NHS England Post Audit Review: City of Wolverhampton Council – Public Health
This report provides the formal closure of the remote data sharing audit of the City of Wolverhampton Council (CWC) - Public Health in June 2021.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of City of Wolverhampton Council (CWC) - Public Health between 16 and 22 June 2021 against the requirements of:
- the data sharing framework contract (DSFC) CON-392038-Z0Y2T-v2.01
- the data sharing agreement (DSA) DARS-NIC-41597-J6M1R-v5.3
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Vital Statistics Service | Aggregated, Small Numbers Not Suppressed, Pseudo/Anonymised, Non-sensitive | 1993 - 2022 |
Primary Care Mortality Data | Identifiable, Sensitive | 1996 – March 2024 |
Civil Registration - Births | Identifiable, Non-sensitive | 1995 - 2023 |
The Controller is the CWC, and the Processor is the Royal Wolverhampton NHS Trust (RWT). The staff processing the data are Trust employees and all the data resides on infrastructure owned and managed by the RWT.
Following the first post audit review published in March 2023, 2 agreement nonconformities, 1 observation and 1 point for follow-up remained open.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review.
Post audit review
This second post audit review comprised a desk-based assessment and video calls to assess the action plan and supporting evidence supplied by the CWC and the RWT between July and September 2023.
Post audit review outcome
Based on the evidence provided by CWC and the RWT, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team, CWC or the RWT.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Medium
Previous Risk Statement: Low
Current Risk Statement: Low
Data recipient’s acceptance statement
The CWC and the RWT have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 5 agreement nonconformities, 1 organisation nonconformity, 1 observation, 3 opportunities for improvement and 2 points for follow-up raised as part of the original audit.
CWC
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The data are being stored at RWT locations not declared on the DSA. | Information transfer | The CWC contacted the DARS team to add the undeclared storage location. However, the DARS team stated that the DSA no longer needs to have the processing and storage locations listed due to a change in internal processes. The Audit Team were provided with the email trail to confirm this. Instead, it will be the Controller’s responsibility to maintain a list of all locations where data are being processed and stored and to make this list available to NHS England on request. | Agreement nonconformity | Closed |
2 | There was no evidence to show that access to the locations holding the data supplied by NHS Digital are reviewed on a regular basis. | Access control | The RWT provided evidence to support that access to the locations holding the data supplied by NHS England are reviewed on a regular basis. The access reviews are scheduled to be performed every 6 months. Evidence of the review schedule was provided to the Audit Team. | Agreement nonconformity | Closed |
3 | The review of policies had in some instances been delayed due to Covid. However, there were some documents which had review dates prior to 2020. | Operational management | The CWC provided a copy of the slides of the Information Governance (IG) – Policy Approvals. The slides were used to inform and seek approval from the IG Board about the development of a new IG Policy Framework and supporting policies. | Agreement nonconformity | Closed |
4 | No Data Protection Impact Assessment (DPIA) screening questionnaire or a full assessment had been completed by the CWC for the data supplied. | Operational management | The CWC has completed an IG impact assessment screening questionnaire and a copy was provided to the Audit Team. | Organisation nonconformity | Closed |
5 | The CWC to consider specific Information Asset Owner (IAO) training. | Operational management | The CWC stated that asset register refresh, identification and review of owners and administrators leading to subsequent IAO and Information Asset Administrator training has been included in the IG workplan for 2022/23. | Opportunity for improvement | Closed |
6 | The CWC to consider whether there needs to be a more formal dialogue with RWT on risk in order to feed into CWC’s risk reporting given the data resides on RWT infrastructure. | Risk management | The CWC has included audit requirements and considered risks associated with the data residing on RWT’s infrastructure in its Data Processing Agreement (DPA). A copy of the DPA was provided to the Audit Team. | Opportunity for improvement | Closed |
7 | The Audit Team suggested that the CWC ensures appropriate stakeholders are made aware of any new DSFC and DSA, so parties are fully aware of their responsibilities and are fully compliant. | Operational management | The CWC provided an email to confirm that the DSFC was shared with key stakeholders to make them aware of their responsibilities. | Opportunity for improvement | Closed |
8 | At the post audit review, the Audit Team will look at: | Operational management | The CWC showed the scope of a validation test recently carried out together with its mitigation plan during a video call. The CWC provided a copy of the latest DPO and SIRO annual summary statement. | Follow-up | Closed |
RWT
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
9 | The backup tapes that hold data supplied by NHS Digital are not encrypted. The DSFC requires portable media to be encrypted. The tapes are, however, kept in RWT offices. | Access control | The RWT confirmed that a new backup solution has been implemented and provided evidence which showed backup tapes are now encrypted. | Agreement nonconformity | Closed |
10 | The RWT does not have the data recorded on its Information Asset Register (IAR). | Operational management | The Audit Team confirmed that although RWT (data processor) do not have the data recorded on its IAR, the CWC (data controller) have recorded the data on its IAR, meeting the requirements of the DSFC. RWT are aware that if any future information assets are to be created from the main information asset, these assets must be recorded on the RWT IAR. RWT confirmed that they have no plans to create any further information assets. | Agreement nonconformity | Closed |
11 | The Audit Team clarified that should data supplied by NHS Digital be deleted from the live systems, then the RWT needs to establish a process by which such data cannot be retrieved from its backups given the long retention period for its tapes. | Data destruction | The Audit Team acknowledges data from existing backup tapes cannot be deleted. However, the RWT have considered how data retrieval can be prevented as systems/processes evolve. After a review of the backup process by the RWT, their Group Director of Digital Technology informed the Audit Team that this is not an operational priority due to the need for a full-scale change of the backup solution to meet this requirement, which would require significant financial investment. | Observation | Closed |
12 | At the post audit review, the Audit Team will review the Trust’s Record of Processing Activities (ROPA) in relation to the data supplied by NHS Digital. | Operational management | RWT have now completed a ROPA for the data supplied by NHS England. The Audit Team received a copy of the ROPA. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 November 2023 1:37 pm