NHS England Post Audit Review: Healthcare Quality Improvement Partnership
This post audit report provides the formal closure of the remote data sharing audit of the Healthcare Quality Improvement Partnership (HQIP) and its Processors in January 2022.
Audit summary
Purpose
This post audit report provides the formal closure of the remote data sharing audit of the Healthcare Quality Improvement Partnership (HQIP) and its Processors between 10 and 19 January 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-326178-V9S5X v2.01
- the data sharing agreement (DSA) DARS-NIC-355855-R4G6G-v7.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2012/12 – 2020/21 |
HES Critical Care | Identifiable, Non-sensitive | 2015/16 – 2020/21 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | February 2016 to March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | February 2016 to March 2020 |
MRIS – Cause of Death Report | Identifiable, Sensitive | February 2016 to March 2020 |
Demographics | Sensitive | Latest Available, quarterly |
Civil Registration - Deaths | Sensitive | Latest Available, quarterly |
The Controller is HQIP, and the two Processors are the Royal College of Anaesthetists (RCoA) and the Royal College of Surgeons of England (RCS).
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by HQIP, RCoA and RCS between February and October 2023.
Post Audit Review Outcome
Based on the evidence, the Audit Team has closed all findings. No further action is required by the Audit Team or any of the auditees.
Updated Risk Statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.
Original risk statement | Current risk statement |
---|---|
Medium | Low |
Data recipient’s acceptance statement
HQIP have reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 6 agreement nonconformities, 8 opportunities for improvement and 1 point for follow-up raised as part of the audit.
RCoA
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Data supplied by NHS Digital are being stored at locations not declared in the DSA. Consideration should also be given as to whether the owner of these storage locations should be added as a Processor. | Information Transfer | A new DSA version 9.21 has been agreed, and whilst individual locations are no longer recorded, the DSA does include an additional Processor. The RCoA has now moved to cloud-based backups, which includes backups of data provided under the DSA. The Confidentiality Advisory Group (CAG) has reviewed the move to the cloud-based solution and is fully supportive. A copy of the CAG approval letter was shared with NHS England. | Agreement nonconformity | Closed |
2 | There has been no regular review of access to the network folders where the data supplied by NHSD is held. | Access Control | The RCoA provided a copy of a recent report generated by a file permissions tool. The RCoA stated that a process is now in place to produce a 6-monthly review which will be signed off by the Head of IT. Copies of the generated report and the sign-off process were provided to the Audit Team. | Agreement nonconformity | Closed |
3 | Security assessments have not been performed on the infrastructure holding the data supplied by NHS Digital. | Access Control | The RCoA provided evidence that all internal security assessments identified during the audit had been carried out. A schedule of future assessments has been created and is due to be undertaken on a regular basis. | Agreement nonconformity | Closed |
4 | A signed copy of the Memorandum of Understanding (MoU) for the research fellows has not been provided to NHS Digital as required by the DSA. | Access Control | The RCoA confirmed that all current research fellow MoUs have been provided to NHS England. A copy of the email trail with the DARS team was provided to the Audit Team. | Agreement nonconformity | Closed |
5 | The RCoA should ask the third-party data destruction contractor to provide a detailed list of the assets destroyed along with a data destruction certificate. This list would allow the RCoA to reconcile the assets sent for destruction with those destroyed. The RCoA IT Assets Disposals Policy should also be updated to reflect this process. | Data Destruction | The RCoA has recently changed its third-party data destruction contractor. The RCoA confirmed that the new contractor has agreed that individual destroyed assets will be mapped to a data destruction certificate. The RCoA IT Assets Disposal Policy has been updated to reflect the process. Evidence was provided to the Audit Team. | Opportunity for improvement | Closed |
6 | The RCoA should implement a recording mechanism for staff, contracted as research fellows, who have completed the necessary mandatory training at their substantive organisation. All users with direct access to data provided by NHS Digital had completed annual Information Governance training. | Operational Management | The RCoA stated that the MoU for Research Fellows has been updated so that it includes reference to completing necessary mandatory IG training. A process is now in place requesting that all completed IG training certificates are sent in to the RCoA Research Team. A copy of the MoU was provided to the Audit Team. | Opportunity for improvement | Closed |
7 | The RCoA should document the password settings enforced via Active Directory group policy for all staff, within its IT Password Policy. | Access Control | The password policy has been updated to include Active Directory group policy settings. A copy of the policy was provided to the Audit Team. | Opportunity for improvement | Closed |
8 | The RCoA should update its Data Protection Impact Assessment (DPIA) to record that all parties agree with the content (HQIP, RCoA and RCS) along with the review dates. | Operational Management | HQIP, the RCoA and the RCS have met to ensure that all parties agree with the content of the DPIA. All 3 organisations involved approved the content, with a copy provided as evidence to the Audit Team to support this. | Opportunity for improvement | Closed |
9 | The RCoA’s Information Asset Register (IAR) could be updated to: | Operational Management | The RCoA has decided to replace the IAR with the ROPA since it already contains the relevant information. | Opportunity for improvement | Closed |
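Findings 2 and 7 both turn on having a written artefact: a periodic record of who holds explicit permissions on the folders holding NHS Digital data, and a record of the password settings that Active Directory actually enforces. The script below is an added illustration of how such a review artefact can be produced; it is not the RCoA's file permissions tool or any tool named in this report. It assumes a domain-joined Windows host with the ActiveDirectory PowerShell module installed, and the share path, output directory and domain prefix are placeholders.

```powershell
# Added example (not the RCoA's tool): produce a point-in-time access review
# artefact for a share and a record of the enforced domain password policy,
# so the 6-monthly review has evidence for the Head of IT to sign off.
# Assumptions: domain-joined Windows host, ActiveDirectory module present.
# $SharePath, $OutDir and the 'DOMAIN\' prefix are placeholders, not values from the report.
param(
    [string]$SharePath = '\\FILESERVER\NHSD-Data',           # placeholder
    [string]$OutDir    = "$env:USERPROFILE\AccessReview",     # placeholder
    [string]$DomainPrefix = 'DOMAIN\'                         # placeholder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'

# 1. Enumerate every ACE on the share root and each subfolder. Explicit (non-inherited)
#    entries are the ones that drift over time, so those are written to the review sheet
#    with empty ReviewedBy/Decision columns for the reviewer to complete.
$folders = @(Get-Item -Path $SharePath) + (Get-ChildItem -Path $SharePath -Directory -Recurse)
$aces = foreach ($f in $folders) {
    $acl = Get-Acl -Path $f.FullName
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Folder     = $f.FullName
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights.ToString()
            Type       = $ace.AccessControlType.ToString()
            Inherited  = $ace.IsInherited
            ReviewedBy = ''      # completed by the reviewer
            Decision   = ''      # Keep / Remove, completed by the reviewer
        }
    }
}
$aces | Where-Object { -not $_.Inherited } |
    Export-Csv -Path (Join-Path $OutDir "acl-review-$stamp.csv") -NoTypeInformation

# 2. Expand domain groups that appear in the ACLs so the reviewer sees named accounts,
#    not only group names. Built-in and NT AUTHORITY principals are left out here.
$groups = $aces |
    Where-Object { $_.Identity -like "$DomainPrefix*" } |
    Select-Object -ExpandProperty Identity -Unique
$members = foreach ($g in $groups) {
    $name = $g.Split('\')[-1]
    $grp  = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }
}
$members | Export-Csv -Path (Join-Path $OutDir "group-members-$stamp.csv") -NoTypeInformation

# 3. Record the password settings the domain actually enforces, for inclusion in
#    (or comparison against) the written IT Password Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration |
    Export-Csv -Path (Join-Path $OutDir "domain-password-policy-$stamp.csv") -NoTypeInformation
```

Two caveats when using something like this as review evidence: the default domain policy can be overridden for particular groups by fine-grained password policies (Get-ADFineGrainedPasswordPolicy), so those should be recorded alongside it; and the CSV is only an artefact once a named reviewer has completed the Decision column and any "Remove" entries have been actioned and re-checked on the next run.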
RCS
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
10 | The backup tapes that hold data supplied by NHS Digital are not encrypted. The tapes are, however, kept in RCS premises. | Access Control | The RCS provided evidence to the Audit Team that it is now storing the backup data on a new encrypted server. | Agreement nonconformity | Closed |
11 | The server holding data provided by NHS Digital is running unsupported software. | Access Control | The RCS has provided evidence to demonstrate that new replacement servers are now running with supported and up to date software. | Agreement nonconformity | Closed |
12 | The RCS should consider performing a review of its IAR to ensure it is capturing the appropriate information. As part of this review the IAR could be compared with the NELA IAR to ensure their contents are aligned. | Operational Management | The RCS is updating its Record of Processing Activities (ROPA) to include the information required in the IAR. Email evidence to support this ongoing work was provided to the Audit Team. | Opportunity for improvement | Closed |
13 | The RCS should update its Data Protection Impact Assessment (DPIA) to record that all parties agree with the content (HQIP, RCoA and RCS) along with the review dates. | Operational Management | HQIP, the RCoA and the RCS have met to ensure that all parties agree with the content of the DPIA. An updated DPIA template for all HQIP projects has been drafted and will be implemented shortly. The template includes a section where all organisations involved sign off on content. | Opportunity for improvement | Closed |
14 | The RCS should ask the third-party data destruction contractor to provide a detailed list of the assets destroyed along with the data destruction certificate. This list would allow the RCS to reconcile the assets sent for destruction with those destroyed. The RCS IT Assets Disposals Policy should also be updated to reflect this process. | Data Destruction | The RCS confirmed that the serial numbers for assets that are destroyed are included and captured as part of the service provided by the third-party data destruction contractor. A screenshot of the terms and conditions of the contract with the third-party provider was provided to the Audit Team. | Opportunity for improvement | Closed |
15 | At the post audit review, the Audit Team will review evidence of the actions taken following a recent security assessment. | Access Control | The infrastructure referenced in the security assessment has been decommissioned since the original audit and replaced with new servers, with up-to-date operating systems and software installed. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 14 December 2023 4:44 pm