
Post Audit Review: i5 Health Limited

This report provides the formal closure of the remote data sharing audit of i5 Health Limited in October 2022.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of i5 Health Limited (i5 Health) between 10 and 14 October 2022 against the requirements of:

  • the data sharing framework contract (DSFC) CON-311985-R7R3V-v2.01
  • the data sharing agreement (DSA) DARS-NIC-14709-Z2H2R-v6.9
  • the organisation’s own policies, processes, and procedures

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
--- | --- | ---
Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised, Non-sensitive | 2012/13 – 2020/21
HES Outpatients | Anonymised, Non-sensitive | 2012/13 – 2020/21
HES Accident and Emergency | Anonymised, Non-sensitive | 2012/13 – 2019/20_M12
Secondary Uses Service (SUS) Payment by Results Episodes | Anonymised, Non-sensitive | 2012/13 – 2020/21
SUS Payment By Results Spells | Anonymised, Non-sensitive | 2012/13 – 2020/21
SUS Payment By Results Outpatients | Anonymised, Non-sensitive | 2012/13 – 2020/21
SUS Payment By Results Accident & Emergency | Anonymised, Non-sensitive | 2012/13 – 2020/21
Emergency Care Data Set (ECDS) | Anonymised, Non-sensitive | 2018/19 – 2020/21
HES-ID to MPS-ID HES Admitted Patient Care | Anonymised, Non-sensitive | 2016/17
HES-ID to MPS-ID HES Outpatients | Anonymised, Non-sensitive | 2016/17


The Controller is i5 Health.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by i5 Health in April 2023.

Post audit review outcome

Based on the evidence provided by i5 Health, the Audit Team has closed the nonconformities and observation. Although no further action is required by the Audit Team, there is 1 opportunity for improvement still open, and i5 Health should complete the action against this finding.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Low

Current Risk Statement: Low


Data recipient’s acceptance statement

i5 Health has reviewed this report and confirmed that it is accurate.


Status

The following table identifies the 4 organisation nonconformities, 1 observation and 5 opportunities for improvement raised as part of the original audit.

Ref | Finding | Link to area | Update | Designation | Status
--- | --- | --- | --- | --- | ---
1 | There was an inaccuracy noted in a policy between the documented level of encryption and the actual level on devices. | Access Control | i5 Health provided a copy of the updated Data Encryption Policy, which now shows the correct level of encryption on devices. | Organisation nonconformity | Closed
2 | Patching had not been consistently conducted in accordance with the IT Patch Management Policy. | Access Control | i5 Health provided screenshots which show that patches have been applied and are up to date. | Organisation nonconformity | Closed
3 | Business continuity and disaster recovery plans have not been developed as required by the Information Security Policy. | Operational Management | i5 Health has developed a Business Continuity Policy and a Disaster Recovery procedure as required by its Information Security Policy. Copies of the new documents were provided to the Audit Team. | Organisation nonconformity | Closed
4 | The risk register is not compliant with the requirements of the Risk Management Policy and Risk Assessment Template. | Risk Management | i5 Health provided a copy of its updated risk register, which shows risks are being articulated as required by its policy and has a new column for risk rating. | Organisation nonconformity | Closed
5 | Appendix A of the Disposal and Destruction of Electronic Equipment Policy states that “A contract will be established that will meet all legal and regulatory requirements for secure confidential disposal of assets.” i5 Health confirmed that a contract was not currently in place. | Data Destruction | i5 Health has updated Appendix A and stated that, when required, a certified contractor will be appointed that will meet all legal and regulatory requirements for secure and confidential disposal of assets. Furthermore, i5 Health has identified and included 3 providers on its supplier register. A copy of the updated policy was provided to the Audit Team. | Observation | Closed
6 | There was an inaccuracy noted in the Password Management Policy between the documented password settings and the actual settings on devices. The actual level was stronger. | Access Control | i5 Health has updated its Password Management Policy to ensure that it is now consistent with the actual settings on the devices, as defined in the Windows account password policy settings. A copy of the updated policy was provided to the Audit Team. | Opportunity for improvement | Closed
7 | Although i5 Health is performing its own assessments, the Audit Team suggested that an independent security assessment is undertaken. | Access Control | i5 Health confirmed that, as part of its ongoing ISO certification, it will be audited and assessed by an independent provider in June 2023. | Opportunity for improvement | Open, but not for follow-up
8 | The Audit Team suggested that the retention period of access logs is reviewed. Also, offline backups of the logs should be taken to ensure they can be accessed to facilitate investigations. | Access Control | i5 Health stated that the retention period of Windows system and SQL-based audit logs has been reviewed and included in future scheduled backups. An extract of the audit logs was provided to the Audit Team. | Opportunity for improvement | Closed
9 | There are inconsistencies regarding how the data supplied by NHS Digital is referred to across i5 Health’s documentation (for example, some documents refer to it as “HES” and some as “SUS”). The terminology should be standardised to ensure consistent reference. | Operational Management | i5 Health has updated its documents and databases to use the terms HES and SUS more accurately. Furthermore, its Information Asset Register (IAR) has also been updated to reflect consistent use of the terms. i5 Health provided an extract from its document library and the IAR as evidence. | Opportunity for improvement | Closed
10 | The version control information for the Data Protection Impact Assessment (DPIA), Record of Processing Activities (ROPA) and HES risk register documents should be corrected on the next review of these documents. | Operational Management | i5 Health has updated its DPIA, ROPA and HES risk register to include version control. Copies of these documents were provided to the Audit Team. | Opportunity for improvement | Closed



Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 21 May 2023 3:05 pm