NHS Digital Data Sharing Remote Audit: NHS Dorset Clinical Commissioning Group
This report records the key findings of a remote data sharing audit of NHS Dorset Clinical Commissioning Group in January 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of NHS Dorset Clinical Commissioning Group (CCG) between 10 and 14 January 2022. It provides an evaluation of how the CCG conforms to the requirements of both:
- the data sharing framework contract CON-338307-D8Z0G
- the data sharing agreement (DSA) DARS-NIC-54727-S3Y1T-v4.3
This DSA covers the provision of the following datasets, though not all are supplied to the CCG:
Dataset | Classification of data | Dataset period |
---|---|---|
SUS for Commissioners | Pseudo/Anonymised, Sensitive | 2008/09 – 2021/22 |
Emergency Care - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Acute - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Ambulance - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Community - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Demand for Service - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Diagnostic Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Experience, Quality and Outcomes - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Mental Health - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Other Not Elsewhere Classified (NEC) - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Population Data - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Primary Care Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Public Health and Screening Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Mental Health Minimum Data Set | Pseudo/Anonymised, Sensitive | 2014/15 - 31/12/2015 |
Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, Sensitive | 2013/14 |
Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
Diagnostic Imaging Dataset | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
Mental Health Services Data Set | Pseudo/Anonymised, Sensitive | 01/01/2016 – 2021/22 |
Maternity Services Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
Children and Young People Health | Pseudo/Anonymised, Sensitive | 2016/17 - 31/10/2017 |
Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Civil Registration - Births | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Community Services Data Set | Pseudo/Anonymised, Sensitive | 01/11/2017 – 2021/22 |
National Cancer Waiting Times Monitoring Data Set (CWT) | Pseudo/Anonymised, Sensitive | 2009/10 – 2021/22 |
National Diabetes Audit | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
Patient Reported Outcome Measures | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
The Controller is the CCG, and the Processors are the Dorset Healthcare University NHS Foundation Trust (DHC) and Microsoft Limited. Microsoft Limited supplies cloud storage services, via the Microsoft Azure platform, and does not process the data.
The Dorset Intelligence & Insight Service (DiiS) reporting solution is hosted on Azure and managed by DHC. The DHC and Dorset County Hospital NHS Foundation Trust are both Joint Controllers for DiiS. The above datasets are supplied directly to the DiiS platform by NHS Digital.
The CCG was working in the spirit of an Integrated Care System (ICS) in advance of the changes when the CCG will be absorbed into an ICS. The ICS is expected to take on the commissioning responsibility that currently sits with the CCG. It will also be responsible for broader aims such as strategic planning for the area. The DiiS is expected to be part of the ICS and help support its responsibilities across Dorset.
The pseudonymised data supplied by NHS Digital, along with health data from other providers, is used to provide intelligence across the Dorset ICS (“Our Dorset”) and its constituent Primary Care Networks to support population health management. The DiiS reporting solution brings together data from multiple organisations across Dorset to support the needs of the population within the CCG area.
Towards the end of 2021, NHS Digital identified specific concerns with respect to the ‘Our Dorset’ Power BI dashboards published by the CCG on the internet. NHS Digital was of the view that these dashboards were displaying pseudonymised patient data without small number suppression, without adequate Role-Based Access Controls (RBAC) and with a risk of re-identification.
As part of the planned development and phased roll out of the solution, RBAC had been implemented and small number suppression was implemented for aggregated presentations prior to the audit. The audit was therefore carried out on the latest version of the solution.
Based on these concerns, this audit was restricted to the dashboards published by DiiS and therefore excluded other Processors named in the DSA that provide support to the wider commissioning services.
This report also considers whether the CCG and relevant Processors conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
Audit type | Heightened Concern: NHS Digital identified specific concerns with respect to the ‘Our Dorset’ Power BI dashboards published by the CCG on the internet. NHS Digital is of the view that these dashboards are displaying pseudonymised patient data without small number suppression, without adequate role-based access controls and with a risk of re-identification. |
---|---|
Scope areas | Information transfer |
Restrictions | The above scope areas are limited to the DiiS PowerBI dashboards |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The CCG has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The CCG and DHC will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the CCG to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 6 agreement nonconformities, 1 organisation nonconformity, 7 opportunities for improvement and 3 points for follow-up raised as part of the audit.
CCG
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | Some of the core dashboards available to authorised end users display pseudonymised record-level data which is not consistent with the data sharing statements in the DSA. | Use and Benefits | DSA, Annex A, Section 5b | Agreement nonconformity |
2 | The active DSA needs to be updated as it does not reflect current practice, including (but not limited to): | Use and Benefits | DSA, Annex A, Sections 3 and 5 | Agreement nonconformity |
3 | The DPIA needs to be updated to reflect current practice including: | Operational Management | DSFC, Schedule 3, Applicable Law and Guidance - General Data Protection Regulation | Agreement nonconformity |
4 | The Information Asset Register (IAR) and Record of Processing Activities (ROPA) need to be updated to reflect current practice. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2; DSFC, Schedule 3, General Data Protection Regulation (GDPR) | Agreement nonconformity |
5 | The Audit Team suggested that any new DSA and DSFC be reviewed by all stakeholders to ensure that they are aware of their responsibilities and obligations. | Operational Management | | Opportunity for improvement |
6 | The CCG should establish formal agreements between the Controller(s) and each partner organisation that has users who can access the dashboards. | Operational Management | | Opportunity for improvement |
DHC / DiiS
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
7 | Some of the configuration settings on the Azure platform are not in line with the DSA, DSFC and DiiS documentation. | Information Transfer | DSFC, Schedule 2, Section A, Clause 4.6; DSA, Annex A, Section 5b; DiiS Solution Architecture document | Agreement nonconformity |
8 | Security testing had not been carried out on the Azure platform where the data is held. DiiS confirmed that such testing is being planned for later in 2022. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
9 | Data supplied by NHS Digital held on the SQL database had not been marked to indicate its source as defined in the DiiS Solution Architecture. | Operational Management | DiiS, Solution Architecture, v3.0, 21 June 2021 | Organisation nonconformity |
10 | DiiS should consider developing documentation that outlines the technical re-identification process (for example, the systems involved) and the business re-identification process (for example, the authorisation approval process). | Operational Management | | Opportunity for improvement |
11 | DiiS should review the following elements to identify any gaps in controls around: | Operational Management | | Opportunity for improvement |
12 | DiiS should consider if any additional Azure services should be enabled to improve the security and management of the platform. | Access Control | | Opportunity for improvement |
13 | DiiS should clarify which supervisory checks for users with access to the Azure environment are to be carried out. The results of these checks should be documented to provide an audit trail. | Access Control | | Opportunity for improvement |
14 | DiiS should remind all dashboard users that they are only allowed to access the dashboard within England and Wales. This is defined in the DSA as the territory of use. | Operational Management | | Opportunity for improvement |
15 | At the post audit review, the Audit Team will review the process developed around managing user access. For example, regular checks on last login, check for dormant accounts, movers/leavers process, etc. | Access Control | | Follow-up |
16 | At the post audit review, the Audit Team will review the work to refine the permissions for authorised dashboard users. DiiS reported that the same permissions had been applied to all authenticated dashboard end users given access to the core reports and there was work planned to refine the permissions even further. | Access Control | | Follow-up |
17 | At the post audit review, the Audit Team will review the user access list to the mapping table held at DHC. | Access Control | | Follow-up |
Use of data
The datasets were not being processed or used for the purposes defined in the DSA, see findings 1 and 2. The datasets were only being linked with those datasets explicitly allowed in the DSA.
Data location
The CCG and DHC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
Organisation | Territory of use |
---|---|
Microsoft | England/Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
Microsoft | Disk | 7 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the DiiS team and dashboard end user (Dorset General Practitioner) were able to clearly demonstrate the value the data supplied under this DSA has had in proactively benefiting health and social care within the Dorset area.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 11 March 2022 5:12 pm