
NHS Digital Data Sharing Remote Audit: NHS North Central London Clinical Commissioning Group

This report records the key findings of a remote data sharing audit of NHS North Central London Clinical Commissioning Group between April and May 2022

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of NHS North Central London Clinical Commissioning Group (NCL CCG) between 25 April and 4 May 2022. It provides an evaluation of how NCL CCG conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-369360-Z5R7D v2.01
  • the data sharing agreement (DSA) DARS-NIC-362253-J5V8L-v3.2

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Mental Health Services Data Set | Identifiable, Sensitive | 01/04/2016 - 12/01/2025 |
| SUS for Commissioners | Identifiable, Sensitive | 01/04/2020 - 12/01/2025 |
| National Diabetes Audit | Pseudo/Anonymised, Sensitive | 01/04/2013 - 12/01/2025 |
| e-Referral Service for Commissioning | Pseudo/Anonymised, Sensitive | 01/04/2013 - 12/01/2025 |
| Medicines dispensed in Primary Care (NHSBSA data) | Pseudo/Anonymised, Sensitive | 01/04/2018 – 12/01/2025 |
| Mental Health Minimum Data Set | Pseudo/Anonymised, Sensitive | 01/04/2013 – 31/03/2014 |
| Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, Sensitive | 01/04/2014 – 31/12/2015 |
| Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Sensitive | 01/04/2016 – 12/01/2025 |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Sensitive | 01/04/2013 – 12/01/2025 |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Sensitive | 01/04/2016 - 12/01/2025 |
| Mental Health Services Data Set | Pseudo/Anonymised, Sensitive | 01/04/2016 - 12/01/2025 |
| Maternity Services Data Set | Pseudo/Anonymised, Sensitive | 01/04/2016 - 12/01/2025 |
| Children and Young People Health | Pseudo/Anonymised, Sensitive | 01/04/2016 – 31/10/2017 |
| SUS for Commissioners | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Acute - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Ambulance - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Community - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Demand for Service - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Diagnostic Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Emergency Care - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Experience, Quality and Outcomes - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Mental Health - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Other Not Elsewhere Classified (NEC) - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 – 12/01/2025 |
| Population Data - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 - 12/01/2025 |
| Primary Care Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 - 12/01/2025 |
| Public Health and Screening Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 01/04/2020 - 12/01/2025 |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | 01/04/2013 - 12/01/2025 |
| Civil Registration - Births | Pseudo/Anonymised, Sensitive | 01/04/2013 - 12/01/2025 |
| Personal Demographic Service | Pseudo/Anonymised, Sensitive | 01/05/2011 - 12/01/2025 |
| Community Services Data Set | Pseudo/Anonymised, Sensitive | 01/11/2017 - 12/01/2025 |
| Adult Social Care | Pseudo/Anonymised, Sensitive | 01/01/2015 – 12/01/2025 |
| Summary Hospital level Mortality Indicator | Pseudo/Anonymised, Sensitive | 01/05/2011 – 12/01/2025 |
| National Cancer Waiting Times Monitoring Data Set (NCWTMDS) | Pseudo/Anonymised, Sensitive | 01/04/2009 - 12/01/2025 |

In the DSA, the Controller is NCL CCG, and the Processors are North and East London (NEL) Clinical Support Unit (CSU), North of England CSU (NECS) and Microsoft UK. However, since the DSA was signed, there have been changes to the Processors and their roles, most significantly to NEL CSU. Currently the Processors are NEL CCG, London Shared Services (LSS), NECS and Microsoft UK. Further changes to these organisations are expected in July 2022 as the CCGs transition to Integrated Care Boards (ICBs) and South West London CCG assumes responsibility for the infrastructure from LSS.

Because of these ongoing changes, the audit focused on the commissioning activities undertaken by NCL CCG, supported by NEL CCG and LSS. This audit did not consider the risk stratification and invoice validation activities by NCL CCG, nor did it include NECS, which is predominantly providing Data Services for Commissioners Regional Office (DSCRO) related services.

Data provided by NHS Digital is used to provide intelligence to support the commissioning of health services. The data is analysed so that health care provision can be planned to support the needs of the population within the CCG area.

This report also considers whether NCL CCG, NEL CCG and LSS conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information transfer
  • Access control
  • Data use and benefits
  • Risk management
  • Operational management and control
  • Data destruction

Restrictions:

  • Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

NCL CCG and NEL CCG have reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

NCL CCG and NEL CCG will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the NCL CCG to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following tables identify the 5 agreement nonconformities, 1 observation, 5 opportunities for improvement and 3 points for follow-up raised as part of the audit. Given the changing nature of the Processors involved, some of the findings have been allocated to NCL CCG, even though the CCG may not be directly responsible for its action.

NCL CCG

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | Since the DSA was signed on 13 January 2022 there have been changes to the organisations processing the data, and their associated processing and storage locations, which are not reflected on the DSA. Over the coming months further changes are planned. | Information Transfer | DSA, Annex A, Clauses 1 and 2 | Agreement nonconformity |
| 2 | One of the laptops sampled during the audit had a non-functional anti-virus solution which requires re-installation. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 3 | NCL CCG to review the accuracy of its document management information as several of its policies have errors on the front cover including dates and version numbers. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.1 | Agreement nonconformity |
| 4 | A recent access control review failed to identify a NCL CCG staff member who no longer required access to data provided by NHS Digital, due to an internal move between departments. | Access Control | DSFC, Schedule 2, Section A, Clause 4.1 | Agreement nonconformity |
| 5 | The NCL CCG Information Asset Register (IAR) does not identify the datasets provided by NHS Digital. Currently the IAR is focused on the assets generated by the CCG, for example reports and outputs. | Operational Management | DSFC, Schedule 2, Section A, Clause 3.2 | Agreement nonconformity |
| 6 | A small number of staff with access to the data supplied by NHS Digital are just outside of the 12-month data protection training window. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Observation |
| 7 | At the next review of the NCL CCG Information Governance Framework (currently v0.6), the CCG should review the bulleted list in section 3.1 to ensure it accurately reflects its requirements and the text is clear as to what is to be delivered. | Operational Management | | Opportunity for improvement |
| 8 | NCL CCG to consider developing a risk management training pack as part of its plan to provide risk management training to all staff. | Risk Management | | Opportunity for improvement |
| 9 | NCL CCG could not provide a copy of the latest honorary contract for a member of staff with access to data provided by NHS Digital. NCL CCG should also agree the wording with the Data Access Request Service (DARS) team around any continuing honorary contracts. | Operational Management | | Opportunity for improvement |
| 10 | The Audit Team suggested that NCL CCG should ensure all appropriate new teams and stakeholders review any new DSFC and DSA to ensure that they are fully aware of their responsibilities and are fully compliant. | Operational Management | | Opportunity for improvement |

NEL CCG

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 11 | NEL CCG to add the outdated servers to its risk register, along with the mitigation for their current retention. | Access Control | | Opportunity for improvement |
| 12 | At the post audit review, the Audit Team will review the status of the decommissioning or reuse of the on-premises secure file transfer server. | Data Destruction | | Follow-up |
| 13 | At the post audit review, the Audit Team will review the NEL CCG operational risk register. | Risk Management | | Follow-up |
| 14 | At the post audit review, the Audit Team will review evidence of the NEL CCG IAR and Record of Processing Activities (ROPA), as it pertains to the data supplied under the DSA. The Audit Team will also require confirmation of the appointed Information Asset Owner. | Operational Management | | Follow-up |

Use of data

NCL CCG confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.

Data location

NCL CCG and the Processor confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
|---|---|
| NEL CCG | England / Wales |
| Microsoft | England / Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| Microsoft | Disk | 6 months |


Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the audit team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 15 June 2022 2:27 pm