
NHS England Post Audit Review: City of Wolverhampton Council – Public Health

This report provides an update on progress of the remote data sharing audit of City of Wolverhampton Council - Public Health in June 2021.

Audit summary

Purpose

This report provides an update on progress of the remote data sharing audit of City of Wolverhampton Council (CWC) - Public Health where the interviews were conducted between 16 and 22 June 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-392038-Z0Y2T-v2.01
  • the data sharing agreement (DSA) DARS-NIC-41597-J6M1R-v5.3

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Vital Statistics Service | Aggregated, Small Numbers Not Suppressed, Pseudo/Anonymised, Non-sensitive | 1993 - 2022 |
| Primary Care Mortality Data | Identifiable, Sensitive | 1996 - March 2024 |
| Civil Registration - Births | Identifiable, Non-sensitive | 1995 - 2023 |

The Controller is the CWC, and the Processor is the Royal Wolverhampton NHS Trust (RWT). The staff processing the data are Trust employees and all the data resides on infrastructure owned and managed by the RWT.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment and a video call reviewing the action plan and supporting evidence supplied by the CWC and the RWT between February and November 2022.

Note, this desk-based review took place just before the merger of NHS Digital and NHS England. Therefore, this report contains references to both organisations.

Post audit review outcome

Based on the evidence, the Audit Team has found that the CWC and the RWT have not suitably addressed the findings. 2 agreement nonconformities, 1 observation and 1 point for follow-up remain open and require further review by the Audit Team. The CWC and the RWT are therefore required to update their action plan to align with this post audit review report.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Medium

Current Risk Statement: Low


Data recipient’s acceptance statement

The CWC and the RWT have reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 5 agreement nonconformities, 1 organisation nonconformity, 1 observation, 3 opportunities for improvement and 2 points for follow-up raised as part of the original audit.

CWC

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | The data are being stored at RWT locations not declared on the DSA. | Information transfer | The CWC contacted the DARS team to add the undeclared storage location. However, the DARS team stated that the DSA no longer needs to have the processing and storage locations listed due to a change in internal processes. The Audit Team were provided with the email trail to confirm this. Instead, it will be the Controller’s responsibility to maintain a list of all locations where data are being processed and stored and to make this list available to NHS England on request. | Agreement nonconformity | Closed |
| 2 | There was no evidence to show that access to the locations holding the data supplied by NHS Digital are reviewed on a regular basis. | Access control | The RWT stated that a recent review had been performed and that further reviews will be done every 6 months. However, no corroborating evidence was provided to support this statement. | Agreement nonconformity | Open |
| 3 | The review of policies had in some instances been delayed due to Covid. However, there were some documents which had review dates prior to 2020. | Operational management | The CWC provided a copy of the slides of the Information Governance (IG) – Policy Approvals. The slides were used to inform and seek approval from the IG Board about the development of a new IG Policy Framework and supporting policies. | Agreement nonconformity | Closed |
| 4 | No Data Protection Impact Assessment (DPIA) screening questionnaire or a full assessment had been completed by the CWC for the data supplied. | Operational management | The CWC has completed an IG impact assessment screening questionnaire and a copy was provided to the Audit Team. | Organisation nonconformity | Closed |
| 5 | The CWC to consider specific Information Asset Owner (IAO) training. | Operational management | The CWC stated that asset register refresh, identification and review of owners and administrators leading to subsequent IAO and Information Asset Administrator training has been included in the IG workplan for 2022/23. | Opportunity for improvement | Closed |
| 6 | The CWC to consider whether there needs to be a more formal dialogue with RWT on risk in order to feed into CWC’s risk reporting given the data resides on RWT infrastructure. | Risk management | The CWC has included audit requirements and considered risks associated with the data residing on RWT’s infrastructure in its Data Processing Agreement (DPA). A copy of the DPA was provided to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The Audit Team suggested that the CWC ensures appropriate stakeholders are made aware of any new DSFC and DSA, so parties are fully aware of their responsibilities and are fully compliant. | Operational management | The CWC provided an email to confirm that the DSFC was shared with key stakeholders to make them aware of their responsibilities. | Opportunity for improvement | Closed |
| 8 | At the post audit review, the Audit Team will look at: the report and any mitigation plan arising from CWC’s latest validation testing report; the latest Senior Information Risk Owner (SIRO) annual statement. | Operational management | The CWC showed the scope of a validation test recently carried out together with its mitigation plan during a video call. The CWC provided a copy of the latest DPO and SIRO annual summary statement. | Follow-up | Closed |

RWT

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 9 | The backup tapes that hold data supplied by NHS Digital are not encrypted. The DSFC requires portable media to be encrypted. The tapes are, however, kept in RWT offices. | Access control | The RWT confirmed that a new backup solution has been implemented and provided evidence which showed backup tapes are now encrypted. | Agreement nonconformity | Closed |
| 10 | The RWT does not have the data recorded on its Information Asset Register (IAR). | Operational management | No information was supplied to support that this finding has been addressed. | Agreement nonconformity | Open |
| 11 | The Audit Team clarified that should data supplied by NHS Digital be deleted from the live systems, then the RWT needs to establish a process by which such data cannot be retrieved from its backups given the long retention period for its tapes. | Data destruction | Whilst the Audit Team acknowledges data from existing backup tapes cannot be deleted, the RWT should consider how data can be prevented from being retrieved as systems/processes evolve. | Observation | Open |
| 12 | At the post audit review, the Audit Team will review the Trust’s Record of Processing Activities (ROPA) in relation to the data supplied by NHS Digital. | Operational management | No information was supplied to support that this finding has been addressed. Further information required the RWT DPO. | Follow-up | Open |


Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 29 March 2023 4:37 pm