NHS England Post Audit Review: British Thoracic Society
This report provides the formal closure of the remote data sharing audit of the British Thoracic Society and its Processors in May 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the British Thoracic Society (BTS) and its Processors between 23 and 31 May 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-243753-G7Y5H-v2.01
- the data sharing agreement (DSA) DARS-NIC-219944-G9X4V-v0.6
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 2018/19 – 2019/20_M10 |
HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2018/19 – 2019/20_M10 |
Civil Registration (Deaths) - Secondary Care Cut | Pseudo/Anonymised, Sensitive | Latest available |
The Controller is the BTS and the Processors are Westcliff Solutions and the University of Nottingham (UoN).
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the BTS between February and May 2023.
Post audit review outcome
Since the audit in May 2022, the DSA has expired and the BTS does not expect to renew it. Furthermore, the UoN has provided a Certificate of Destruction to the Data Access Request Service (DARS) team to confirm that the data had been deleted locally and from OneDrive. As a result, a number of the findings have been classed as “No longer applicable”.
Note: the findings classified as “No longer applicable” in this report may be subject to further review by NHS England if the BTS submits a new application.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Low
Current Risk Statement: Low
Data recipient’s acceptance statement
The BTS has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 4 agreement nonconformities, 4 organisation nonconformities, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
BTS
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Analysis of the data supplied by NHS Digital was undertaken by a PhD student at the UoN, whereas the DSA stated such analysis would be conducted by substantive employees of UoN. | Use and Benefits | The BTS reported that as data analysis was completed prior to audit, no further action can be taken for this nonconformity under this project. It would, however, ensure the correct description of staff involved on any future project. | Agreement nonconformity | No longer applicable |
2 | Processing of the data supplied by NHS Digital is being done on equipment not declared in the DSA, along with the use of Microsoft as a backup solution, which is not declared as a Processor in the DSA. | Use and Benefits | The BTS reported that data processing and analysis was completed prior to audit. The BTS stated it would, however, ensure correct description of equipment involved is used on any future project. Since the DSA has expired and the BTS does not expect to renew the agreement, no revision to the DSA has been made. A completed Certificate of Destruction, signed 24 April 2023, was provided to DARS to confirm that the data had been deleted by the UoN locally and from OneDrive. | Agreement nonconformity | Closed |
3 | The HES/ONS datasets are not recorded on the BTS Information Asset Register (IAR). The Audit Team also suggested additional fields that could be added to the register. | Operational Management | The BTS has added the HES and ONS datasets to the BTS IAR and has added a ‘notes’ column to allow relevant project details to be captured when needed. An extract of the latest IAR was supplied to the Audit Team. | Agreement nonconformity | Closed |
4 | The BTS was unable to provide written evidence for how it monitors compliance with its information governance policies. Where such activities are undertaken in the future, it is important that suitable and auditable evidence is maintained. | Operational Management | The BTS confirmed that there is a new upcoming project under the Quality Improvement Committee where information governance compliance will be confirmed within the project outline. However, there are no current and active projects that require a project outline for documentation purposes. | Organisation nonconformity | No longer applicable |
5 | Since the DSA was signed, several minor changes around the processing and storage of data have been made. The BTS should speak with the Data Access Request Service (DARS) team to establish whether the DSA should be revised to reflect these changes, noting the data is expected to be deleted shortly, following acceptance of a journal paper. | Use and Benefits | Since the DSA has expired and the BTS does not expect to renew the agreement, no revision to the DSA has been made. | Observation | No longer applicable |
6 | The BTS should ensure any future papers contain an acknowledgement to NHS Digital as being the source of the data. | Use and Benefits | The BTS provided a copy of the paper “Causes of readmission following hospital admission for Community Acquired Pneumonia in England” to the Audit Team which contained an acknowledgement to NHS Digital being the source of the data. | Opportunity for improvement | Closed |
7 | The BTS should ensure appropriate stakeholders review any new DSFC and DSA to ensure that they are fully aware of their responsibilities and are fully compliant. | Operational Management | The BTS stated that it would do this for any future DSFCs and DSAs. | Opportunity for improvement | No longer applicable |
8 | The BTS should add approval dates to future issues of its Data Protection Impact Assessments (DPIA). | Operational Management | The BTS reported that it will do this for future projects but had no relevant documentation at the time of the post audit review. | Opportunity for improvement | No longer applicable |
9 | At the post audit review, the Audit Team will discuss the status of data deletion and, if appropriate, check that a Certificate of Destruction (CoD) has been completed by the BTS and sent to NHS Digital. Prior to destruction being undertaken, the BTS and UoN should agree on what evidence is to be collected to support the production of the CoD. | Data Destruction | A completed Certificate of Destruction, signed 24 April 2023, was provided to DARS to confirm that the data had been deleted by the UoN locally and on OneDrive. | Follow-up | Closed |
UoN
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
10 | The HES/ONS datasets are not recorded on a UoN (or School) IAR. As a result, the normal information governance reviews, considerations and processes were not enacted, for example, the completion of a DPIA or the need to handle any specific risks. | Operational Management | The UoN reported that a new Research Data Management Checklist had been created. The checklist requires users to answer a number of questions to understand the risks in their processing, and directs researchers to complete various governance documentation (Data Management Plans, DPIAs, DSAs, NHS Data Security Protection Toolkit, etc.) to ensure the correct practices are followed. At the time of the post audit review the HES/ONS datasets had not been recorded on a UoN (or School) IAR. However, the UoN has recently deleted the data locally and on OneDrive. | Agreement nonconformity | Closed |
11 | The desktop holding the data supplied by NHS Digital is not encrypted. | Access Control | The UoN IT team confirmed that the hard disk of the computer that held NHS Digital data has been encrypted. A screenshot from Microsoft Configuration Manager showed BitLocker was enabled on all drives. | Organisation nonconformity | Closed |
12 | The password requirements defined in the Access Control Standards were different to the technical controls being enforced through its systems. | Access Control | The UoN reported that all new passwords reflect the current requirements as defined by the Access Control Standards. To ensure that no passwords are currently vulnerable, a technical audit had been conducted to identify potentially weak passwords. Accounts found with insufficient passwords were forced to update with sufficiently complex passwords. For most systems, a stricter password policy is technically enforced than that defined by the Access Control Policy. UoN stated that by having a lower requirement in the policy, a small number of older standalone systems remain compliant. Copies of the technical password rules and the Access Control Policy v3 were supplied to the Audit Team. | Organisation nonconformity | Closed |
Westcliff
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
13 | Westcliff to correct inaccurate statements in its documentation as part of the next annual review. | Operational Management | Westcliff supplied revised copies of the documents identified in the original report to the Audit Team. Whilst most of the identified changes have been made, the Information Asset Register and Risk Assessment (October 2022) still refers to privacy assessments and the abbreviation PIA. | Organisation nonconformity | Closed |
14 | Westcliff should assess whether the desktop machine used to temporarily extract identifiable data collected from other sources should be encrypted. | Access Control | Westcliff reported that all PCs that are used for development and/or producing data exports are fully encrypted. The boot drive and all data drives are protected using Windows BitLocker. A screenshot showing that BitLocker was active was supplied to the Audit Team. | Opportunity for improvement | Closed |
15 | Westcliff should consider how data held electronically could be permanently deleted from its systems, should this be required. | Data Destruction | Westcliff reported any PC that is no longer required will be securely wiped using KillDisk. This software is used to permanently erase hard drives and ensure that no previous data can be recovered by another party. A screenshot showing the active version of KillDisk was supplied to the Audit Team. Westcliff also stated that in the event specific files required destruction then a named commercial file scrubber would be used. Both approaches are specified in the latest System Level Security Policy, May 2023, which was provided to the Audit Team. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 23 August 2023 12:10 pm