
NHS England Post Audit Review: NHS Dorset Clinical Commissioning Group

This report provides an update on progress of the remote data sharing audit of NHS Dorset Clinical Commissioning Group in January 2022.

Audit summary

Purpose

This report provides an update on progress of the remote data sharing audit of NHS Dorset Clinical Commissioning Group (CCG) between 10 and 14 January 2022 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-338307-D8Z0G-v2.01
  • the data sharing agreement (DSA) DARS-NIC-54727-S3Y1T-v4.3

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| SUS for Commissioners | Pseudo/Anonymised, Sensitive | 2008/09 – 2021/22 |
| Emergency Care - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Acute - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Ambulance - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Community - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Demand for Service - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Diagnostic Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Experience, Quality and Outcomes - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Mental Health - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Other Not Elsewhere Classified (NEC) - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Population Data - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Primary Care Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Public Health and Screening Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Mental Health Minimum Data Set | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, Sensitive | 2013/14 |
| Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Mental Health Services Data Set | Pseudo/Anonymised, Sensitive | 01/01/2016 – 2021/22 |
| Maternity Services Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Children and Young People Health | Pseudo/Anonymised, Sensitive | 2016/17 – 31/10/2017 |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Civil Registration - Births | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Community Services Data Set | Pseudo/Anonymised, Sensitive | 01/11/2017 – 2021/22 |
| National Cancer Waiting Times Monitoring Data Set (CWT) | Pseudo/Anonymised, Sensitive | 2009/10 – 2021/22 |
| National Diabetes Audit | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |

 

The Controller is the CCG, and the Processors are the Dorset Healthcare University NHS Foundation Trust (DHC) and Microsoft Limited. Microsoft Limited supplies cloud storage services, via the Microsoft Azure platform, and doesn’t process the data. The Dorset Intelligence & Insight Service (DiiS) reporting solution is hosted on Azure and is managed by DHC.

It should be noted that, at the time of the post audit review, the CCG had been replaced by the newly formed NHS Dorset Integrated Care Board (ICB) on 1 July 2022. Going forward, this report refers to the Controller as the ICB.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the ICB between July and November 2022. Note, this desk-based assessment took place before the merger of NHS Digital and NHS England. Therefore, this report references both organisations.

Post audit review outcome

Based on the evidence, the Audit Team has found that the ICB has not suitably addressed the findings. 3 agreement nonconformities, 1 organisation nonconformity, 4 opportunities for improvement and 2 points for follow-up remain open and require further review by the Audit Team. The ICB is therefore required to update its action plan to align with this post audit review report.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Medium

Current Risk Statement: Medium


Data recipient’s acceptance statement

The ICB has reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 6 agreement nonconformities, 1 organisation nonconformity, 7 opportunities for improvement and 3 points for follow-up raised as part of the original audit.

ICB

Ref 1
Finding: Some of the core dashboards available to authorised end users display pseudonymised record-level data which is not consistent with the data sharing statements in the DSA.
Link to area: Use and Benefits
Update: The ICB reported that it is in ongoing discussion with the Data Access Request Service (DARS) team to agree a new DSA following the establishment of the ICB.
Designation: Agreement nonconformity
Status: Open

Ref 2
Finding: The active DSA needs to be updated as it does not reflect current practice, including (but not limited to):

  • the role of DiiS and the reporting solution
  • the use of a cloud provider to store the data supplied by NHS Digital
  • the datasets made available
  • the use of a pseudonymisation tool
  • the re-identification process for users with responsibility for direct care for that patient
  • permitted linkage to other datasets.

Link to area: Use and Benefits
Update: The ICB reported that it is in ongoing discussion with the DARS team to agree a new DSA following the establishment of the ICB.
Designation: Agreement nonconformity
Status: Open

Ref 3
Finding: The DPIA needs to be updated to reflect current practice including:

  • DiiS analysts can re-identify the NHS number; however, the DPIA currently states that developers and analysts cannot re-identify the NHS number. DiiS stated this service is provided on behalf of GPs who required assistance in re-identifying the NHS number for patients in their direct care
  • the data available on some of the dashboards is pseudonymised record-level data; however, the DPIA currently states aggregated data
  • clarification that signed confidentiality agreements are only required by external contractors. The DPIA is not clear and could be interpreted as applying to all users.

Link to area: Operational Management
Update: The ICB has updated the Data Protection Impact Assessment (DPIA) and circulated it for review by the Dorset IG leads. The 3 points in the finding have been updated to reflect current practice in the DPIA. A copy of the DPIA v2.8 was shared with the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: The Information Asset Register (IAR) and Record of Processing Activities (ROPA) need to be updated to reflect current practice.
Link to area: Operational Management
Update: The ICB has updated both the IAR and the ROPA to reflect current practice. Copies of the revised IAR and ROPA were supplied to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 5
Finding: The Audit Team suggested that any new DSA and DSFC be reviewed by all stakeholders to ensure that they are aware of their responsibilities and obligations.
Link to area: Operational Management
Update: DiiS reported that the DSA and DSFC are now a standing agenda item for the Pan Dorset Information Governance meeting, where a number of stakeholders are involved including the ICS partners. The monthly virtual meeting includes a number of services including DiiS. An example of topic areas discussed in relation to DiiS was shared with the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 6
Finding: The CCG should establish formal agreements between the Controller(s) and each partner organisation that has users who can access the dashboards.
Link to area: Operational Management
Update: A template for the ‘Joint Controller Information Sharing Agreement to the DiiS - Digital Platform’ was supplied to the Audit Team. The ICB is considering this template further as it moves towards a shared service.
Designation: Opportunity for improvement
Status: Open

 

DHC / DiiS

Ref 7
Finding: Some of the configuration settings on the Azure platform are not in line with the DSA, DSFC and DiiS documentation.
Link to area: Information Transfer
Update: The ICB provided evidence that data in transit is encrypted, and auditing for the Azure SQL database is enabled.
Designation: Agreement nonconformity
Status: Closed

Ref 8
Finding: Security testing had not been carried out on the Azure platform where the data is held. DiiS confirmed that such testing is being planned for later in 2022.
Link to area: Access Control
Update: DiiS reported that it is working with DHC, as the host, to commission a security test. However, there has been a delay due to internal resourcing availability. The security testing is expected to be complete by March 2023.
Designation: Agreement nonconformity
Status: Open

Ref 9
Finding: Data supplied by NHS Digital held on the SQL database had not been marked to indicate its source as defined in the DiiS Solution Architecture.
Link to area: Operational Management
Update: DiiS shared evidence that the coding had been updated; however, it did not fully address the requirements in the DiiS Solution Architecture.
Designation: Organisation nonconformity
Status: Open

Ref 10
Finding: DiiS should consider developing documentation that outlines the technical re-identification process (for example, the systems involved) and the business re-identification process (for example, the authorisation approval process).
Link to area: Operational Management
Update: DiiS has produced a Role Based Access Control process documentation set, and has updated the DiiS Solution Architecture. DiiS advised that the documents can be viewed during the next video conference call with the Audit Team.
Designation: Opportunity for improvement
Status: Open

Ref 11
Finding: DiiS should review the following elements to identify any gaps in controls around:

  • the management of the salt, pseudonym and NHS Number
  • monitoring access to the salt, pseudonym and NHS Number.

Link to area: Operational Management
Update: DiiS reported that the DiiS Solution Architecture has been updated to address the gaps identified in the finding. DiiS advised that the document can be viewed during the next video conference call with the Audit Team.
Designation: Opportunity for improvement
Status: Open

Ref 12
Finding: DiiS should consider if any additional Azure services should be enabled to improve the security and management of the platform.
Link to area: Access Control
Update: DiiS reported there are ongoing reviews of the Azure architecture to improve security and management of the platform. Evidence of the security features that have been enabled was supplied to the Audit Team.
Designation: Opportunity for improvement
Status: Closed

Ref 13
Finding: DiiS should clarify which supervisory checks for users with access to the Azure environment are to be carried out. The results of these checks should be documented to provide an audit trail.
Link to area: Access Control
Update: DiiS reported that the security documentation has been updated and checks have been commissioned with the local support partner. However, no evidence was supplied to support this.
Designation: Opportunity for improvement
Status: Open

Ref 14
Finding: DiiS should remind all dashboard users that they are only allowed to access the dashboard within England and Wales. This is defined in the DSA as the territory of use.
Link to area: Operational Management
Update: DiiS shared a screenshot of a message shown on the DiiS portal that stated access is limited to England and Wales.
Designation: Opportunity for improvement
Status: Closed

Ref 15
Finding: At the post audit review, the Audit Team will review the process developed around managing user access. For example, regular checks on last login, check for dormant accounts, movers/leavers process, etc.
Link to area: Access Control
Update: DiiS reported that it has implemented a process to review user accounts on a 3 monthly basis. This will help to identify dormant accounts. This process is outlined in DiiS Role Based Access Control v1.0. A copy of the process document was supplied to the Audit Team.
Designation: Follow-up
Status: Closed

Ref 16
Finding: At the post audit review, the Audit Team will review the work to refine the permissions for authorised dashboard users. DiiS reported that the same permissions had been applied to all authenticated dashboard end users given access to the core reports and there was work planned to refine the permissions even further.
Link to area: Access Control
Update: DiiS reported that various access levels are enabled depending on the role. DiiS supplied a spreadsheet with a cross section of how it manages user accounts and controls the access levels. The Audit Team have some queries and plan to follow this up at the next video conference call.
Designation: Follow-up
Status: Open

Ref 17
Finding: At the post audit review, the Audit Team will review the user access list to the mapping table held at DHC.
Link to area: Access Control
Update: DiiS reported that access is limited to 3 users. However, the Audit Team has not seen evidence to support this.
Designation: Follow-up
Status: Open

 


Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 17 February 2023 9:56 am