
NHS England Post Audit Review: NHS North Central London Clinical Commissioning Group

This report provides the formal closure of the remote data sharing audit of NHS North Central London Clinical Commissioning Group in April and May 2022. 

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of NHS North Central London Clinical Commissioning Group (NCL CCG) between 25 April and 4 May 2022.  It provides an evaluation of how NCL CCG conforms to the requirements of:

  • the data sharing framework contract (DSFC) CON-369360-Z5R7D-v2.01
  • the data sharing agreement (DSA) DARS-NIC-362253-J5V8L-v3.2
  • the organisation’s own policies, processes and procedures 

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Mental Health Services Data Set | Identifiable, Sensitive | 1 April 2016 to 12 January 2025 |
| SUS for Commissioners | Identifiable, Sensitive | 1 April 2020 to 12 January 2025 |
| National Diabetes Audit | Pseudo/Anonymised, Sensitive | 1 April 2013 to 12 January 2025 |
| e-Referral Service for Commissioning | Pseudo/Anonymised, Sensitive | 1 April 2013 to 12 January 2025 |
| Medicines dispensed in Primary Care (NHSBSA data) | Pseudo/Anonymised, Sensitive | 1 April 2018 to 12 January 2025 |
| Mental Health Minimum Data Set | Pseudo/Anonymised, Sensitive | 1 April 2013 to 31 March 2014 |
| Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, Sensitive | 1 April 2014 to 31 December 2015 |
| Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Sensitive | 1 April 2016 to 12 January 2025 |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Sensitive | 1 April 2013 to 12 January 2025 |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Sensitive | 1 April 2016 to 12 January 2025 |
| Mental Health Services Data Set | Pseudo/Anonymised, Sensitive | 1 April 2016 to 12 January 2025 |
| Maternity Services Data Set | Pseudo/Anonymised, Sensitive | 1 April 2016 to 12 January 2025 |
| Children and Young People Health | Pseudo/Anonymised, Sensitive | 1 April 2016 to 31 October 2017 |
| SUS for Commissioners | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Acute-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Ambulance-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Community-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Demand for Service-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Diagnostic Services- Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Emergency Care- Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Experience, Quality and Outcomes - Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Mental Health- Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Other Not Elsewhere Classified (NEC) - Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Population Data- Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Primary Care Services-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Public Health and Screening Services-Local Provider Flows | Pseudo/Anonymised, Sensitive | 1 April 2020 to 12 January 2025 |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | 1 April 2013 to 12 January 2025 |
| Civil Registration - Births | Pseudo/Anonymised, Sensitive | 1 April 2013 to 12 January 2025 |
| Personal Demographic Service | Pseudo/Anonymised, Sensitive | 1 May 2011 to 12 January 2025 |
| Community Services Data Set | Pseudo/Anonymised, Sensitive | 1 November 2017 to 12 January 2025 |
| Adult Social Care | Pseudo/Anonymised, Sensitive | 1 January 2015 to 12 January 2025 |
| Summary Hospital level Mortality Indicator | Pseudo/Anonymised, Sensitive | 1 May 2011 to 12 January 2025 |
| National Cancer Waiting Times Monitoring Data Set (NCWTMDS) | Pseudo/Anonymised, Sensitive | 1 April 2009 to 12 January 2025 |

In the DSA, the Controller was NCL CCG, and the Processors were North and East London Clinical Support Unit (NEL CSU), North of England CSU (NECS) and Microsoft UK. However, after the DSA was signed, there were changes to the Processors and their roles, most significantly to NEL CSU. At the time of the audit the Processors were NEL CCG, London Shared Services (LSS), NECS and Microsoft UK.

Since the audit, NCL CCG and LSS have both ceased to exist. The former’s commissioning and Controller responsibilities have predominantly transferred to the North Central London Integrated Care Board (NCL ICB), while CSU roles have moved into NCL ICB, NEL ICB and other organisations.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 
 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by NCL ICB between February and April 2023. Video conference calls to review evidence were held in March and April 2023.

Post audit review outcome

Based on the evidence provided by NCL ICB, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and NCL ICB.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Low

Current Risk Statement: Low


Data recipient’s acceptance statement

NCL ICB has reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 5 agreement nonconformities, 1 observation, 5 opportunities for improvement and 3 points for follow-up raised as part of the original audit. 


Note: whilst the findings assigned in the original audit report continue to reference the names of the audited organisations, the update column reflects any subsequent changes in organisational names and roles.
 

NCL CCG

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Since the DSA was signed on 13 January 2022 there have been changes to the organisations processing the data, and their associated processing and storage locations, which are not reflected on the DSA. Over the coming months further changes are planned. | Information Transfer | NCL ICB reported that the Data Access Request Service (DARS) had been informed of the changes. Since the original audit, a new DSA has been issued, DARS-NIC-615974-Y3R7Q-v0.2. However, DARS no longer publishes storage and processing locations in a DSA. DARS does however require the Controller to maintain a list of such locations. A list of active storage and processing locations was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 2 | One of the laptops sampled during the audit had a non-functional anti-virus solution which requires re-installation. | Access Control | NCL ICB reported that following the merger to the ICB all machines not under warranty were replaced with new machines, including the sampled laptop that had a non-functional anti-virus solution. All other machines were re-imaged to the new organisation and all security software upgraded and renewed. | Agreement nonconformity | Closed |
| 3 | NCL CCG to review the accuracy of its document management information as several of its policies have errors on the front cover including dates and version numbers. | Operational Management | NCL ICB reported that all Information Governance (IG) policies had been updated to reflect the creation of the NCL ICB, thereby replacing the CCG policies. The new core NCL ICB IG policies were provided to the Audit Team. For the policies provided, the document management information was consistent with the front cover. | Agreement nonconformity | Closed |
| 4 | A recent access control review failed to identify a NCL CCG staff member who no longer required access to data provided by NHS Digital, due to an internal move between departments. | Access Control | NCL ICB reported that following a recent migration from Intelligence Solutions for London (ISL) to NCL ICB, all accounts were revoked and reissued to current members of the team only. This action removed anyone no longer working for the ICB or within the Intelligence function. | Agreement nonconformity | Closed |
| 5 | The NCL CCG Information Asset Register (IAR) does not identify the datasets provided by NHS Digital. Currently the IAR is focused on the assets generated by the CCG, for example reports and outputs. | Operational Management | A copy of the latest IAR which identifies individual datasets supplied under the DSA was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 6 | A small number of staff with access to the data supplied by NHS Digital are just outside of the 12-month data protection training window. | Operational Management | NCL ICB reported that the Information Asset Owner (IAO) and IG Compliance Manager had reviewed the workforce system training records and confirmed training was up to date for those with access to the data supplied under the DSA. The new training list was shown to the Audit Team during a video call. | Observation | Closed |
| 7 | At the next review of the NCL CCG Information Governance Framework (currently v0.6), the CCG should review the bulleted list in section 3.1 to ensure it accurately reflects its requirements and the text is clear as to what is to be delivered. | Operational Management | NCL ICB reported that a review of the Information Governance Framework had found it to be inadequate. As a result, the Framework was withdrawn, with relevant information moved to the NCL ICB Information Governance policy, v0.12. The bulleted list mentioned in the original finding does not appear in the new policy. | Opportunity for improvement | Closed |
| 8 | NCL CCG to consider developing a risk management training pack as part of its plan to provide risk management training to all staff. | Risk Management | NCL ICB’s IG Training Needs Analysis, Communications and Training Plan 2022-23 includes a commitment to “Supporting staff through training and practical guidance on key IG issues and risks”. NCL ICB has also added a section on Risk Management to its corporate induction training pack slides (dated September 2022). Copies of both the training plan and slides were supplied to the Audit Team. | Opportunity for improvement | Closed |
|  | NCL CCG could not provide a copy of the latest honorary contract for a member of staff with access to data provided by NHS Digital. NCL CCG should also agree the wording with the Data Access Request Service (DARS) team around any continuing honorary contracts. | Operational Management | NCL ICB reported that the IAO had conducted a review of users and confirmed only NCL staff have user access to the data. However, an HR-approved copy of NCL’s new Honorary Contract template (September 2022) was available should it be required. A copy of the Honorary Contract template was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 10 | The Audit Team suggested that NCL CCG should ensure all appropriate new teams and stakeholders review any new DSFC and DSA to ensure that they are fully aware of their responsibilities and are fully compliant. | Operational Management | NCL reported it had reviewed the purposes of processing as defined in the DSA. Emails stating compliance with the terms of the framework contract and DSAs from the Senior Information Risk Owner and IAO were supplied to the Audit Team. Whilst the Audit Team has closed this finding based on the evidence provided, it is important that any new stakeholders, including Processors, are provided with the DSFC and DSA. | Opportunity for improvement | Closed |

 

NEL CCG

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 11 | NEL CCG to add the outdated servers to its risk register, along with the mitigation for their current retention. | Access Control | NEL ICB has added a risk regarding the outdated servers to its service risk register. However, since the on-premise servers have now been securely destroyed, the risk has been closed. This risk was viewed as part of Finding 13. | Opportunity for improvement | Closed |
| 12 | At the post audit review, the Audit Team will review the status of the decommissioning or reuse of the on-premises secure file transfer server. | Data Destruction | The ticket for the decommissioning of the Data Management Integration Centres environment, including the secure file transfer server, along with associated destruction certificates, were supplied to the Audit Team. | Follow-up | Closed |
| 13 | At the post audit review, the Audit Team will review the NEL CCG operational risk register. | Risk Management | During a video call the NEL ICB operational risk register was shown. | Follow-up | Closed |
| 14 | At the post audit review, the Audit Team will review evidence of the NEL CCG IAR and Record of Processing Activities (ROPA), as it pertains to the data supplied under the DSA. The Audit Team will also require confirmation of the appointed Information Asset Owner. | Operational Management | An extract of the IAR which also forms the ROPA was supplied to the Audit Team. The full IAR was displayed during a video call. The IAR clearly shows the IAO. | Follow-up | Closed |

 


Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 10 July 2023 12:52 pm