NHS Digital Post Audit Review of Data Sharing Activities: University College London

Directorate / Programme: Care Services
Project: Data Sharing Audits
Status: Approved
Director: Catherine O'Keeffe
Version: 1.0
Owner: Sean Walsh
Version issue date: 13/10/2017

Copyright 2017 Health and Social Care Centre Page 1 of 6. The Health and Social Care Centre is a non-departmental body created by statute, also known as NHS Digital.

1 Audit Summary

1.1 Purpose

This report provides the formal closure of the data sharing audit of University College London (UCL) conducted on 7 and 8 February 2017 against the requirements of the data sharing framework contract (DSFC) CON-321538-B5D8B and the data sharing agreement (DSA) NIC-148101-R7RSL, including the terms set out in the letter of novation dated 10 August 2016, with respect to the provision of Office for National Statistics (ONS) data. Further guidance on the terms used in this post audit report can be found in the NHS Digital Audit Guide.

1.2 Post Audit Review

This post audit review comprised an assessment of the action plan and supporting evidence supplied by UCL. It involved a WebEx session on 11 August 2017 which allowed evidence held on UCL's systems to be viewed interactively. Additional supporting evidence was supplied via email following the WebEx session.

Based on this post audit review, most of the findings have been closed. One observation remains open, although NHS Digital will not follow this finding up as part of this audit. Two observations were rejected; an explanation has been included in the findings. An observation is a situation where a requirement is not being breached but a possible improvement or deficiency has been identified by the Audit Team.

1.3 Updated Risk Statement

In summary, it is the Audit Team's opinion that at the current time, and based on the evidence presented during the post audit review and the type of data being shared, there is a low risk of a breach of information security, duties of care, confidentiality or integrity (including inappropriate access to or loss of data) for the data provided by NHS Digital to UCL under the terms and conditions of the data sharing agreements signed by both parties.

1.4 Response

UCL has reviewed this report and confirmed that it is accurate. As NHS Digital has closed the nonconformities and points for follow-up, no further response is required. One observation is still open, and UCL should follow this up with the Information Commissioner's Office until the action is completed.

1.5 Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

2 Status

Table 1 identifies the 1 major nonconformity, 3 minor nonconformities, 16 observations and 1 point for follow-up raised as part of the original audit. For each item the original finding is followed by the post audit review update.

Table 1: Nonconformities, Observations and Points for follow-up

1. Major nonconformity
Finding: ONS data was released to a third party developer without prior approval from NHS Digital, as required by the DSFC and DSA. UCL did however inform the Information Commissioner's Office (ICO) and NHS Digital of the data breach through the SIRI tool. UCL has provided an improvement plan to the ICO and is currently working through the defined actions.
Post audit review: This nonconformity is being addressed by UCL through the action plan agreed with the ICO. The action plan includes a training plan, which was endorsed on 28 July 2017 by the UCL Services Governance Committee. The plan covers annual data protection training for all UCL staff by 2018. Existing arrangements are in place to provide annual training for those using NHS Digital data. The status of the ICO actions was discussed during the WebEx session. This finding has been closed as any residual actions will be appropriately addressed by the ICO.

2. Minor nonconformity
Finding: Actions and resulting changes to the network from the last penetration test could not be evidenced. The normal process within UCL is to provide a formal response to a penetration test. UCL stated verbally that some of the findings have been addressed.
Post audit review: UCL reported that all actions arising from the penetration test have been completed and provided a copy of the action tracker to support this statement.

3. Minor nonconformity
Finding: There is no complete corporate information asset register (IAR) which identifies the NHS Digital data held. UCL acknowledged that the Data Protection Officer does not maintain a register for research projects.
Post audit review: A screenshot of an IAR implemented in Microsoft Access was supplied to the Audit Team. This screenshot identified a number of agreements, including the one covered by this audit. It was reported that a corporate IAR is a deliverable within UCL's planned General Data Protection Regulation (GDPR) work, which is expected to be completed by May 2018.

4. Observation
Finding: The training needs analysis document requires updating to reflect current practice.
Post audit review: The training needs analysis document has been updated to reflect current practice and was approved by the Governance Steering Group. This document was provided to the Audit Team.

5. Observation
Finding: The IAR should contain the effective dates of contracts and agreements, and could also contain links to other documents such as the information risk register.
Post audit review: The Microsoft Access database (see Ref 3) identifies the expiry dates for the individual agreements and provides a hyperlink to the SharePoint folder.

6. Observation (Access Control)
Finding: UCL is conducting annual reviews of folder access. The Audit Team suggested that annual is too long and that a more frequent review would be advisable.
Post audit review: UCL has confirmed that reviews will be done quarterly. Evidence of a recent review was provided to the Audit Team.

7. Observation
Finding: The collaboration spreadsheet should be updated to include the date of information transfer.
Post audit review: Columns have been added to the collaboration spreadsheet for the date of information transfer and the date of confirmation that the data was destroyed. The step for recording these dates in the spreadsheet was included in a new British Women's Heart & Health Study (BWHHS) Standard Operating Procedure (SOP) on Compiling and ring Datasets. Copies of the new spreadsheet and the SOP were provided to the Audit Team.

8. Minor nonconformity
Finding: Principal Investigators (PIs) may not have ready access to all contractual material, even though the material may contain information governance / information security obligations.
Post audit review: The DSFC has been published on the UCL website.

9. Observation (Data Destruction)
Finding: UCL is to record evidence of future data destruction, for example a screenshot from Cipher if this is the approach to be taken. This approach has been discussed with NHS Digital as part of the current application.
Post audit review: An example screenshot from Cipher relating to a deletion on 28 July 2017 was shown to the Audit Team. A copy of the Wiki page containing the SOP for data deletion was also presented to the Audit Team.

10. Observation (Risk)
Finding: The physical risk assessment has not been fully completed for the study. The Audit Team questioned the value it currently adds to the overall risk assessment process.
Post audit review: The risk assessment for this study has been completed and was provided to the Audit Team. UCL also reported that work is on-going to implement an improved physical risk assessment methodology and tool.

11. Observation
Finding: A Standard Operating Procedure for handling NHS Digital data should be implemented for the organisation.
Post audit review: UCL has decided not to implement a specific SOP for handling NHS Digital data, but is to consider the provision of additional information through its website, for example the publication of the DSFC (Ref 8), on an as required basis.
Status: Rejected

12. Observation
Finding: Specific study training should be provided to recognise the differing demands around NHS Digital supplied data, for example ONS and HES.
Post audit review: UCL believes that the training currently given to staff is sufficient, now that staff are able to refer to the DSFC (Ref 8).
Status: Rejected

13. Observation
Finding: UCL to consider how Privacy Impact Assessments (PIA) become embedded in their standard operating model.
Post audit review: As part of GDPR planning, the research registration process will include a PIA for research data assets. UCL reported this would be implemented by May 2018.
Status: Open but not to be followed up

14. Observation
Finding: The collaboration request form should include a field asking whether the requested data includes personal confidential information.
Post audit review: A field has been added to the collaboration request form asking whether the requested data includes personal confidential information. A copy of the revised UCL Data Sharing policy was provided to the Audit Team.

15. Observation
Finding: Training should inform those using the Managed File facility to send data that, if they realise the wrong file has been attached, IT can remove the file, potentially before it is downloaded by the recipient.
Post audit review: A note has been added to the Welcome Pack for Secure Data Handling which states that the Data Safe Haven support team can remove the file before it is downloaded. A copy of this document was provided to the Audit Team.

16. Observation
Finding: Document management information is to be improved, as some details are incorrect, for example in the IG Policy.
Post audit review: Documents have been updated. New documents are available on the UCL website under a Recently updated section.

17. Observation
Finding: UCL to implement a mechanism to inform staff of changes to key policies and processes.
Post audit review: New documents are available on the UCL website. At the time of the post audit review, three documents were shown under Recently updated (29/03/2017).

18. Observation
Finding: The PI is involved in agreeing the level of data to be supplied to collaborators but does not check the accuracy of the output. For this study, the database from which evidence is extracted does not contain original ONS data.
Post audit review: The BWHHS team has added a step where the PI, or another authorised team member, checks the dataset before transfer to ensure that variables that could re-identify participants have not been included in error. Columns to document the date of this check and the initials of the person who checked the database have been added to the collaborator spreadsheet. These steps have been included in a new BWHHS SOP on Compiling and ring Datasets. The spreadsheet and SOP were provided to the Audit Team.

19. Observation (Data Use and Benefits)
Finding: Published reports should acknowledge the use of NHS Digital data where appropriate.
Post audit review: The requirement to 'acknowledge use of NHS Digital data in publications' has been included in the new BWHHS SOP on data sharing. Manuscripts arising from collaborations should be shared with the BWHHS team prior to publication, who will check that this acknowledgement has been made.

20. Observation (Data Use and Benefits)
Finding: Some of the information raised during the audit which describes processing should be sent to DARS as additional information and, in one case, to correct previously supplied information.
Post audit review: An email was sent to NHS Digital on 9 February 2017 with the suggested slides attached.

21. Point for follow-up (Data Destruction)
Finding: UCL to clarify the position around the return of failed discs under warranty to manufacturers, or to obtain a written statement from the manufacturer. No record of returned discs is kept.
Post audit review: UCL has renewed its support contracts to include a Defective Media Retention (DMR) option. A copy of the new contract was provided to the Audit Team.