NHS England Data Sharing Remote Audit: NHS Cheshire and Merseyside Integrated Care Board
This report records the key findings of a remote data sharing audit of NHS Cheshire and Merseyside Integrated Care Board and Graphnet Health Limited in September 2022.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of NHS Cheshire and Merseyside Integrated Care Board (ICB) and Graphnet Health Limited (Graphnet) between 12 and 20 September 2022. It provides an evaluation of how the ICB and Graphnet conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-331374-L9K3P-v2.01
- the data sharing application in progress (DSA) DARS-NIC-396095-H1P1D-v3.4
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Acute-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Ambulance-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Children and Young People Health | Identifiable, Sensitive | 01/04/2016 - 31/10/2017 |
| Civil Registration - Births | Identifiable, Sensitive | 01/04/2013 - latest available |
| Civil Registration - Deaths | Identifiable, Sensitive | 01/04/2013 - latest available |
| Community Services Data Set | Identifiable, Sensitive | 01/11/2017 - latest available |
| Community-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Demand for Service-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Diagnostic Imaging Dataset | Identifiable, Sensitive | 01/04/2016 - latest available |
| Diagnostic Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Emergency Care-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Experience, Quality and Outcomes-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Improving Access to Psychological Therapies Data Set | Identifiable, Sensitive | 01/04/2016 - latest available |
| Maternity Services Data Set | Identifiable, Sensitive | 01/04/2016 - latest available |
| Mental Health and Learning Disabilities Data Set | Identifiable, Sensitive | 01/04/2014 - 31/12/2015 |
| Mental Health Minimum Data Set | Identifiable, Sensitive | 01/04/2013 - 31/03/2014 |
| Mental Health Services Data Set | Identifiable, Sensitive | 01/01/2016 - latest available |
| Mental Health-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| National Cancer Waiting Times Monitoring Data Set (NCWTMDS) | Identifiable, Sensitive | 01/04/2009 - latest available |
| National Diabetes Audit | Identifiable, Sensitive | 01/04/2013 - latest available |
| Other Not Elsewhere Classified (NEC)-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Patient Reported Outcome Measures | Identifiable, Sensitive | 01/04/2013 - latest available |
| Population Data-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Primary Care Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Public Health and Screening Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
| Shielded Patient List | Identifiable, Sensitive | 1/10/2020 - latest available |
| SUS for Commissioners | Identifiable, Sensitive | 01/04/2015 - latest available |
The Controller is ICB, and the Processors are Graphnet and Microsoft Limited. Microsoft Limited are the cloud storage providers for Graphnet. The Audit Team acknowledge that the ICB came into formation on the 1 July 2022, following the merger of the Clinical Commissioning Groups.
The DSA declares a number of processors and processing activities; however, this audit was limited to Graphnet and the processing undertaken on behalf of the ICB.
The overarching purpose for this application is to support a set of COVID related population health analytics designed to inform both population level planning for COVID recovery and to support the targeting of direct care to vulnerable populations across the ICB.
A set of automated dashboards have been developed in the areas of COVID site reporting covering Capacity and Demand, Epidemiology, and Population Stratification have been made available to authorised end users. The dashboards will enable end users to support the local system including the COVID recovery cells, public health teams, Hospital and Out of Hospital cells across the Cheshire and Merseyside estate as well as local GPs with COVID planning, which includes support to General Practice and Primary Care Networks in intelligence required.
Graphnet were able to demonstrate that 3 out of 4 dashboards were displaying aggregated data, the remaining dashboard was offline. The ICB are liaising with Data Services for Commissioners Regional Office (DSCRO) to find a solution to perform re-identification through the DSCRO platform (see finding 10).
This report also considers whether the ICB and Graphnet conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing. As these interviews took place before the merger of NHS Digital and NHS England, this report references both organisations.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type |
Focused The audit was limited to Graphnet as a Processor and key governance documents between the ICB and Graphnet. |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by the Controller and NHS Digital. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The ICB has reviewed this report and confirmed that it is accurate.
During the audit, Graphnet informed the Audit Team that the DSA and DSFC had not been received prior to the audit from the ICB, which was confirmed by the ICB. Therefore, findings were raised which would have been expected to be addressed if Graphnet was aware of the requirements. See findings 1 and 2 for details.
Data recipient’s action plan
The ICB will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with the ICB to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 4 agreement nonconformities, 4 opportunities for improvement and 4 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | The terms and conditions of the DSFC and DSA did not flow down into the data processing agreement. | Operational Management | DSA, Annex A, section 6 Special Conditions | Agreement nonconformity |
| 2 | The ICB had not made Graphnet aware of the obligations in the DSA and DSFC. | Operational Management |
DSFC, Part 2: Terms and Conditions, clause 4.1.6 DSA, section 6 Special Conditions |
Agreement nonconformity |
| 3 | In relation to processing by Graphnet on behalf of the ICB, Graphnet stated that it did not backup data but reasonably relied on replication across multiple sites in order to maintain availability. The DSFC requires a backup copy of the source data to be kept, not least since NHS England may not be in a position to resupply the data. | Access Control |
DSFC, Schedule 2, Section A, clause 4.5 DSA, section 5.3 |
Agreement nonconformity |
| 4 |
In relation to processing by Graphnet on behalf of the ICB, the following issues were noted regarding account management:
As the user has legitimate access to the data this finding is focused on the organisation’s housekeeping of accounts/groups.
|
Access Control |
DSA, sections 5.3 and 7.1 |
Agreement nonconformity |
| 5 | The ICB should remind dashboard users that access is only allowed within England and Wales as stated in the territory of use. | Operational Management | Opportunity for improvement | |
| 6 | Although the ICB has a Cheshire and Merseyside Population Health Programme Record of Processing Activity (ROPA), the Audit Team advise that improvements could be made to bring it in line with Information Commissioner’s Office (ICO) requirements. | Operational Management | Opportunity for improvement | |
| 7 | The ICB should ensure that Processors are aware of the copyright requirements outlined in the DSFC. | Use and Benefits | Opportunity for improvement | |
| 8 | In relation to processing by Graphnet on behalf of the ICB, Graphnet should consider changing the period for reviewing administrator accounts from 12 months as stated in the Graphnet Access Control Policy, to every 6 months. | Operational Management | Opportunity for improvement | |
| 9 | At the post audit review, the Audit Team will follow up with the ICB on the progress of the Data Protection Impact Assessment (DPIA). | Operational Management | Follow-up | |
| 10 | At the post audit review, the Audit Team will follow up with the ICB on the statement in the application regarding the direct care re-identification tool that is expected to be developed by the DSCRO. | Operational Management | Follow-up | |
| 11 | At the post audit review, the Audit Team will follow up with Graphnet regarding the progress on the specialist training for the Information Asset Owner and Information Asset Administrator. | Operational Management | Follow-up | |
| 12 | At the post audit review, the Audit Team will follow up with Graphnet on the work to further enhance its security posture in Defender for Cloud, and the actions taken to address the 2 medium level recommendations identified on Microsoft Azure. | Access Control | Follow-up |
Use of data
The ICB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
The ICB confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| Graphnet | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Media type |
|---|---|---|
| Microsoft Limited | Disk | No backups undertaken for unprocessed data (see finding 3) |
| Microsoft Limited | Disk | SQL server - 7 days |
Good Practice
During the audit, the Audit Team noted the following areas of good practice:
- the value of the data supplied under this DSA was demonstrated through the use of the dashboards that have been developed under instruction of the ICB
- the data held by Graphnet on the cloud storage is geo-replicated within England and Wales in order to provide high availability.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 May 2023 2:56 pm