NHS Digital Data Sharing Remote Audit: NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board
This report records the key findings of a remote data sharing audit of NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board in October 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board (ICB) between 3 and 7 October 2022. It provides an evaluation of how the ICB conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-433692-X1V5Y-v2.01
- the data sharing agreement (DSA) DARS-NIC-422183-C3K9L-v4.2
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Secondary Uses Service (SUS) for Commissioners | Identifiable, Sensitive | 01/04/2013 - latest available |
| National Diabetes Audit | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available |
| e-Referral Service for Commissioning | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available |
| Medicines dispensed in Primary Care (NHSBSA data) | Pseudo/Anonymised, Non-sensitive | 01/04/2018 - latest available |
| Mental Health Minimum Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - 31/03/2014 |
| Mental Health Learning Disabilities Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2014 - 31/12/2015 |
| Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available |
| Mental Health Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available |
| Maternity Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available |
| Children and Young People Health | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - 31/10/2017 |
| SUS for Commissioners | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Acute-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Ambulance-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Community-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Demand for Service-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Diagnostic-Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Emergency Care-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Experience, Quality and Outcomes-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Mental Health-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Other Not Elsewhere Classified (NEC)-Local Provider Flow | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Population Data-Local Provider Flow | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Primary Care Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Public Health and Screening Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available |
| Civil Registration-Deaths | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available |
| Civil Registration-Births | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available |
| Personal Demographic Service | Pseudo/Anonymised, Non-sensitive | 01/05/2011 - latest available |
| Community Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/11/2017 - latest available |
| Adult Social Care | Pseudo/Anonymised, Non-sensitive | 01/01/2015 - latest available |
| Summary Hospital-level Mortality Indicator | Pseudo/Anonymised, Non-sensitive | 01/05/2011 - latest available |
| National Cancer Waiting Times Monitoring Dataset (NCWTMDS) | Pseudo/Anonymised, Non-sensitive | 01/04/2009 - latest available |
The Controller is the ICB, although the DSA still refers to Clinical Commissioning Groups (CCGs). There are numerous Processors declared in the DSA. However, as this audit was focused on sub-licencing activities, only the following Processors were interviewed as part of the audit: NHS Arden and Greater East Midlands Commissioning Support Unit (CSU) and Hertfordshire, Bedfordshire and Luton Information Technology (HBL ICT). HBL ICT is undeclared in the DSA. Microsoft Limited is also declared as a Processor who provides cloud storage.
The DSA allows the ICB to share data it receives from NHS Digital via a sub-licencing approach with Integrated Care System (ICS) partners. All data sharing is restricted to ICS members within the area the ICB is part of and only for the sole purpose of commissioning.
The ICB needs to share this data to provide intelligence to support the commissioning of health services. The data is also analysed so that health care provision can be planned to support the needs of the population within the ICB area.
Access to the data for the ICS partners is via the CSU’s Business Intelligence Tools: GEMIMA and the Data Management Environment.
This report also considers whether the ICB and its Processors conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Focussed The audit was focused on sub-licensing arrangements as outlined in the DSA. The interviews were limited to representatives from the ICB, the CSU and HBL ICT. |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The ICB and the CSU have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The ICB and the CSU will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the ICB and the CSU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 7 agreement nonconformities, 1 organisation nonconformity, 1 observation, 4 opportunities for improvement and 6 points for follow-up raised as part of the audit.
ICB
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The ICB has not updated its privacy notice to take into account the sub-licensing arrangements as required by the DSA. | Operational Management |
DSA, Annex A, Section 5b DSA, Annex A, Section 10 - Sub-licensing |
Agreement nonconformity |
| 2 |
There are no valid sub-licensing agreements at an organisation level between the ICB and the ICS partners. In some cases, an agreement had been signed by the ICS partner, however, the sign off section for the ICB was not complete. Honorary contracts were put in place to allow public health staff to work under the CCG arrangements, whilst the ICB was being set up and ICS partnership arrangements including the sub-licensing arrangements were being finalised, however, at the time of the audit the honorary contracts had expired. |
Use and Benefits |
DSA, Annex A, Section 5b DSA, Annex A, Section 10 - Sub-licensing |
Agreement nonconformity |
| 3 |
The data are being processed and stored at locations not declared in the DSA. All the locations are within England. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Data Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS Digital on request. |
Information Transfer |
DSA, Annex A, Sections 2a and 2b |
Agreement nonconformity |
| 4 | The ICB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (GDPR) | Agreement nonconformity |
| 5 | Some users that had access to the GEMIMA platform, had not completed data protection training in the last 12 months. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Agreement nonconformity |
| 6 | The ICB is using a third-party IT provider to manage its IT infrastructure and the backups. This Processor is not declared in the DSA. | Access Control |
DSA, Annex A, Section 1c |
Agreement nonconformity |
| 7 | The ICB should remind sub-licensees that any reports created using the data and externally shared must be aggregated and small numbers suppressed in line with NHS Digital guidance. | Use and Benefits | DSA, Annex A, Section 5b | Observation |
| 8 | The ICB should consider providing Information Asset Owner (IAO) and Information Asset Administrator (IAA) refresher training as it is a new organisation. The last time the training was provided by the CCG was in April 2020. | Operational Management | Opportunity for improvement | |
| 9 | The ICB should consider requesting assurance from sub-licensees that they are meeting the specific sub-licensing conditions set out in the DSA. | Use and Benefits | Opportunity for improvement | |
| 10 | At the post audit review, the Audit Team will review the updated Information Asset Register (IAR). This work has been scheduled following the transition from the CCGs to the ICB. | Operational Management | Follow-up | |
| 11 | At the post audit review, the Audit Team will review the progress made on reidentifying data for direct patient care purposes by one of the ICS partners. | Use and Benefits | Follow-up | |
| 12 | The ICB is reviewing its own processes and the following points should be taken into consideration:
The above items will be followed up by the Audit Team at the post audit review. |
Operational Management | Follow-up | |
| 13 | At the post audit review, the Audit Team will review the updated Data Protection Impact Assessment (DPIA). | Operational Management | Follow-up |
CSU
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 14 | The CSU has not completed a ROPA for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (GDPR) | Agreement nonconformity |
| 15 | The CSU has not conducted a bi-annual review of user access to personal confidential data for the GEMIMA platform as required by its documentation. The last review was conducted in February 2022. | Access Control | Arden & GEM CSU, GEMIMA - User Approval Process Version 4.0, Clause 4.7 | Organisation nonconformity |
| 16 | The CSU could enhance its account management process for the GEMIMA platform by carrying out more frequent audits to identify dormant accounts. Currently, the CSU conducts this audit on an annual basis. |
Access Control |
Opportunity for improvement | |
| 17 | The CSU runs security assessments on an ad-hoc basis, however, there are plans to make this more regular. | Access Control | Opportunity for improvement | |
| 18 | At the post audit review, the Audit Team will review the progress made to setup proactive alerts to review the re-identification request logs. Currently re-identification request logs are collated and only analysed on a reactive basis. | Use and Benefits | Follow-up | |
| 19 | At the post audit review, the Audit Team will review the plan to replace the software used within the sub–licencing environment. | Access Control | Follow-up |
Use of data
The ICB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The ICB, the CSU and HBL ICT confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| ICB (HBL ICT) | England / Wales |
| CSU | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| ICB (HBL ICT) | Disk | 12 months |
| CSU | Disk | 90 days |
| Microsoft Limited | Cloud | 7 days |
Good Practice
During the audit, the Audit Team noted the following areas of good practice:
- the ICB has engaged with General Practitioner (GP) Data Protection Officers early to inform and share the requirements in the DSA
- the CSU is certified to Cyber Essential Plus.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 12 December 2022 10:32 am