NHS England Post Audit Review: Belfast Health and Social Care Trust
This report provides an update on progress of the remote data sharing audit of Belfast Health and Social Care in March 2022.
Audit summary
Purpose
This report provides an update on progress of the remote data sharing audit of Belfast Health and Social Care (BHSCT) between 21 and 29 March 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-304112-D2Q8H
- the data sharing agreement (DSA) DARS-NIC-10029-G5R2H-v0.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
MRIS-Personal Demographic Service | Pseudo/Anonymised, Sensitive | Historic Data Request |
The Controller is BHSCT and the Processor is the Health and Social Care Business Services Organisation (HSC BSO).
The interviews during the audit were conducted through video conferencing.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by BHSCT between September 2022 and January 2023. Note, this desk-based review took place just before the merger of NHS Digital and NHS England. Therefore, this report may reference both organisations.
Post audit review outcome
Based on the evidence, the Audit Team has found that BHSCT has not suitably addressed the findings. 6 agreement nonconformities and 4 opportunities for improvement remain open and require further review by the Audit Team. The BHSCT is therefore required to update its action plan to align with this post audit review report.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: High
Current Risk Statement: High
Data recipient’s acceptance statement
BHSCT has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 10 agreement nonconformities, 3 organisation nonconformities, 4 observations and 5 opportunities for improvement raised as part of the original audit.
BHSCT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Data had been onwardly shared with 6 external research organisations without being aggregated which was not allowed by the DSA. Data had also been shared outside of the stated territory of use (UK). | Information Transfer | The Northern Ireland Clinical Trials Unit (NICTU) has provided evidence that it is actively pursuing the external organisations to get the data deleted and the appropriate Certificate of Destruction completed. However, at the time of this review this was still in progress. | Agreement nonconformity | Open |
2 | The storage locations in the DSA do not reflect the actual addresses where the data is stored. | Information Transfer | The Audit Team has seen a new DSA, DARS-NIC-10029-G5R2H-v1.3, which includes the missing storage locations. | Agreement nonconformity | Closed |
3 | Not all staff with access to the NHS Digital data have received data protection training in the last 12 months. | Operational Management | The Audit Team has seen evidence that staff have completed and are up to date with their data protection training. Only one member of staff has been unable to complete the training due to extended sick leave and will complete it on their return. The BHSCT has created a new tracker which will be used to ensure all staff who still require access to the data maintain annual data protection training. | Agreement nonconformity | Closed |
4 | Security assessments have not been performed. | Access Control | The Audit Team was provided with an email from the NICTU to confirm that a security assessment was completed in July 2022. NICTU has developed an action plan and the estimated completion date of all actions is October 2023. | Agreement nonconformity | Open |
5 | Accounts for a small number of staff that had left or no longer required access had not been disabled or deleted. | Access Control | All staff leavers have now had their accounts disabled. The leaver’s checklist has been updated and now includes the account details to be disabled, including the clinical study database accounts. The Audit Team has been provided with the evidence to confirm this. | Agreement nonconformity | Closed |
6 | The Information Asset Register (IAR) does not include an entry for the data supplied by NHS Digital. | Operational Management | The Audit Team has seen an updated version of the NICTU IAR. It has been updated with guidance from Belfast Trust Information Governance (IG) to include the data held by NICTU that was received from NHS Digital. | Agreement nonconformity | Closed |
7 | A Data Protection Impact Assessment (DPIA) has not been undertaken by BHSCT for the NHS Digital data. It is BHSCT’s practice to complete at least the DPIA screening checklist to assess if a full DPIA is required. | Operational Management | BHSCT has provided the Audit Team a completed DPIA which has been signed off by the IAO. | Organisation nonconformity | Closed |
8 | The minimum password length for an application was not in line with the Health and Social Care (Northern Ireland) (HSCNI) Accounts and Passwords All User Standard policy. | Access Control | NICTU has amended the clinical study database minimum password length which is now in line with the policy. | Organisation nonconformity | Closed |
9 | The Information Asset Owner (IAO) had not completed a specialist training refresher course in line with BHSCT requirements. | Operational Management | BHSCT confirmed the IAO completed specialist training in June 2022. Evidence of the training was provided to the Audit Team. | Organisation nonconformity | Closed |
10 | The 6 external organisations that were previously supplied with the data have not been asked to refrain from processing the data or to delete the data. | Data Destruction | NICTU provided the Audit Team with copies of emails they sent to the 6 external organisations. The emails stated data had been shared without an appropriate data access agreement and have requested for the data to be deleted. | Observation | Closed |
11 | A Record of Processing Activity (ROPA) had not been completed for the HARP2 trial. If the ability to process data is reinstated in a future DSA, then a ROPA needs to be completed. | Operational Management | NICTU shared a completed ROPA with the Audit Team. | Observation | Closed |
12 | Data supplied by NHS Digital had been processed on unencrypted machines where, if the application crashed, temporary files would be cached on the machine’s local drive. This potential situation would need to be assessed prior to any future processing. | Information Transfer | BHSCT provided evidence that all PCs used by statistical and health economics staff with STATA installed have now been encrypted. | Observation | Closed |
13 | BHSCT has still to agree its System Level Security Policy (SLSP) with the Data Access Request Service (DARS) team by the end of April 2022. | Operational Management | BHSCT has received an email from DARS which confirms the SLSP is a general catch-all term and that the information provided by BHSCT in the format provided was acceptable. A copy of the email was provided to the Audit Team. | Observation | Closed |
14 | BHSCT should consider developing a standard operating procedure, or enhancing an existing procedure, to support the electronic deletion of data to ensure that the specific requirements of the DSFC are carried out. | Data Destruction | The NICTU Standard Operating Procedures (SOP) are under review by the SOP Working Group and should be finalised by July 2023. | Opportunity for improvement | Open |
15 | BHSCT should update its Data Transfer Procedure to seek the permission of the data owner before sending data to other recipients. | Operational Management | The SOP on data transfer was under review at the time of this post audit review. | Opportunity for improvement | Open |
16 | BHSCT should seek clarification from its service provider as to how the hosted infrastructure is segregated and that appropriate controls have been applied. | Operational Management | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Opportunity for improvement | Open |
17 | The DSFC and DSA should be shared with key support teams to ensure that they are aware of their responsibilities and obligations. | Operational Management | BHSCT has shared the latest version of the DSA with all parties affected within the Belfast Trust. A copy of the covering email was supplied to the Audit Team. | Opportunity for improvement | Closed |
HSC Business Service Organisation (BSO)
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
18 | Software had not been recently patched. | Access Control | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Agreement nonconformity | Open |
19 | Shared logins for some accounts were in use. The nature and number of administration accounts also requires review. | Access Control | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Agreement nonconformity | Open |
20 | The servers are not recorded on the IT Asset Management system. | Access Control | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Agreement nonconformity | Open |
21 | Security assessments have not been performed. | Access Control | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Agreement nonconformity | Open |
22 | A risk assessment should be performed to identify risks associated with the current configuration of the hosted environment. | Operational Management | NICTU has reviewed the situation with BSO and agreed their plan to address the issues raised. The actions should be completed by October 2023. | Opportunity for improvement | Open |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 July 2023 3:23 pm