
NHS England Data Sharing Remote Audit: Institute of Occupational Medicine

This report records the key findings of a remote data sharing audit of the Institute of Occupational Medicine (IOM) in August 2023. 

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the Institute of Occupational Medicine (IOM) between 14 and 22 August 2023.  It provides an evaluation of how the IOM and the Health and Safety Executive (HSE) and its Processor conform to the requirements of:

  • the data sharing framework contracts (DSFC): CON-321875-F9Z2M-v2.02 (HSE) and CON-306818-J4Y5L-v2.02 (IOM)
  • the data sharing agreement (DSA) DARS-NIC-169971-Z9M1C-v0.31
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset                        Classification of data   Dataset period
Demographics                   Non-sensitive            Latest Available
Civil Registrations of Death   Sensitive                Latest Available
Cancer Registration Data       Sensitive                Latest Available

The Controllers are HSE and IOM and the Processor is IOM. Amazon Web Services (AWS) does not have access to the data and only provides cloud hosting services to Box.com (UK) Ltd (Box).

The IOM and the HSE require NHS England data for the purpose of the following research project: ‘Cancer Incidence and Mortality Experience of a British and an International Cohort of Workers Occupationally Exposed to Styrene’.

Styrene is a high-production, high-volume chemical, with about 18 thousand tonnes produced annually worldwide in the manufacture of plastic and synthetic rubber products. The general population is exposed only to very low levels. Around 40 years ago, findings among workers in the synthetic rubber industry suggested an increased risk of leukaemia and lymphoma; however, interpretation of this finding was hampered by co-exposure to other chemicals. The reinforced plastics industry is therefore ideal for studying the potential carcinogenicity of styrene.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 4.


Audit type and scope

Audit type: Routine

Scope areas:

  • Information Transfer
  • Access Control
  • Data Use and Benefits
  • Risk Management
  • Operational Management and Control
  • Data Destruction

Restrictions

Access control - limited visibility of physical controls

Overall risk statement

Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical, High, Medium and Low.

Current risk statement: High

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

The IOM have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The IOM will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with the auditee to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence, at which point the Audit Team may raise further findings.


Findings

The following table identifies the 6 agreement nonconformities, 3 organisation nonconformities, 6 observations, 9 opportunities for improvement and 1 point for follow-up raised as part of the audit. Each finding is listed with its reference number, the scope area it links to, the clause cited and its designation.

Ref 1
Finding: Backups of the data are not taken; the IOM instead relies, reasonably, on replication across a secondary site to maintain availability. The DSFC requires a backup copy of the source data to be kept, as NHS England may not be in a position to resupply the data.
Link to area: Access Control
Clause: DSFC, Schedule 2, Section A, Clause 4.5; DSA, section 5.3
Designation: Agreement nonconformity

Ref 2
Finding: The IOM Information Asset Register (IAR) does not include an entry for the data supplied under the DSA, as required by the DSFC.
Link to area: Information Transfer
Clause: DSFC, Schedule 2, Section A, Clause 3.2
Designation: Agreement nonconformity

Ref 3
Finding: A Data Protection Impact Assessment (DPIA) screening questionnaire has not been completed for the study utilising the data supplied under the DSA.
Link to area: Operational Management
Clause: DSFC, Schedule 3, General Data Protection Regulation (GDPR)
Designation: Agreement nonconformity

Ref 4
Finding: The permissions assigned to the research staff accounts allowed them to invite other individuals to access the cloud storage folder where data supplied by NHS England was held. Permissions to add users to the folder must be limited to the administrator of the cloud storage facility.
Link to area: Access Control
Clause: DSFC, Schedule 2, Section A, Clause 4.3
Designation: Agreement nonconformity

Ref 5
Finding: Although the IOM has recorded information security risks in a risk register, there is no documented formal risk management methodology, including a risk scoring matrix and risk appetite statement, to support the risk management process.
Link to area: Risk Management
Clause: DSFC, Schedule 2, Section A, Clause 3.
Designation: Agreement nonconformity

Ref 6
Finding: The IOM has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA.
Link to area: Operational Management
Clause: DSFC, Schedule 3, GDPR
Designation: Agreement nonconformity

Ref 7
Finding: Some entries in the IAR had classifications which do not exist in the IOM Information Classification Policy v3. The policy should be updated to include all classifications.
Link to area: Operational Management
Clause: IOM Classification Policy version 3, Table 1 - Information Classification, Labelling and Handling
Designation: Organisation nonconformity

Ref 8
Finding: The Information Security Incident Report log did not include breaches which had taken place after 2019.
Link to area: Operational Management
Clause: Information Security Incident Management Procedure version 3, Section 5.1
Designation: Organisation nonconformity

Ref 9
Finding: The Information Governance (IG) Internal Audit has not been scheduled for the study, as required by the IOM IG policy.
Link to area: Operational Management
Clause: Information Governance (IG) for Personal Data and Special Category Data RGN 1.9 version 3
Designation: Organisation nonconformity

Ref 10
Finding: The audit team identified 2 potential touchpoints of the data that were unknown to the organisation:
  • The data was stored in the download folder on an encrypted laptop
  • Data deleted from the cloud storage folder is retained in a separate folder for an indefinite period until it is deleted by an administrator
Link to area: Data Destruction
Clause: DSFC, Part 2, Clause 4.1.7
Designation: Observation

Ref 11
Finding: Although staff have been informed that study data should not be saved on unencrypted USB drives, there are no technical controls in place to prevent them from doing so. Whilst a risk has been identified regarding the use of portable storage media, there is no record of how mitigation of “inadequate security measures” has been considered and applied, or of acceptance of this risk.
Link to area: Access Control
Clause: DSFC, Schedule 2, Section A, Clause 4.7
Designation: Observation

Ref 12
Finding: The IOM should remind users that they are only allowed to access the data within the UK. This is defined in the DSA as the territory of use.
Link to area: Access Control
Clause: DSA, Annex A, Section 2
Designation: Observation

Ref 13
Finding: The IOM should remind users that they are only allowed to access the data from devices issued by their organisation.
Link to area: Access Control
Clause: DSFC, Schedule 2, Section A, Clause 4.8
Designation: Observation

Ref 14
Finding: Whilst equipment being sent for destruction is recorded and the third party provides an itemised certificate of destruction, the two lists are not reconciled to ensure the assets have been disposed of as required.
Link to area: Data Destruction
Clause: DSFC, Schedule 2, Section A, Clause 4.10
Designation: Observation

Ref 15
Finding: On review of the IAR, the Audit Team noted that assets that no longer existed had not been removed from it or marked as deleted.
Link to area: Operational Management
Clause: DSFC, Schedule 2, Section A, Clause 3.2
Designation: Observation

Ref 16
Finding: The IOM should consider reducing the expiration time for external collaborator accounts from 365 days, to ensure folder owners are prompted to review their access on a quarterly basis.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 17
Finding: The use of the generic administration account in place for the administration of cloud storage should be documented to record who can use it, how it can be audited, and any contingency should the staff member that uses it not be available.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 18
Finding: The IOM should consider providing specialist training, for example Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 19
Finding: Reviews of dormant Active Directory accounts should be undertaken on a regular basis.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 20
Finding: The IOM should consider creating a procedure for downloading data from Secure Electronic File Transfer (SEFT) to ensure it is conducted securely.
Link to area: Information Transfer
Designation: Opportunity for improvement

Ref 21
Finding: The IOM should consider updating data retention guidelines to reflect, or make reference to, the requirements for deletion on expiry or termination of a DSA.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 22
Finding: The IOM should consider updating the security policy to reflect who to report to in NHS England if there is a data breach concerning data provided under a DSA.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 23
Finding: The IOM should consider conducting an internal audit to ensure that the requirements of key relevant policies and procedures are being adhered to.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 24
Finding: Procedures should be developed, or existing documentation updated, to include electronic destruction using the deletion tool (for example, confirmation of the number of passes) and completion of the NHS England certificate of destruction.
Link to area: Data Destruction
Designation: Opportunity for improvement

Ref 25
Finding: At the post audit review, the Audit Team will confirm that all identifiers provided by NHS England have been destroyed if the data matching is completed.
Link to area: Data Destruction
Designation: Opportunity for improvement

Use of data

The IOM confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The IOM confirmed that the processing and storage locations of the datasets, including disaster recovery and backups, were limited to the location shown in the following table. This location conforms with the territory of use defined in section 2c of the DSA.

Organisation   Territory of use
IOM            UK

Backup retention

The duration for which data may be retained on backup media is:

Organisation   Media type   Period
IOM            None         No backup performed (see finding 1 in the table above).

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 December 2023 4:48 pm