NHS Digital Post Audit Review: 3M United Kingdom PLC

This report provides the formal closure of the data sharing audit of 3M United Kingdom Public Limited Company in July 2019.

Audit summary

This report provides the formal closure of the data sharing audit of 3M United Kingdom Public Limited Company (referred to as 3M going forward) on 16 and 17 July 2019 against the requirements of both:

  • the data sharing framework (DSFC) CON-134171-D4S5S   
  • the data sharing agreement (DSA) DARS-NIC-91972-S9W9T 

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | 2012/13 - 2016/17
HES Critical Care | Anonymised/Pseudonymised, Non-sensitive | 2012/13 - 2016/17
HES Outpatients | Anonymised/Pseudonymised, Non-sensitive | 2012/13 - 2016/17


The Controller and Processor is 3M.

Following an initial post audit review conducted in September 2020, 1 item for follow-up remained open.

Further guidance on the terms used in this post audit review report can be found in version 2 of the NHS Digital Data Sharing Audit Guide.

Post audit review

This post audit review comprised an assessment of the action plan and supporting evidence supplied by 3M in September 2021. It also involved a video conference session which allowed evidence held on 3M’s systems to be viewed interactively.

Post audit review outcome

Based on the evidence provided by 3M, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and 3M.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.

Original risk statement: Medium

Previous risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

3M has reviewed this report and confirmed that it is accurate.


Status

The following table identifies the 2 agreement nonconformities, 1 observation and 1 point for follow-up raised as part of the original audit.

Findings 1 to 3 were closed as part of the post audit review conducted in September 2020.


Ref: 1
Finding: 3M does not have an Information Asset Register (IAR) that contains an entry for the data supplied under this DSA, including the identification of the Information Asset Owner (IAO). It is acknowledged by the Audit Team that the data supplied is specified in the Privacy Impact Assessment and is part of the records of processing activities of 3M.
Link to area: Operational Management
Update: 3M stated that an entry for the data supplied under the DSA, including the identification of the Information Asset Owner (IAO), had been added to the 3M Health Information Systems (HIS) Record of Processing Activities register for Controller activities. 3M presented the register to the Audit Team through a video conference session.
Designation: Agreement nonconformity
Status: Closed

Ref: 2
Finding: 3M declared in its 2018/19 Data Security and Protection Toolkit (DSPT) submission that it was Cyber Essentials Plus certified. The Audit Team found that 3M was only certified to Cyber Essentials. By declaring certification to Cyber Essentials Plus, the DSPT tool doesn’t require evidence to be provided against a number of requirements.
Link to area: Operational Management
Update: The NHS Digital DSPT team advised 3M to resolve the issue in the next submission. In its DSPT submission for 2019/20, 3M has not claimed to be Cyber Essentials Plus certified. This position was confirmed by the DSPT team, who provided a screenshot of the 3M submission to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref: 3
Finding: Guidance should be developed around the handling and processing of data provided by NHS Digital to provide consistency of approach. Consideration should be given to data destruction (for example, use of the chosen data wiping tool) and the incident reporting process.
Link to area: Operational Management
Update: 3M has developed additional guidance for how data provided by NHS Digital should be handled. The guidance includes text about data destruction and incident reporting. 3M presented the guidance to the Audit Team through a video conference session.
Designation: Agreement nonconformity
Status: Closed

Ref: 4
Finding: At the time of the audit there had been slippage in delivering the agreed outputs by the expected delivery date, and the Audit Team planned to follow this up at the post audit review.
Link to area: Use and Benefits
Update: 3M confirmed that it had released the UK version of its Clinical Risk Groups (CRGs) classification system in February 2020. In terms of realising benefits from the above product, 3M confirmed:
  • it was making regular submissions of progress and associated outputs to NHS Digital as required by the DSA. 3M was able to show its submissions for January 2021 and June 2021, and the draft submission for September 2021, through a video conference session
  • there is continuous engagement with prospective clients and software companies to embed 3M’s CRGs classification system within their solutions. Evidence of engagement was shown through a video conference session
  • it had been accepted onto the London Procurement Partnership via one of its partner organisations, which had embedded 3M’s CRGs into its solution. Evidence of the contractual arrangement with the partner and the procurement framework was shown through a video conference session
  • it had started a pilot with the Cwm Taf Morgannwg University Health Board to profile their population using 3M’s CRGs. Evidence was shown through a video conference session.
In terms of releasing the All Patient Refined – Diagnosis Related Groups (APR-DRG), its validation and introduction to the UK will commence once the CRGs are established in the UK. The new DSA (v5.4) has been amended accordingly to reflect this.
Designation: Follow-up
Status: Closed

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 30 November 2021 5:26 pm