NHS Digital Post Audit Review: Intensive Care National Audit & Research Centre

This report provides the formal closure of the remote data sharing audit of the Intensive Care National Audit & Research Centre in October 2021.

Audit summary

This report provides the formal closure of the remote data sharing audit of the Intensive Care National Audit & Research Centre (ICNARC) between 18 and 22 October 2021. It provides an evaluation of how ICNARC conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-303700-Q1B6H v2.01
  • the data sharing agreement (DSA) DARS-NIC-46844-W5V5G-v2.3

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Medical Research Information Service (MRIS) – Cohort Event Notification Report | Identifiable, Sensitive | Nov 2017 – Jan 2018
MRIS – Flagging Current Status Report | Identifiable, Sensitive | Nov 2017 – Jan 2018

The Controller is ICNARC, and the Processors are Nasstar and Exponential-e (Exponential-e is not named on the active DSA). Although Iron Mountain is also named as a Processor on the active DSA, the company is no longer used by ICNARC and was therefore excluded from this audit.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by ICNARC between June and July 2022.

Post audit review outcome

Based on the evidence provided by ICNARC, the Audit Team has closed all the findings. Therefore, no further action is required of either the Audit Team or ICNARC.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low

Data recipient’s acceptance statement

ICNARC has reviewed this report and confirmed that it is accurate.
Status

The following table identifies the 3 agreement nonconformities, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.

Each entry below gives the finding reference, the finding, the linked audit area, the post audit review update, the designation and the closure status.

Ref 1
Finding: There is no evidence to show that NHS Digital was informed in a reasonable timeframe of the significant changes to the Processors and processing infrastructure in 2019/2020, which ICNARC stated it made with the aim of enhancing the security of the data. Although NHS Digital was informed in October 2021, it is important that these changes are formally recognised and accepted.
Link to area: Access control
Update: ICNARC has revised its Procurement Policy (v1.2, January 2022), which now requires it to notify NHS Digital of any change to its Processors. ICNARC informed the Data Access Request Service (DARS) team of the changes to the Processors that were identified during the original audit. A revised DSA, DARS-NIC-46844-W5V5G-v3.5 (in progress), shows the inclusion of Exponential-e and the removal of Iron Mountain. ICNARC also provided a copy of an email (March 2022) sent to DARS which proposes a future change to one of its Processors.
Designation: Agreement nonconformity
Status: Closed

Ref 2
Finding: The data processing and storage locations specified on the active DSA and the in-progress application do not accurately reflect the current locations.
Link to area: Information transfer
Update: An in-progress DSA, DARS-NIC-46844-W5V5G-v3.5, shows the revised processing and storage locations. The narrative in section 5b also recognises the changes to processing by its current Processors.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: There was no evidence to show that user access to the locations holding data supplied by NHS Digital is reviewed on a regular basis.
Link to area: Access control
Update: ICNARC provided minutes of its Change Advisory Board (CAB) which state that access permissions will be reviewed quarterly and access logs reviewed fortnightly. The minutes also show that access permissions and access logs were reviewed several times during 2022. A copy of a report generated by the Processor showing folder permissions (4 July 2022) was supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: If processing of the data supplied by NHS Digital resumes, then ICNARC will need to ensure that all staff with access to the data supplied by NHS Digital have completed the data protection training within the last 12 months.
Link to area: Operational Management
Update: ICNARC provided an export of its staff Information Governance training log showing when the Data Security and Protection Toolkit training was last completed by each member of staff. This log showed that all staff with access to the folder holding the data supplied by NHS Digital had completed their training in the last 12 months.
Designation: Observation
Status: Closed

Ref 5
Finding: ICNARC should review its general privacy notice and any study-specific privacy notice to ensure there is limited opportunity for confusion due to differing commitments.
Link to area: Operational Management
Update: ICNARC provided copies of its revised general privacy notice and the privacy notice for the POPPI (Provision of Psychological support to People in Intensive care) study, which is the study covered by this DSA. The text “Where your rights are different for individual research studies compared to the ICNARC privacy policy, the individual research study privacy policy takes priority.” has been added to the general privacy notice. The POPPI privacy notice includes the changes proposed to the DSA (see finding 1).
Designation: Opportunity for improvement
Status: Closed

Ref 6
Finding: Although ICNARC is currently tracking and reviewing all identified vulnerabilities, the Audit Team suggested that the Network Security Policy is amended to recognise that medium and low risks are also evaluated and addressed.
Link to area: Operational Management
Update: The Network Security Policy has been amended to state, “Medium and low risks will also be evaluated and addressed”. A copy of the revised policy (v1.1) was provided to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 7
Finding: The Audit Team suggested that some documentation should be maintained for ICNARC's service review meetings with the infrastructure provider, and that risk management should be added as a standing agenda item at these meetings.
Link to area: Operational Management
Update: The monthly service pack with the infrastructure provider now includes a review of the risk register. A copy of the May 2022 service pack was supplied to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 8
Finding: The Audit Team suggested that “providers of data” is added to the notification section of the Information Security Incident Management document.
Link to area: Operational Management
Update: The revised Information Security Incident Management document now recognises the need to inform providers of data in the event of certain incidents. A copy of the revised document was provided to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 9
Finding: ICNARC should review the asset information reporting it receives from its Processor to ensure its relevance and accuracy.
Link to area: Operational Management
Update: ICNARC stated that the asset information received from its Processor has been reviewed, and will remain under regular review, to ensure and maintain its relevance and accuracy. An example of a patching report created by the new Processor in June 2022 was supplied to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 10
Finding: At the post audit review the Audit Team will review the evidence associated with the destruction of equipment and tapes that previously held data supplied by NHS Digital. The destruction is planned for later in 2021.
Link to area: Data Destruction
Update: ICNARC provided a copy of an email sent to DARS in December 2021 listing the server discs and tapes that were destroyed. It also supplied a copy of the associated NHS Digital certificate of destruction sent to DARS in July 2022.
Designation: Follow-up
Status: Closed


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 27 September 2022 4:25 pm