NHS Digital Post Audit Review: Royal National Orthopaedic Hospital NHS Trust
This report provides the formal closure of the data sharing audit of the Royal National Orthopaedic Hospital NHS Trust in July 2019.
Audit summary
Purpose
This report provides the formal closure of the data sharing audit of the Royal National Orthopaedic Hospital NHS Trust (RNOHT) on 30 and 31 July 2019 against the requirements of both:
- the data sharing framework contract (DSFC) CON-319457-L4G2Q
- the data sharing agreement (DSA) DARS-NIC-14440-Q2G4W v3.9
with respect to the provision of:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | 2012/13 - 2018/19 M10 |
HES Critical Care | Anonymised/Pseudonymised, Non-sensitive | 2012/13 - 2018/19 M10 |
The Controller is RNOHT and the Processor was Neil Wilson Associates LLP (NAW).
Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by RNOHT between March 2021 and September 2022. There was also a Microsoft Teams call in July 2021.
Post audit review outcome
RNOHT has deleted the data supplied by NHS Digital as it no longer has an active DSFC. As a result, the findings assigned to RNOHT have either been closed through the provision of supporting evidence or have been assigned “open but not to follow up” due to the data being permanently destroyed and a completed Certificate of Destruction (CoD) provided to the Data Access Request Service (DARS) team.
Based on the evidence provided by the RNOHT, no further action is required by the Audit Team and RNOHT.
The findings in the original report may be subject to further review by NHS Digital if RNOHT are reengaged as a Controller under this DSA.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
RNOHT has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 5 agreement nonconformities, 3 organisation nonconformities, 3 observations, 6 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
RNOHT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | A number of users with enhanced privileges had access to the data supplied by NHS Digital even though there was no business necessity. The Trust did acknowledge users with enhanced privileges have been granted access for administrative purposes only and all access is fully auditable. | Access Control | An email was supplied to the Audit Team from the IAO that confirmed that the list of users was accurate and those identified required enhanced privileges. | Agreement nonconformity | Closed |
2 | Access to the network folder holding the raw data and the SQL database was granted automatically by IT and not through a request authorised by the Information Asset Owner (IAO). | Access Control | An email sent to IT Services by the IAO was shared with the Audit Team. The email included a list of users that were authorised by the IAO to access the data and the SQL database. | Agreement nonconformity | Closed |
3 | A portable device sampled at random by the Audit Team was not recorded in the equipment asset register. | Operational Management | Although this finding has not been addressed, the Audit Team will not follow up this finding since RNOHT has deleted the data supplied by NHS Digital and has completed an NHS Digital CoD. | Agreement nonconformity | Open, but not for follow-up |
4 | The encrypted backup tapes that hold data supplied by NHS Digital are stored at a third-party location. The contract between RNOHT and the third party was signed in 2009. RNOHT needs to review the contract and get appropriate assurances from the third party that it is General Data Protection Regulation (GDPR) compliant. | Access Control | A copy of the contract between RNOHT and the third party was supplied to the Audit Team. A section within the contract covers data protection. The contract was signed by both parties in November 2019. | Agreement nonconformity | Closed |
5 | A number of project support documents need to be reviewed and updated to resolve current inaccuracies, including the Data Protection Impact Assessment (DPIA). | Operational Management | The DPIA was updated following the audit. A copy of the DPIA was supplied to the Audit Team. | Agreement nonconformity | Closed |
6 | Some requirements of the Digital Services Acceptable Use Policy were different to the technical controls being enforced through group policies on the domain controller. Furthermore, there were two policies available to staff that had conflicting password requirements (‘Digital Services Acceptable Use Policy’ and ‘IT Systems User Account Access and Password Policy’), though it was stated that the latter had been rescinded since being supplied to the Audit Team prior to the audit. | Access Control | A screenshot of the domain controller password settings was supplied to the Audit Team. These settings align with the Digital Services Acceptable Use Policy provided at the original audit. | Organisation nonconformity | Closed |
7 | RNOHT did not hold signed copies of the honorary contracts for NAW staff. One contract had expired in March this year. One contract was signed whilst the Audit Team was on-site. | Operational Management | RNOHT supplied copies of the Get It Right First Time (GIRFT) honorary contracts to the Audit Team. The copies were in date, signed and complete. | Organisation nonconformity | Closed |
8 | The Audit Team were informed that there was a data centre visitor log though this could not be found at the time of the visit to the data centre. | Access Control | Screenshots of the data centre visitor log were supplied to the Audit Team as evidence that a log exists. | Organisation nonconformity | Closed |
9 | At the time of the audit, conflicting information was provided on the data destruction process and there was a lack of paperwork to support the process. However, no assets holding data supplied by NHS Digital have been destroyed. RNOHT in reviewing and revising its hardware disposal process should: | Data Destruction | RNOHT has considered the suggestions in the finding and made changes to its processes. A copy of the following documentation was supplied to the Audit Team to support the actions taken: | Observation | Closed |
10 | Validation testing of required security controls has not been conducted. | Access Control | Although this finding has not been addressed, the Audit Team will not follow up this finding since RNOHT has deleted the data supplied by NHS Digital and has completed an NHS Digital CoD. | Observation | Open, but not for follow-up |
11 | RNOHT needs to review its backup policy to meet the timing requirements of NHS Digital for data destruction. Currently, the data supplied by NHS Digital is backed up and available on the monthly backup tapes retained for 13 months. Without any changes being made to the backup schedules, the data will be included on the annual tapes in April 2020 which are kept for 8 years. | Operational Management | RNOHT reported that the backup retention is 12 months. | Observation | Closed |
12 | All staff should be made aware when information governance policies and procedures are updated. | Operational Management | A communication email sent to all staff was shared with the Audit Team that showed that information governance policies had been updated. | Opportunity for Improvement | Closed |
13 | RNOHT should review whether the roles of Information Asset Owner (IAO) and Information Asset Administrator (IAA) are undertaken by staff that only hold honorary contracts, given the responsibilities within RNOHT documentation that need to be fulfilled. For example, quarterly risk assessments by the IAO and reporting any risk to the SIRO. | Operational Management | The IAO and IAA roles have now been reassigned to staff directly working for the Trust. A copy of the IAR was supplied to support this action. | Opportunity for Improvement | Closed |
14 | RNOHT should ensure that appropriate teams and stakeholders review any new DSFC and DSA to ensure that all parties are aware of its responsibilities and are fully compliant. | Operational Management | An email was supplied that indicated that stakeholders were made aware of proposed changes to the DSA. | Opportunity for Improvement | Closed |
15 | RNOHT should consider developing some guidance on the handling and processing of data supplied by NHS Digital to provide consistency. This guidance could include: | Operational Management | RNOHT decided not to develop any guidance as it has now deleted the data. RNOHT did, however, supply an extract of the Secure Destruction and Disposal or Deletion of IT Equipment and Media Containing Sensitive Data Policy that outlined the deletion process. Further details on the process were also provided by IT in a statement. | Opportunity for Improvement | Closed |
16 | RNOHT should consider regular review of who has access to the data centre that holds NHS Digital data, which is managed through swipe card access. | Access Control | RNOHT supplied evidence to indicate a review of swipe card access for the datacentre had taken place in October and November 2020. | Opportunity for Improvement | Closed |
17 | The Audit Team will need to see evidence at the post audit review with respect to the Secure File Transfer Protocol (SFTP) transfer configuration from NAW to Trust, thereby confirming the touchpoints for the data and the encryption algorithm used. | Information transfer | NAW is no longer involved as a Processor therefore the Audit Team consider this finding closed. | Follow up | Closed |
NAW
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
18 | NAW has completed a DPIA which covers more than one DSA. NAW should either: | Operational Management | The DPIA was updated in April 2020 and now indicates that it covers multiple agreements. A copy of the DPIA was supplied to the Audit Team. | Opportunity for improvement | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 14 October 2022 10:01 am