NHS Digital Post Audit Review: NHS Warrington Clinical Commissioning Group
This report provides the formal closure of the data sharing audit of NHS Warrington Clinical Commissioning Group in December 2019
Audit summary
This report provides the formal closure of the data sharing audit of NHS Warrington Clinical Commissioning Group (CCG) between 3 and 5 December 2019 against the requirements of both:
- the data sharing framework contract (DSFC) CON-02943-D7T2V
- the data sharing agreement (DSA) NIC-47225-D8S4S-v2.4
This DSA covers the provision of the following dataset:
Dataset | Classification of data | Dataset period |
---|---|---|
Secondary User Services (SUS+) for Commissioners | Identifiable, Sensitive | Ad-hoc irregular dissemination |
The Controller is the CCG and the Processors with respect to invoice validation are Liaison Financial Services Limited (LFS) and Microsoft UK. Microsoft UK supplies cloud storage services to LFS.
Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the CCG and LFS between August 2021 and May 2022. The Audit Team also had a conference call with LFS in April 2022.
Post audit review outcome
Findings 6 and 9 have been closed as the data supplied by NHS Digital held by LFS had been permanently deleted and a completed Certificate of Destruction (CoD) provided to the Data Access Review Service (DARS) team.
Based on the evidence provided by the CCG and LFS, the Audit Team has closed the nonconformities and observations. Although no further action is required by the Audit Team, there is 1 opportunity for improvement still open, and LFS should complete the action against this finding.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
The CCG has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 5 agreement nonconformities, 1 organisation nonconformity, 5 observations and 2 opportunities for improvement raised as part of the original audit.
CCG
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | No clear record exists which identifies either the Information Asset Owner (IAO) or Information Asset Administrator (IAA) for the specific dataset supplied under the DSA. Furthermore, there is no entry within the Information Asset Register (IAR) for the dataset supplied. As a consequence, no data flow mapping exercise and information asset risk assessment has been completed as required by the CCG’s documentation. The Audit Team were informed that this work has been included in the Information Governance (IG) workplan for 2019/20. | Operational Management | An entry for the dataset supplied under the DSA has been added to the IAR including the name of the IAO. It also includes a risk assessment score and identifies the data recipient. A screenshot from the CCG’s information asset system was supplied to the Audit Team. | Agreement nonconformity | Closed |
2 | No Data Protection Impact Assessment (DPIA) has been completed for the dataset supplied, though a Privacy Impact Assessment (PIA) was completed in 2017. The DPIA should have been completed prior to processing of the SUS+ data by LFS. The Audit Team were informed that this work has been included in the IG workplan for 2019/20. | Operational Management | A DPIA was completed by the CCG and approved by the Data Protection Officer and Caldicott Guardian in July 2020. A copy of the DPIA was supplied to the Audit Team. | Agreement nonconformity | Closed |
3 | There is no signed and valid data processing agreement between the CCG and LFS as required in the DSA. | Operational Management | A data processing agreement was signed between the CCG and LFS in June 2020 to support the DSA. A copy of the agreement was supplied to the Audit Team. | Agreement nonconformity | Closed |
4 | The CCG needs to confirm that the privacy notice meets GDPR requirements for the dataset supplied under the DSA. | Operational Management | The CCG confirmed it had updated the privacy notice so that it was now in line with Information Commissioner’s Office guidance. A link to the privacy notice was supplied to the Audit Team. | Observation | Closed |
5 | The appropriate teams within LFS have not seen the DSFC, so are unaware of the contractual requirements it needs to meet. | Operational Management | A copy of the DSFC was shared by the CCG with LFS in October 2020. An email which shows that the DSFC was sent to LFS was shared with the Audit Team. | Observation | Closed |
LFS
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
6 | Manipulated data is being stored at a location not declared on the DSA. This location is outside the territory of use stated in the DSA. LFS advisors use encrypted laptops to download, process and store manipulated data. This data is automatically backed up to Amazon Web Services (AWS) in Dublin. LFS has stated that the manipulated data on the encrypted laptops did not include the NHS number and a level of data minimisation had already been applied. | Information Transfer | LFS has deleted all the data supplied by NHS Digital under this DSA and has completed an NHS Digital CoD. A copy of the CoD was forwarded by the CCG to the DARS team. | Agreement nonconformity | Closed |
7 | No clear IAO was identified for the SUS+ dataset supplied under the DSA. Details of the named IAO supplied with the pre-audit documentation and the details on the IAR did not match. | Operational Management | LFS supplied a screenshot of an extract from the Records of Processing Activities (ROPA) that includes the name of the IAO for the dataset. The named IAO was allocated following a restructure in 2020. | Agreement nonconformity | Closed |
8 | The internal process for controlling client data did not reflect current practice. | Information Transfer | LFS has updated the data flowchart to reflect current practice. A copy of the new flowchart was supplied to the Audit Team. | Organisation nonconformity | Closed |
9 | A potential touchpoint for the data could be missed, if NHS Digital requested permanent deletion of all copies of the data. LFS explained that the raw data was viewed via the Data Services for Commissioners Regional Offices (DSCRO) portal. Initial checks, analysis and data minimisation, including removal of the NHS number, are carried out using an encrypted laptop prior to the data being uploaded onto Microsoft UK. However, the Audit Team identified that data supplied is being downloaded via the DSCRO and stored in the download folder on the encrypted laptop, so a potential touchpoint was unknown to the user. LFS confirmed that data held in the laptop ‘download folder’ would not be backed up to AWS. | Data Deletion | LFS has deleted all the data supplied by NHS Digital under this DSA and has completed an NHS Digital CoD. A copy of the CoD was forwarded by the CCG to the DARS team. | Observation | Closed |
10 | There was no evidence to show that access to the network folders holding the data is reviewed on a regular basis as required by the DSA. Instead, the joiners, movers and leavers process is relied upon to ensure the accuracy of permissions. It should be noted that LFS have held the data for less than 3 months under this DSA. | Access Control | An email was sent to LFS on 18 August 2021 by the IT Provider containing a list of users with access to the data as evidence of review. | Observation | Closed |
11 | Data supplied by NHS Digital is being processed and analysed in Microsoft Excel. If the application crashed, then temporary files could be cached on the machine’s local drive. LFS should assess any risk and consider additional controls, if required. | Access Control | No risk assessment was conducted; however, LFS provided an email from the IT Provider which stated that a deletion will be performed on the ‘temp’ folder every 30 days via group policies. LFS also stated laptops are encrypted. | Observation | Closed |
12 | The Audit Team suggested some improvements to the IAR to provide a better audit trail: • Agreement reference number • datasets received • named Information Asset Owner • locations where the data is held • date of destruction. | Operational Management | A screenshot was supplied to the Audit Team of the IAR entry that included the location where data is held and date of destruction. A screenshot of the ROPA was also shared, and this captured the IAO details, data assets received, and location where data was held etc. | Opportunity for Improvement | Closed |
13 | LFS should consider standardising the encryption level on its laptops. | Access Control | LFS stated that all laptops are encrypted; however, encryption levels vary. | Opportunity for Improvement | Open, but not for follow-up |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 15 June 2022 4:24 pm