Post audit review: London Borough of Merton Council – Public Health
This report provides the formal closure of the data sharing audit of London Borough of Merton Council – Public Health in May 2018.
Audit summary
This report provides the formal closure of the data sharing audit of London Borough of Merton Council (LBMC) – Public Health on 24 May 2018.
This original audit was carried out against the requirements of both:
- the data sharing framework contract / contracts (DSFC) CON-388468-D6D5J
- the data sharing agreement / agreements (DSA) NIC-388466-F2Z7Q-v4.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Out-patients | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2018/19 |
| HES Critical Care | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2018/19 |
| HES Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2018/19 |
| HES Accident and Emergency | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2018/19 |
The Controller is LBMC.
Following a post audit review conducted in August 2019 and a further post audit review in June 2020, one organisation nonconformity remained open.
Further guidance on the terms used in this post audit review report can be found in version 2 of the NHS Digital Data Sharing Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by LBMC in May 2021.
Post audit review outcome
Based on the evidence provided by LBMC, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and LBMC.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
The following table also shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.
Original risk statement: Medium
Previous risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
LBMC has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 5 agreement nonconformities, 1 organisation nonconformity and 7 observations raised as part of the original audit.
Findings 1 to 5 and 7 to 13 were closed as part of the post audit reviews conducted in August 2019 and June 2020.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 |
LBMC had not supplied NHS Digital with a Certificate of Destruction nor had the Council fully deleted the data as requested by NHS Digital. NHS Digital requested by email on 20 October 2017 that the Council destroy all HES data supplied by NHS Digital under DSA NIC-388466 (superseded by the current DSA) and provide a Certificate of Destruction to confirm destruction. The Council declared to the Audit Team that the data held on the IT network was deleted through a logical delete on 18 October 2017. Following the deletion, the Council was in contact with the DARS team and guidance was provided on completing the certificate. However, the sign off required IT Services to confirm that the NHS Digital data held on the backup tapes was also destroyed. IT Services were unable to sign off the certificate as the data was still available on the backup tapes and were awaiting guidance following GDPR. LMBC confirmed that the data had been deleted off the server prior to the end of year backup being taken. The end of year backup has an indefinite retention period (see Table 3). The Audit Team identified other storage touch points for NHS Digital data that the Council needs to consider when completing the Certificate of Destruction. |
Data destruction |
LBMC provided a copy of a signed data destruction certificate that they declared was submitted to NHS Digital on 25 June 2018 to the Audit Team. |
Agreement nonconformity | Closed |
| 2 |
LBMC did not submit the Information Governance Toolkit (IGT) v14.1 by the 31 March 2018. The IGT scores were ‘confirmed’ by LBMC but not submitted. A special condition in the DSA states that LBMC “must complete v14.1 of the IGT and achieve satisfactory (self- assessed). Should London Borough of Merton Council’s current v14.1 of the IGT be reviewed, it must be reviewed as satisfactory.” |
Access control |
The Audit Team confirmed that the IGT had been submitted and the self-assessed grade was satisfactory. |
Agreement nonconformity | Closed |
| 3 | LBMC has not had a Public Service Network (PSN) connection compliance certificate since January 2016. LBMC declared at the audit, that it has provided a statement to NHS Digital in the IGT v14.1, however at the time of the audit, the IGT version 14.1 had not been submitted. | Access control |
LBMC provided a copy of its PSN connection compliance certificate, issued on 15 October 2018, to the Audit Team. |
Agreement nonconformity | Closed |
| 4 | LBMC is storing NHS Digital data at locations which are not declared in the DSA. | Information transfer |
LBMC provided a copy of the updated DSA to the Audit Team which confirmed that the data storage locations had been updated in line with the required amendments. The current DSA was approved in October 2018. |
Agreement nonconformity | Closed |
| 5 |
The backup tapes that hold NHS Digital data are not encrypted. The DSFC requires that portable media must be encrypted. It should be noted that the tapes are kept at a third-party location. LBMC were unable to supply a signed contract between LBMC and the third-party holding the backup tapes. |
Access control |
LBMC provided:
|
Agreement nonconformity | Closed |
| 6 |
The password policy outlined in the IT Staff Security Policy and the IT Lockdown Policy do not align. One policy states a minimum length of 8 characters and the other states 9 characters. Also, some procedures are still in draft state therefore the documents need to be updated, for example Procedure for Patching PCs. |
Access control |
LBMC provided copies of the updated Staff Password Policy (March 2021) and IT Lockdown Policy (Nov 2020) to the Audit Team. In the IT Lockdown Policy reference to standard password length has been removed. LBMC also provided a copy of its updated Procedure for Patching PCs (v1.1 dated 27 April 2021). |
Organisation nonconformity | Closed |
| 7 | There is no reconciliation between hardware provided to the third-party disposal contractor and the returned certificate of destruction to account for all devices. Any reconciliation is potentially made more difficult by LMBC removing device asset labels prior to transfer to the disposal contractor. | Data destruction |
LBMC has awarded a new contract with an external provider for the provision of IT asset disposal and recycling. As part of its contractual obligations, the supplier provides a certificate of collection and disposal. To ensure that all assets sent to the provider are accounted for, the Council’s Asset and Change Management team has written an asset disposal procedure to monitor and track that all hardware is accounted for. LBMC provided a copy of the procedure to the Audit Team. |
Observation | Closed |
| 8 | LBMC has an arrangement in place with another organisation to hold the Council’s data (including NHS Digital data) for disaster recovery purposes. The Council were unable to supply a valid agreement between the two parties. | Operational management | A copy of the contract supporting this agreement was provided to the Audit Team. | Observation | Closed |
| 9 | There is no documented process to support the review of swipe card access to the data centre on a regularly basis. LBMC confirmed that this check last took place in August 2017. | Access control | LBMC provided a documented procedure for the review of access to the IT rooms which includes the data centre. | Observation | Closed |
| 10 | Currently, accounts with enhanced privileges, including backup operators, are not reviewed. | Access control | LBMC provided a documented procedure to review and track user accounts with enhanced privileges. In addition, evidence was provided to the Audit Team to show that such reviews have been carried out. | Observation | Closed |
| 11 | LBMC carry out year-end backups which are held for an indefinite period. If LBMC retained NHS Digital data indefinitely, that would be a breach of the DSFC. LBMC need to ensure that future end of year backups exclude NHS Digital data. It should be noted that LBMC confirmed that the HES data held previously, was deleted before the end of year backup took place. | Access control |
The NHS Digital Data Access Request Service (DARS) team has provided LBMC with advice around the retention and destruction of backups. |
Observation | Closed |
| 12 | At the time of the audit, NHS Digital data had not been accessed via HDIS. The Audit Team recommended the following items be considered prior to accessing the system:
|
Access control | LBMC provided:
|
Observation | Closed |
| 13 | LBMC were unable to supply a valid contract with a third-party disposal contractor. LMBC stated that the last such contract has expired and was in the process of retendering for the service. | Data destruction |
LBMC has awarded a new contract to an external provider for the provision of IT asset disposal and recycling. A copy of the successful award notification to the successful supplier was provided to the Audit Team. |
Observation | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 30 June 2021 1:45 pm