NHS Digital Post Audit Review: South London and Maudsley NHS Foundation Trust
This report provides an update on progress of the remote data sharing audit of South London and Maudsley NHS Foundation Trust in September and October 2021.
Audit summary
This report provides an update on progress of the remote data sharing audit of South London and Maudsley NHS Foundation Trust (SLaM) between 27 September and 1 October 2021. It provides an evaluation of how SLaM conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-00107-Q0L0N-v2.01
- the data sharing agreement (DSA) DARS-NIC-292279-Z2S5T-v6.6
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 1997/98 – 2019/20 |
HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2019/20 |
HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 – 2019/20 |
HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 – 2018/19 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2005 – March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | October 2005 – March 2020 |
MRIS – Cause of Death Report | Identifiable, Sensitive | October 2005 – March 2020 |
Demographics | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
The Controller is SLaM and the Processor is Microsoft UK.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by SLaM between June and November 2022. A video call was also held in July 2022 to review some of the evidence.
Post audit review outcome
Based on the evidence, the Audit Team has found that SLaM has not fully addressed 1 finding. An agreement nonconformity remains open and requires further review by the Audit Team.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
SLaM has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 1 agreement nonconformity, 3 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | SLaM had not conducted security testing of the cloud infrastructure prior to data being transferred. Security testing had been conducted for its on-premise infrastructure. | Access Control | Internal analysis of the cloud infrastructure was undertaken in March 2022 and a copy of the action log, along with a patch report from August 2022, was supplied to the Audit Team. Further testing following completion of the cloud migration project is expected in early 2023. | Agreement nonconformity | Open |
2 | Following further assessment and agreement of the nature of passwords, the SLaM Information Security Policy will need to be updated, as the current policy is inconsistent with the password settings technically enforced. Passwords were amended during the Covid-19 pandemic to be consistent with Government guidelines. | Access Control | The SLaM Information Security Policy (v9, May 2022) has been updated to reflect the password settings now in use and the requirement that technically enforced settings align with the policy. A copy of the new policy was supplied to the Audit Team. The implementation of the policy has been approved by the Change Approval Board (CAB) and is to be communicated to staff. The amendment to the password settings is being done in stages so that impacts can be assessed. A copy of the CAB approval and the draft staff communication was supplied to the Audit Team. | Observation | Closed |
3 | A deprecated hash algorithm is used to pseudonymise the patient identifier in the anonymised datasets made available to approved researchers. | Access Control | The hash algorithm has been changed to a secure version. | Observation | Closed |
4 | SLaM had completed a Data Protection Impact Assessment (DPIA), however, it did not contain the most up to date information. The DPIA is due to be updated following release of the new Data Sharing Agreement (DSA). | Operational Management | The DPIA was revised in February 2022. A copy of the latest DPIA was supplied to the Audit Team. | Observation | Closed |
5 | SLaM should consider including a reminder to acknowledge the use of HES data in publications, within the guidance provided to users of the Clinical Record Interactive Search (CRIS) system. | Operational Management | The CRIS guidance documents have been revised to request users to include a statement acknowledging the use of HES data in publications. A copy of the revised guidance documentation was supplied to the Audit Team. | Opportunity for improvement | Closed |
6 | SLaM should reassess its use of built-in administrator accounts as recommended by Microsoft. | Access Control | SLaM has amended its use of built-in administrator accounts. Screenshots from the tools being used to manage privileged accounts were supplied to the Audit Team. | Opportunity for improvement | Closed |
7 | SLaM should consider what specialist training is provided to staff employed in named positions, for example, Information Asset Owner (IAO) and Information Asset Administrator (IAA). | Access Control | SLaM reported that filming for IAO and IAA training is due to be completed in August and that the training will then be implemented. SLaM stated that any IAOs or IAAs who had not completed the training but were named in a DPIA would be required to complete the training before the DPIA could be approved. | Opportunity for improvement | Closed |
8 | At the post audit review, the Audit Team will review evidence of data destruction in relation to data previously stored on-premise. | Data Destruction | A Certificate of Destruction for the data previously held on-premise was received and approved by DARS in March 2022. | Follow-up | Closed |
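Finding 3 above does not name the deprecated hash algorithm or its replacement. The Python example below is added here as an illustration and is not code from the report, NHS Digital or SLaM; it uses SHA-1 as a stand-in for the deprecated algorithm and HMAC-SHA-256 as the replacement, both of which are assumptions. It shows the check a practitioner would make before closing such a finding: for a low-entropy identifier such as a 10-digit NHS number, any unkeyed hash, including SHA-256, can be reversed by recomputing it over the identifier space, whereas a keyed HMAC under a secret held by the controller and never released with the dataset cannot. The sample identifiers and the candidate range are constructed for the example and do not refer to real patients.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable

# Constructed sample identifiers in NHS-number format (10 digits); not real patients.
SAMPLE_IDS = ["9434765919", "9434765870", "9434765889"]

# Attacker's candidate list: every value in a small constructed range that brackets
# the sample. The full space is roughly 10^9 valid numbers, which is still cheap to
# enumerate against a fast unkeyed hash.
CANDIDATE_IDS = [str(n) for n in range(9434765800, 9434766000)]


def unkeyed_pseudonym(patient_id: str, algorithm: str = "sha1") -> str:
    """Plain hash of the identifier. 'sha1' stands in for whatever deprecated
    algorithm the report refers to (assumption; the report does not name it).
    Because no secret is involved, anyone can recompute it for a guessed identifier,
    whichever algorithm is chosen."""
    return hashlib.new(algorithm, patient_id.encode()).hexdigest()


def keyed_pseudonym(patient_id: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held by the controller. Same identifier and
    same key give the same pseudonym, so records still link across extracts; without
    the key the mapping cannot be recomputed from the identifier alone."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonyms: Iterable[str], candidates: Iterable[str],
               attacker_fn: Callable[[str], str]) -> Dict[str, str]:
    """Dictionary attack: recompute the pseudonym for each candidate identifier with
    the function the attacker believes was used, and match against the dataset.
    Returns {pseudonym: recovered identifier} for every hit."""
    lookup = {attacker_fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def demo() -> Dict[str, int]:
    """How many of the sample pseudonyms an attacker recovers under each scheme."""
    controller_key = secrets.token_bytes(32)  # fresh here; in practice kept in a KMS/HSM
    results: Dict[str, int] = {}

    # Unkeyed hashing: upgrading the algorithm changes nothing about enumerability.
    for name in ("sha1", "sha256"):
        dataset = [unkeyed_pseudonym(i, name) for i in SAMPLE_IDS]
        hits = reidentify(dataset, CANDIDATE_IDS,
                          lambda c, a=name: unkeyed_pseudonym(c, a))
        results[f"unkeyed_{name}"] = len(hits)

    # Keyed HMAC: the attacker knows the construction but not the key, so tries
    # plain SHA-256 and a guessed key.
    dataset = [keyed_pseudonym(i, controller_key) for i in SAMPLE_IDS]
    attacker_key = secrets.token_bytes(32)
    hits = reidentify(dataset, CANDIDATE_IDS, lambda c: unkeyed_pseudonym(c, "sha256"))
    hits.update(reidentify(dataset, CANDIDATE_IDS, lambda c: keyed_pseudonym(c, attacker_key)))
    results["keyed_hmac_sha256"] = len(hits)
    return results


if __name__ == "__main__":
    print(demo())  # {'unkeyed_sha1': 3, 'unkeyed_sha256': 3, 'keyed_hmac_sha256': 0}
```

The point for a post audit review is that evidence of "the hash algorithm has been changed" should also show how the key is generated, stored and rotated: a keyed construction fails in the same way as the deprecated one if the key is distributed with the dataset or can be derived from it.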
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 13 December 2022 6:38 pm