NHS Digital Post Audit Review: Westminster City Council
This report provides the formal closure of the remote data sharing audit of Westminster City Council and Royal Borough of Kensington and Chelsea in November 2021.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Westminster City Council (WCC) and Royal Borough of Kensington and Chelsea (RBKC) between 8 and 12 November 2021 against the requirements of:
- the data sharing framework contracts (DSFC):
- CON-55596-J4J4B (WCC)
- CON-161738-S2G0Z (RBKC)
- the data sharing agreement (DSA) DARS-NIC-75133-N8S0N-v2.5
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Vital Statistics Service | Aggregated with small numbers not suppressed, Non-sensitive Pseudo/Anonymised, Non-sensitive | 1993 - 2022 |
Primary Care Mortality Data | Identifiable, Sensitive | 1996 - 2024 |
Civil Registration - Births | Identifiable, Sensitive | 1995 - 2023 |
The Joint Controllers are WCC and RBKC; RBKC does not process the data. The Processor is BT (undeclared in the DSA), which provides cloud services to WCC. The data supplied by NHS Digital is stored on BT’s cloud infrastructure. BT also provides IT service management support to WCC, including managing the IT infrastructure and undertaking backups.
Following the audit, WCC has deleted the data held with BT and migrated to Microsoft’s cloud storage services. See update for finding 1 for more details.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by WCC between June and October 2022. There was also a video call in July 2022.
Post audit review outcome
Based on the evidence provided by WCC, the Audit Team has closed the nonconformities, observation and points for follow-up. Although no further action is required by the Audit Team, there is 1 opportunity for improvement still open, and WCC should complete the action against this finding.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Current Risk Statement: Low
Data recipient’s acceptance statement
WCC and RBKC have reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 7 agreement nonconformities, 1 observation, 6 opportunities for improvement and 2 points for follow-up raised as part of the original audit.
WCC
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | A third-party cloud provider (BT) is being used to process and store the data supplied by NHS Digital. The provider also manages the IT infrastructure and the backups. This Processor is not declared in the current DSA even though WCC has been using this provider for over six years. WCC stated it had notified NHS Digital on the 18 October 2021 that it was using an undeclared third-party provider. | Access Control | WCC has terminated the contract with BT as a Processor and is no longer using BT’s cloud services to hold data supplied by NHS Digital. As a result, WCC transferred the data to Microsoft cloud services in April 2022. WCC supplied a completed Certificate of Destruction (CoD) to the Data Access Request Service (DARS) team on 5 August 2022 to cover the data held under the DSA on BT’s cloud storage. A copy of the CoD was supplied to the Audit Team. Prior to the move, WCC completed NHS Digital’s cloud provider checklist for the new provider and a copy was sent to the DARS team on the 30 March 2022. A copy was shared with the Audit Team. The DSA has been updated to include the new Processor, along with the associated processing and storage addresses. A copy of the new DSA, DARS-NIC-75133-N8S0N-v3.5, was shared with the Audit Team. | Agreement nonconformity | Closed |
2 | The data processing and storage locations specified on the active DSA do not accurately reflect the current locations. WCC stated it had notified NHS Digital on the 18 October 2021 of the new processing and storage locations. | Information Transfer | The DSA has been updated to include the new Processor, along with the associated processing and storage addresses. A copy of the new DSA, DARS-NIC-75133-N8S0N-v3.5, was shared with the Audit Team. | Agreement nonconformity | Closed |
3 | The Data Protection Impact Assessment (DPIA) needs to be reviewed and updated as information on the third-party cloud provider is missing. Also, the DPIA had not been signed off by the Information Asset Owner (IAO) or Senior Information Risk Officer (SIRO) as required by the guidance within the DPIA. | Operational Management | The DPIA has been updated and now includes details on the new cloud storage provider. The DPIA was signed off by the IAO and Caldicott Guardian in June 2022. A copy of the DPIA was supplied to the Audit Team. | Agreement nonconformity | Closed |
4 | There was no evidence to show that access to the network folder holding the data supplied by NHS Digital is reviewed on a regular basis. | Access Control | WCC reported that it is carrying out quarterly checks on who has access to data supplied by NHS Digital. This is in addition to checks when staff leave. An email from IT with names of users with access to data supplied by NHS Digital from June 2022 was shared with the Audit Team. WCC confirmed that no issues were identified. | Agreement nonconformity | Closed |
5 | Validation testing of required security controls has not been conducted. | Access Control | A validation test was completed in October 2022, and an action plan is in place to address the issues identified. A paper that outlined the testing and findings was shared with the Audit Team. | Agreement nonconformity | Closed |
6 | Data in transit between the primary and secondary location is not encrypted as required by the DSFC. BT have reported that transit is via a private link. | Information Transfer | WCC has moved to the new cloud provider and confirmed it has provided assurances as part of the cloud provider checklist to the DARS team that data in transit is encrypted. A screenshot of the configuration setting was supplied to the Audit Team that showed an appropriate encryption setting had been enabled. | Agreement nonconformity | Closed |
7 | Key documents that are referenced in the Information Security Policy (version 0.5 approved on 23 May 2020) were either not available or were in draft at the time of the audit. These documents include: | Access Control | WCC supplied the following documents to the Audit Team: WCC stated the IT Third Party Management Policy had been replaced by a third-party supplier assurance assessment document, v1.41, 15 February 2022. WCC confirmed that the reference to the Data Classification Policy has been removed from the Information Security Policy, v1.0, as the policy is not available. | Agreement nonconformity | Closed |
8 | Some policies require review as they are past their review date. For example: | Operational Management | WCC has reviewed and updated the following policies: | Observation | Closed |
9 | Authorised personnel at both WCC and RBKC should sign off the overarching Joint Controller agreement that commenced in July 2018. The document had been signed off by the legal department but was missing the signatures for the authorised personnel. | Operational Management | WCC and RBKC reported that they have instructed the legal departments to review and update Schedule 7 within the S113 Agreement for signature by the Caldicott Guardians. WCC reported that this document is the equivalent to an agreement between both Controllers. | Opportunity for improvement | Open |
10 | Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements. | Operational Management | It was reported that training was delivered to all staff with access to the data on 21 October 2021. The training covered the requirements in both the DSFC and DSA. The Audit Team was shown the meeting agenda to support the training. WCC also confirmed that requirements of the DSA and DSFC will be reviewed when they are due for renewal. | Opportunity for improvement | Closed |
11 | WCC should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, version of the DSA, date of data deletion and certificate of destruction. | Operational Management | WCC has updated the IAR to include details such as the datasets received (type of data and classification), date of receipt, version of the DSA, date of data deletion and certificate of destruction. An extract copy of the IAR was supplied to the Audit Team. | Opportunity for improvement | Closed |
12 | The IAO should consider undertaking specialist role-based training. | Operational Management | WCC has booked external trainers to provide specific Local Authority training for the IAO. The nominated training dates were confirmed by email. | Opportunity for improvement | Closed |
13 | WCC should consider implementing a system that allows security logs to be proactively monitored. | Access Control | WCC has considered this finding and decided to use available internal tools to increase real-time monitoring. WCC provided details, including a screenshot of the management console, to the Audit Team. Whilst the solution increases monitoring, it still does not provide proactive monitoring. | Opportunity for improvement | Closed |
14 | WCC should refer to the Data Access Request Service (DARS) team for the latest guidance on data destruction before deleting any further data. WCC should retain auditable evidence to demonstrate the permanent deletion of electronic data. Such records could be used as supporting evidence for a certificate of destruction submitted to NHS Digital. | Data Destruction | WCC reported it had discussed the data destruction process with the DARS team prior to the deletion of data held on BT and migration to Microsoft cloud storage. WCC supplied a completed CoD to the DARS team on 5 August 2022 to cover the data held under the DSA on BT’s cloud storage. A copy of the CoD was supplied to the Audit Team. | Opportunity for improvement | Closed |
15 | At the post audit review, the Audit Team will review the documented procedures to support the leavers process and the review of dormant accounts. | Access Control | WCC provided statements to support the leavers process, and the handling of dormant accounts to the Audit Team. | Follow-up | Closed |
BT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
16 | The following documentation will be examined at the post audit review: | Operational Management | NHS Digital data is no longer held on BT cloud storage. WCC supplied a completed CoD to the DARS team on 5 August 2022 to cover the data held under the DSA on BT’s cloud storage. A copy of the CoD was supplied to the Audit Team. | Follow-up | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 23 November 2022 9:30 am