.
 Use and Benefits DSA, Annex A, Clauses 2, 5b and 6 Agreement nonconformity  
10 The CUHFT is to inform the Data Access Request Service (DARS) of the outcome of its current Data Security Protection Toolkit (DSPT) assessment. The CUHFT stated it had agreed an action plan with the DSPT team and is currently working to complete the actions. Operational Management DSA, Annex A, Clause 6 Agreement nonconformity  
11 Unencrypted manipulated pseudonymised data is being sent from the UoC School of Medicine to the CUHFT. Information Transfer DSFC, Schedule 2, Section A, Clause 4.6
SIMPLIFIED - NHS Digital -Work Guide		 Agreement nonconformity  
12 CUHFT should consider reviewing and updating the risk assessment for the study.  Risk Management   Opportunity for improvement  
13

At the post audit review, the Audit Team will review evidence supplied by the CUHFT, associated with:

  • operational management and control 
  • information transfer
  • access control
  • data destruction.
 Operational Management   Follow-up  

Supplementary notes

Note 1 - One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent). If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by the UoC, then the link need not be encrypted. NHS Digital reserves the right to review this assessment.

Use of data

The UoC School of Medical Science and the CUHFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The UoC School of Medical Science and the CUHFT confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation Territory of use
UoC School of Medical Science England / Wales
CUHFT England / Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
UoC School of Medical Science Disk – File server 90 days
UoC School of Medical Science Disk – SQL server 5 days
CUHFT See Note  

Note: The backup retention for data held by the CUHFT will be determined during the post audit review.

Good Practice

During the audit, the Audit Team noted the following area of good practice:

  • all identifiable data is kept in the UoC Secure Hosting Data Server, which is certified to ISO 27001.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 February 2022 11:34 am