NHS Digital Data Sharing Remote Audit: i5 Health Limited
This report records the key findings of a remote data sharing audit of i5 Health Limited in October 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of i5 Health Limited (i5 Health) between 10 and 14 October 2022. It provides an evaluation of how i5 Health conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-311985-R7R3V-v2.01
- the data sharing agreement (DSA) DARS-NIC-14709-Z2H2R-v6.9
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| HES Outpatients | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| HES Accident and Emergency | Anonymised, Non-sensitive | 2012/13 – 2019/20_M12 |
| Secondary Uses Service (SUS) Payment by Results Episodes | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| SUS Payment By Results Spells | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| SUS Payment By Results Outpatients | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| SUS Payment By Results Accident & Emergency | Anonymised, Non-sensitive | 2012/13 – 2020/21 |
| Emergency Care Data Set (ECDS) | Anonymised, Non-sensitive | 2018/19 – 2020/21 |
| HES-ID to MPS-ID HES Admitted Patient Care | Anonymised, Non-sensitive | 2016/17 |
| HES-ID to MPS-ID HES Outpatients | Anonymised, Non-sensitive | 2016/17 |
The Controller is i5 Health.
i5 Health provides consultancy services to support to Clinical Commissioning Groups, Commissioning Support Units, Sustainability and Transformation Plans, Acute services, NHS England, and Local Authorities in their decision-making for commissioning. It uses the SUS, ECDS and HES historic data to build full and accurate medical histories, then uses analysis to monitor the progression of diseases. This allows i5 Health to create prediction models that can forecast the onset of a disease, or the prognosis and likely outcomes when the models are applied to patient data.
This report also considers whether i5 Health conforms to its own policies, processes, and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Focussed |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality, and integrity, as appropriate.
Data recipient’s acceptance statement
i5 Health has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
i5 Health will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with i5 Health to confirm the findings have been satisfactorily addressed.
Findings
The following table identifies the 4 organisation nonconformities, 1 observation and 5 opportunities for improvement raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | There was an inaccuracy noted in a policy between the documented level of encryption and the actual level on devices. | Access Control | Data Encryption Policy, section 3.4 | Organisation nonconformity |
| 2 |
Patching had not been consistently conducted in accordance with the IT Patch Management Policy. |
Access Control | IT Patch Management Policy, section 2 | Organisation nonconformity |
| 3 |
Business continuity and disaster recovery plans have not been developed as required by the Information Security Policy. |
Operational Management |
Information Security Policy, section 5.18 |
Organisation nonconformity |
| 4 | The risk register is not compliant with the requirement of the Risk Management Policy and Risk Assessment Template. | Risk Management | Risk Management Policy and Risk Assessment Template, section 11; Appendix A sections 3 and 4 | Organisation nonconformity |
| 5 | Appendix A of the Disposal and Destruction of Electronic Equipment Policy states that “A contract will be established that will meet all legal and regulatory requirements for secure confidential disposal of assets.” i5 Health confirmed that a contract was not currently in place. | Data Destruction | Disposal and Destruction of Electronic Equipment Policy, Appendix A | Observation |
| 6 | There was an inaccuracy noted in the Password Management Policy between the documented password settings and the actual settings on devices. The actual level was stronger. | Access Control |
|
Opportunity for improvement |
| 7 | Although i5 Health is performing its own assessments, the Audit Team suggested that an independent security assessment is undertaken. | Access Control | Opportunity for improvement | |
| 8 | The Audit Team suggested that the retention period of access logs is reviewed. Also, offline backups of the logs should be taken to ensure they can be accessed to facilitate investigations. | Access Control | Opportunity for improvement | |
| 9 | There are inconsistencies regarding how the data supplied by NHS Digital is referred to across i5 Health’s documentation (for example, some documents refer to it as “HES” and some “SUS”). The terminology should be standardised to ensure consistent reference. | Operational Management | Opportunity for improvement | |
| 10 | The version control information for the Data Protection Impact Assessment (DPIA), Record of Processing Activities (ROPA) and HES risk register documents should be corrected on the next review of these documents. | Operational Management | Opportunity for improvement |
Use of data
i5 Health confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
i5 Health confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. This location conforms with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| i5 Health | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| i5 Health | Disk | 1 year |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- the value of the data supplied under this DSA was demonstrated through the projects i5 Health have undertaken with NHS organisations.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 12 December 2022 10:58 am