Post Audit Review: South London and Maudsley NHS Foundation Trust
This report provides the formal closure of the remote data sharing audit of South London and Maudsley NHS Foundation Trust in September and October 2021.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of South London and Maudsley NHS Foundation Trust (SLaM) between 27 September and 1 October 2021. It provides an evaluation of how SLaM conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-00107-Q0L0N-v2.01
- the data sharing agreement (DSA) DARS-NIC-292279-Z2S5T-v6.6
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 1997/98 – 2019/20 |
HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2019/20 |
HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 – 2019/20 |
HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 – 2018/19 |
Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2005 - March 2020 |
MRIS – Cohort Event Notification Report | Identifiable, Sensitive | October 2005 - March 2020 |
MRIS - Cause of Death Report | Identifiable, Sensitive | October 2005 - March 2020 |
Demographics | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
The Controller is SLaM and the Processor is Microsoft UK.
Following a post audit review published in December 2022, 1 agreement nonconformity remained open.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by SLaM in May 2023.
Post audit review outcome
Based on the evidence provided by SLaM, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and SLaM.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original Risk Statement: Low
Previous Risk Statement: Low
Current Risk Statement: Low
Data recipient’s acceptance statement
SLaM has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 1 agreement nonconformity, 3 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
Findings 2 to 8 were closed as part of the post audit review published in December 2022.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | SLaM had not conducted security testing of the cloud infrastructure prior to data being transferred. Security testing had been conducted for its on-premise infrastructure. | Access Control | An independent security assessment of the cloud platform was undertaken in January 2023. In response to the assessment, SLaM has produced an action plan for the findings and is currently working through them. Copies of the external assessment report, the resulting action plan and an extract of the Information Security Committee minutes from 19 April 2023, in which the SLaM Senior Information Risk Owner accepted the findings, were supplied to the Audit Team. | Agreement nonconformity | Closed |
2 | Following further assessment and agreement of the nature of passwords, the SLaM Information Security Policy will need to be updated as the current policy is inconsistent with the password settings technically enforced. Passwords were amended during the Covid-19 pandemic to be consistent with Government guidelines. | Access Control | The SLaM Information Security Policy (v9, May 2022) has been updated to recognise the nature of passwords and the need for the technically enforced settings to align with the policy. A copy of the new policy was supplied to the Audit Team. The implementation of the policy has been approved by the Change Approval Board (CAB) and is to be communicated to staff. The amendment to the password settings is being done in stages so that impacts can be assessed. A copy of the CAB approval and the draft staff communication was supplied to the Audit Team. | Observation | Closed |
3 | A deprecated hash algorithm is used to derive the pseudonymised patient identifier in the anonymised datasets made available to approved researchers. | Access Control | The hash algorithm has been changed to a secure version. | Observation | Closed |
4 | SLaM had completed a Data Protection Impact Assessment (DPIA), however, it did not contain the most up to date information. The DPIA is due to be updated following release of the new Data Sharing Agreement (DSA). | Operational Management | The DPIA was revised in February 2022. A copy of the latest DPIA was supplied to the Audit Team. | Observation | Closed |
5 | SLaM should consider including a reminder to acknowledge the use of HES data in publications, within the guidance provided to users of the Clinical Record Interactive Search (CRIS) system. | Operational Management | The CRIS guidance documents have been revised to request users to include a statement acknowledging the use of HES data in publications. A copy of the revised guidance documentation was supplied to the Audit Team. | Opportunity for improvement | Closed |
6 | SLaM should reassess its use of built-in administrator accounts as recommended by Microsoft. | Access Control | SLaM has amended its use of built-in administrator accounts. Screenshots from the tools being used to manage privileged accounts were supplied to the Audit Team. | Opportunity for improvement | Closed |
7 | SLaM should consider what specialist training is provided to staff employed in named positions, for example, Information Asset Owner (IAO) and Information Asset Administrator (IAA). | Operational Management | SLaM reported that filming for IAO and IAA training is due to be completed in August and then will be implemented. SLaM stated that any IAOs or IAAs who had not completed the training but were named in a DPIA would be required to complete the training before the DPIA could be approved. | Opportunity for improvement | Closed |
8 | At the post audit review, the Audit Team will review evidence of data destruction in relation to data previously stored on-premise. | Data Destruction | A Certificate of Destruction for the data previously held on-premise was received and approved by DARS in March 2022. | Follow-up | Closed |
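Finding 3 records that the hash algorithm used to derive the pseudonymised patient identifier was replaced with a secure one, but the report does not say whether the hash is keyed. The check a practitioner would want to apply is that an unkeyed hash of a short structured identifier such as an NHS number (nine digits plus a modulus-11 check digit) can be reversed by enumerating candidate identifiers and hashing each one, whatever the algorithm, so swapping MD5 for SHA-256 on its own does not re-identification-proof the dataset; a keyed construction (HMAC under a key held by the controller and kept out of the research environment) does. The following example is added here to illustrate that point and is not code from the report, from SLaM or from NHS England; the three identifiers, the six-digit prefix used to bound the search, and the key are all constructed for the demonstration, and nothing here reflects how SLaM's pseudonymisation is actually implemented.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample identifiers with valid NHS-number check digits; not real patients.
SAMPLE_IDS: List[str] = ["9434765919", "9434765870", "9434765927"]


def nhs_check_digit(first_nine: str) -> Optional[str]:
    """Modulus-11 check digit for an NHS number; None when no valid digit exists."""
    total = sum(int(d) * w for d, w in zip(first_nine, range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        return "0"
    if check == 10:
        return None  # these nine-digit prefixes are never issued
    return str(check)


def unkeyed_pseudonym(nhs_number: str, algorithm: str = "md5") -> str:
    """Plain hash of the raw identifier: the pattern behind the finding (any algorithm)."""
    return hashlib.new(algorithm, nhs_number.encode()).hexdigest()


def keyed_pseudonym(nhs_number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the controller, not the researchers."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def candidate_ids(prefix: str) -> Iterable[str]:
    """Every structurally valid NHS number beginning with `prefix` (at most 9 digits)."""
    missing = 9 - len(prefix)
    for n in range(10 ** missing):
        base = prefix + str(n).zfill(missing)
        check = nhs_check_digit(base)
        if check is not None:
            yield base + check


def reverse_pseudonyms(pseudonyms: Iterable[str], prefix: str,
                       pseudonymise: Callable[[str], str]) -> Dict[str, str]:
    """Dictionary attack: rebuild pseudonym -> identifier by hashing each candidate."""
    targets = set(pseudonyms)
    recovered: Dict[str, str] = {}
    for cand in candidate_ids(prefix):
        p = pseudonymise(cand)
        if p in targets:
            recovered[p] = cand
    return recovered


def demo(prefix: str = "943476") -> Dict[str, int]:
    """Count identifiers an attacker recovers under each scheme, searching only `prefix`.

    The prefix bounds the search to about a thousand candidates so the demo is instant;
    the full space is ~10**9 valid numbers, which is still trivial for a GPU against
    an unkeyed hash.
    """
    results: Dict[str, int] = {}
    for alg in ("md5", "sha256"):
        published = [unkeyed_pseudonym(i, alg) for i in SAMPLE_IDS]
        hit = reverse_pseudonyms(published, prefix, lambda x, a=alg: unkeyed_pseudonym(x, a))
        results[alg] = len(hit)

    # Keyed scheme: the controller holds the key; the attacker only sees the outputs
    # and can try unkeyed hashes (or HMAC under any guessed key) without success.
    key = secrets.token_bytes(32)  # constructed for the demo
    published = [keyed_pseudonym(i, key) for i in SAMPLE_IDS]
    hit = reverse_pseudonyms(published, prefix, unkeyed_pseudonym)
    hit.update(reverse_pseudonyms(published, prefix,
                                  lambda x: keyed_pseudonym(x, secrets.token_bytes(32))))
    results["hmac"] = len(hit)
    return results


if __name__ == "__main__":
    print(demo())  # unkeyed md5 and sha256 are fully reversed; the HMAC outputs are not
```

The keyed pseudonym is still deterministic for a fixed key, so linkage across datasets works as before; what changes is that re-identification now requires the key rather than a few minutes of hashing. Rotating or losing the key breaks linkage, so key custody (and who can run the pseudonymisation step) is the control to evidence alongside the algorithm change.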
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 July 2023 3:21 pm