Skip to main content

NHS England Post Audit Review: NHS Dorset Clinical Commissioning Group

This report provides the formal closure of the remote data sharing audit of NHS Dorset Clinical Commissioning Group (CCG) in January 2022.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of NHS Dorset Clinical Commissioning Group (CCG) between 10 and 14 January 2022 against the requirements of:

  • the data sharing framework contract CON-338307-D8Z0G
  • the data sharing agreement (DSA) DARS-NIC-54727-S3Y1T-v4.3
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
SUS for Commissioners Pseudo/Anonymised, Sensitive 2008/09 – 2021/22
Emergency Care - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Acute - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Ambulance - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Community - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Demand for Service - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Diagnostic Services - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Experience, Quality and Outcomes - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Mental Health - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Other Not Elsewhere Classified (NEC) - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Population Data - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Primary Care Services - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Public Health and Screening Services - Local Provider Flows Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Mental Health Minimum Data Set Pseudo/Anonymised, Sensitive 2014/15 - 31/12/2015 
Mental Health and Learning Disabilities Data Set Pseudo/Anonymised, Sensitive 2013/14
Improving Access to Psychological Therapies Data Set Pseudo/Anonymised, Sensitive 2016/17 – 2021/22
Diagnostic Imaging Dataset Pseudo/Anonymised, Sensitive 2016/17 – 2021/22
Mental Health Services Data Set Pseudo/Anonymised, Sensitive 01/01/2016 – 2021/22
Maternity Services Data Set Pseudo/Anonymised, Sensitive 2016/17 – 2021/22
Children and Young People Health Pseudo/Anonymised, Sensitive 2016/17 - 31/10/2017
Civil Registration - Deaths Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Civil Registration - Births Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Community Services Data Set Pseudo/Anonymised, Sensitive 01/11/2017 – 2021/22
National Cancer Waiting Times Monitoring Data Set (CWT) Pseudo/Anonymised, Sensitive 2009/10 – 2021/22
National Diabetes Audit Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Patient Reported Outcome Measures Pseudo/Anonymised, Sensitive 2013/14 – 2021/22
Hospital Episode Statistics (HES) Admitted Patient Care Pseudonymised/Identifiable, Non-sensitive 2015/16 – 2019/20 M12
HES Critical Care Pseudonymised/Identifiable, Non-sensitive 2015/16 – 2019/20 M12
HES Outpatients Pseudonymised/Identifiable, Non-sensitive 2015/16 – 2019/20 M12
HES Accident and Emergency Pseudonymised/Identifiable, Non-sensitive 2015/16 – 2019/20 M12
Civil Registration of Death Secondary Care Cut Pseudonymised, Sensitive Historic Data Request Latest Available

 

The Controller is the CCG and the Processors are the Dorset Healthcare University NHS Foundation Trust (DHC) and Microsoft Limited. Microsoft Limited supplies cloud storage services, via the Microsoft Azure platform, and doesn’t process the data. The Dorset Intelligence & Insight Service (DiiS) reporting solution is hosted on Azure and managed by DHC.

Following the first post audit review published in February 2023, 3 agreement nonconformities, 1 organisation nonconformity, 4 opportunities for improvement and 2 points for follow-up remained open.

It should be noted at the time of the first and second post audit reviews, the CCG had been replaced by the newly formed NHS Dorset Integrated Care Board (ICB) on the 1 July 2022. This report, going forward, will refer to the Controller as the ICB. 

As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post Audit Review

This second post audit review comprised of a desk-based assessment and video calls of the action plan and supporting evidence supplied by the ICB between August and November 2023.

Post Audit Review Outcome

Based on the evidence provided by the ICB and the DHC, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the ICB.

Updated Risk Statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.

Original risk statement: Medium

Previous risk statement: Medium

Current risk statement: Low

Data recipient’s acceptance statement

The ICB has reviewed this report and confirmed that it is accurate. 

Status

The following tables identifies the 6 agreement nonconformities, 1 organisation nonconformity, 7 opportunities for improvement and 3 points for follow-up raised as part of the audit. 

Findings 3, 4, 5, 7, 12, 14 and 15 were closed as part of the first post audit review conducted in February 2023.

ICB

Ref Finding Link to area Update Designation Status
1 Some of the core dashboards available to authorised end users display pseudonymised record-level data which is not consistent with the data sharing statements in the DSA. Use and Benefits A new DSA has now been agreed and signed following the establishment of the ICB. Agreement nonconformity Closed
2

The active DSA needs to be updated as it does not reflect current practice, including (but not limited to):

  • the role of DiiS and the reporting solution
  • the use of a cloud provider to store the data supplied by NHS Digital
  • the datasets made available 
  • the use of a pseudonymisation tool 
  • the re-identification process for users with responsibility for direct care for that patient
  • permitted linkage to other datasets.
 Use and Benefits A new DSA has now been agreed and signed following the establishment of the ICB. Agreement nonconformity Closed
3

The DPIA needs to be updated to reflect current practice including:

  • DiiS analysts can re-identify the NHS number, however, the DPIA currently states that developers and analyst cannot reidentify the NHS number. DiiS stated this service is provided on behalf of GPs who required assistance in reidentifying NHS number for patients in their direct care 
  • the data available on some of the dashboards is pseudonymised record level data, however, the DPIA currently states aggregated data
  • clarification that signed confidentiality agreements are only required by external contractors. The DPIA is not clear and could be interpreted as it applied to all users.
 Operational Management

The ICB has updated the Data Protection Impact Assessment (DPIA) and circulated it for review by the Dorset IG leads. The 3 points in the finding have been updated to reflect current practice in the DPIA.

A copy of the DPIA v2.8 was shared with the Audit Team.		 Agreement nonconformity Closed
4 The Information Asset Register (IAR) and Record of Processing Activities (ROPA) need to be updated to reflect current practice. Operational Management The ICB has updated both the IAR and the ROPA to reflect current practice. Copies of the revised IAR and ROPA were supplied to the Audit Team. Agreement nonconformity Closed
5 The Audit Team suggested that any new DSA and DSFC be reviewed by all stakeholders to ensure that they are aware of their responsibilities and obligations. Operational Management

DiiS reported that the DSA and DSFC are now a standing agenda item for the Pan Dorset Information Governance meeting, where a number of stakeholders are involved including the ICS partners.

The monthly virtual meeting includes a number of services including DiiS. An example of topics areas discussed in relation to DiiS was shared with the Audit Team.		 Opportunity for improvement Closed
6 The CCG should establish formal agreements between the Controller(s) and each partner organisations who have users that can access the dashboards. Operational Management

A template for the Joint Controller Information Sharing Agreement to the DiiS Digital Platform was supplied to the Audit Team.

The Audit Team also reviewed a completed valid agreement signed by both the Controllers and the partner organisations.

 Opportunity for improvement Closed

DHC / DiiS

Ref Finding Link to area Update Designation Status
7 Some of the configuration settings on the Azure platform are not in line with the DSA, DSFC and DiiS documentation.  Information Transfer The ICB provided evidence that data in transit is encrypted, and auditing for the Azure SQL database is enabled. Agreement nonconformity Closed
8 Security testing had not been carried out on the Azure platform where the data is held. DiiS confirmed that such testing is being planned for later in 2022. Access Control

The DiiS has worked with DHC as the host, to commission a security test which was performed in May 2023.  

The Audit Team reviewed the outcome of the security test via screensharing on a Microsoft Teams call.		 Agreement nonconformity Closed
9 Data supplied by NHS Digital held on the SQL database had not been marked to indicate its source as defined in the DiiS Solution Architecture. Operational Management The DiiS provided evidence to confirm the coding had been updated. Organisation nonconformity Closed
10 DiiS should consider developing documentation that outlines the technical re-identification process (for example, the systems involved) and the business re-identification process (for example, the authorisation approval process). Operational Management

The DiiS has produced a DiiS Solution Architecture document and a DiiS Role Based Access Control (RBAC) Process documentation set.

The Audit Team reviewed copies of these documents via screensharing on a Microsoft Teams call.		 Opportunity for improvement Closed
11 DiiS should review the following elements to identify any gaps in controls around:
  • the management of the salt, pseudonym and NHS Number
  • monitoring access to the salt, pseudonym and NHS Number.
 Operational Management

The DiiS Solution Architecture document has been updated to address the gaps identified in the finding.

The Audit Team reviewed a copy of the DiiS Solution Architecture document via screensharing on a Microsoft Teams call.		 Opportunity for improvement Closed
12 DiiS should consider if any additional Azure services should be enabled to improve the security and management of the platform. Access Control DiiS reported there are ongoing reviews of the Azure architecture to improve security and management of the platform. Evidence of the security features that have been enabled was supplied to the Audit Team. Opportunity for improvement Closed
13 DiiS should clarify which supervisory checks for users with access to the Azure environment are to be carried out. The results of these checks should be documented to provide an audit trail.  Access Control

The DiiS reported that the security documentation has been updated and checks have been commissioned with the local support partner.

The Audit Team reviewed evidence to support this via screensharing on a Microsoft Teams call.		 Opportunity for improvement Closed
14 DiiS should remind all dashboard users that they are only allowed to access the dashboard within England and Wales. This is defined in the DSA as the territory of use.  Operational Management DiiS shared a screenshot of a message shown on the DiiS portal that stated access is limited to England and Wales. Opportunity for improvement Closed
15 At the post audit review, the Audit Team will review the process developed around managing user access. For example, regular checks on last login, check for dormant accounts, movers/leavers process, etc. Access Control

DiiS reported that it has implemented a process to review user accounts on a 3 monthly basis. This will help to identify dormant accounts.

This process is outlined in DiiS Role Based Access Control v1.0. A copy of the process document was supplied to the Audit Team.		 Follow-up Closed
16 At the post audit review, the Audit Team will review the work to refine the permissions for authorised dashboard users. DiiS reported that the same permissions had been applied to all authenticated dashboard end users given access to the core reports and there was work planned to refine the permissions even further. Access Control

DiiS reported that various access levels are enabled depending on the role.

The Audit Team reviewed evidence to demonstrate this via screensharing on a Microsoft Teams call.		 Follow-up Closed
17 At the post audit review, the Audit Team will review the user access list to the mapping table held at DHC. Access Control Audit Team received evidence to confirm that access is limited only to specific approved users. Follow-up Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 December 2023 3:21 pm