
NHS Digital Post Audit Review: CHKS

This report provides the formal closure of the remote data sharing audit of CHKS in February 2019 

Audit summary

This report provides the formal closure of the remote data sharing audit of CHKS on 14 February 2019 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-312425-T5J4X
  • the data sharing agreement (DSA) DARS-NIC-10891-M2Y6Z-v6.3 

 This DSA covers the provision of the following datasets: 

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Hospital Episode Statistics (HES) Critical Care | Pseudonymised/Anonymised, Non-sensitive | 2012/13 to 2018/19 (M08) |
| HES Accident and Emergency | Pseudonymised/Anonymised, Non-sensitive | 2010/11 to 2018/19 (M08) |
| HES Admitted Patient Care | Pseudonymised/Anonymised, Non-sensitive | 2010/11 to 2018/19 (M08) |
| HES Outpatients | Pseudonymised/Anonymised, Non-sensitive | 2010/11 to 2018/19 (M08) |

 

The Controller and Processor is CHKS.

Following a post audit review conducted in May 2021, 1 agreement nonconformity and 2 observations remained open.

Further guidance on the terms used in this post audit review report can be found in version 2 of the NHS Digital Data Sharing Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by CHKS between February and March 2022.

Post audit review outcome

Based on the evidence provided by CHKS, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and CHKS.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.

Original risk statement: Low

Previous risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

CHKS has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 1 agreement nonconformity and 5 observations raised as part of the original audit. 

Findings 3 and 6 were closed as part of the post audit review conducted in May 2021. 

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | It was not clear who the Information Asset Owner (IAO) is for the HES data, nor was the IAO identified in the data register as required by the DSFC. | Operational Management | CHKS provided an extract from its updated Information Asset Register (IAR), dated August 2021, which now identifies the IAO for the HES data. | Agreement nonconformity | Closed |
| 2 | Only a few of the fields in the data register have been populated for the HES data. CHKS should consider populating the blank fields to ensure that adequate information is recorded on the data held. | Operational Management | CHKS provided an extract from its updated IAR which now shows that the blank fields have been populated. | Observation | Closed |
| 3 | CHKS should consider the production and retention of auditable evidence to demonstrate the permanent electronic deletion of data. | Data Destruction | CHKS provided screenshots of SQL queries to initiate and generate electronic data deletion; the company also provided confirmation that the data purge was completed and that no records exist. CHKS stated that data destruction certificates and other evidence of data deletion will be held within its SharePoint site. In addition, CHKS has updated its NHS Digital Data Management Procedure to provide clarity around the procedures for data deletion and retention of auditable evidence. A copy of the procedure was provided to the Audit Team. | Observation | Closed |
| 4 | An issue tracking system ticket raised with respect to the recent data deletion exercise specified different methods by which separate instances of the HES data could be deleted; it was not specific as to how data was formally deleted. The ticket should be updated to state the actual methods used. CHKS could also add the agreed methods for electronic data deletion from the different repositories into its NHS Digital Data Management procedure. This addition would also be consistent with the development of local instructions as recommended by the parent company’s Security Standard, clause 2.3.1.4. | Data Destruction | CHKS has updated its NHS Digital Data Management Procedure which now provides clarity around the methods for data deletion from the different repositories. A copy of the procedure was provided to the Audit Team. CHKS also provided a screenshot of the tickets evidencing the data deletion process. | Observation | Closed |
| 5 | CHKS should review and revise clause 2.4 of its NHS Digital Data Management procedure to reflect current practice. | Data Destruction | During the original audit, CHKS stated that backups of the HES data were not being taken due to limited disk space. Section 2.4.2 of both the Management procedure document in Dec 2018 and the updated version of Feb 2020 indicated that “Backups are Checked”. CHKS has now confirmed that backups are in place for the HES data; therefore the procedures outlined in the procedure document are now being followed. The retention period for the backups is 3 months. | Observation | Closed |
| 6 | The Audit Team suggested that the address of the data centre be added under processing location in the DSA. The data centre is already identified under storage location. | Operational Management | CHKS has added the address of the data centre as a processing location. A copy of the amended DSA was provided to the Audit Team. | Observation | Closed |
 

 


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 15 June 2022 2:43 pm