NHS England Data Sharing Remote Audit: NHS North Central London Integrated Care Board
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of NHS North Central London Integrated Care Board (NCL ICB) between 4 and 7 March 2024. It provides an evaluation of how NCL ICB and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-369360-Z5R7D-v2.02
- the data sharing agreements (DSA):
  - DARS-NIC-362253-J5V8L-v3.2
  - DARS-NIC-615974-Y3R7Q-v0.2
- the organisations’ own policies, processes and procedures
These DSAs cover the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Commissioning Datasets | Sensitive | Ad-hoc irregular dissemination |
Invoice Validation Datasets | Identifiable, Sensitive | Ad-hoc irregular dissemination |
The Controller is NCL ICB and the Processors are NHS North East London ICB, Microsoft Limited, NHS South West London ICB, NHS North of England Commissioning Support Unit (NECS CSU), NHS North West London ICB and NHS South East London ICB. The DSA allows the Controller to share data with other organisations under a sub-license agreement.
Data provided by NHS England is used to provide intelligence to support the commissioning of health services. The data is analysed so that health care provision can be planned to support the needs of the population within the ICB area.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
Audit type | Focused |
---|---|
Scope areas | Data Use and Benefits; Information Transfer; Access Control |
Restrictions | Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
NCL ICB has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
NCL ICB will establish a corrective action plan to address each finding shown in the tables below. The Audit Team will validate this plan and the resultant actions at a post audit review with NCL ICB to confirm the findings have been satisfactorily addressed.
Findings
The following tables identify the 3 observations and 1 opportunity for improvement raised as part of the audit.
NCL ICB
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | NCL ICB must have Data Processing Agreements in place with all processors listed in the DSA before they are used. However, some organisations are not currently processing data and are listed to allow them to do so in the future. Alternatively, any inactive processors should be removed from the DSA. | Operational Management | DSA, Annex A, Section 1c | Observation |
2 | Staff under honorary contract are accessing data provided by NHS England. The details of these users and of the oversight process to authorise them have not been outlined within the DSA. | Operational Management | DSA, Annex A, Section 5b | Observation |
3 | Two NCL ICB servers used to store data provided by NHS England are running an Operating System that is approaching end of support. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
NECS CSU
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
4 | NECS CSU should ensure that the Controlled Environment for Finance (CEfF) Standard Operating Procedure (SOP) is reviewed within its allocated review date. | Operational Management | CEfF Processing an NCA invoice (Ref. CF.NCA.2.5) | Opportunity for improvement |
Use of data
NCL ICB confirmed that the datasets were only being processed and used for the purposes defined in the DSAs and were only being linked with those datasets explicitly allowed in the DSAs.
Data location
NCL ICB and Microsoft confirmed that processing and storage locations, including disaster recovery and backups of the datasets, were limited to the locations shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
Organisation | Territory of Use |
---|---|
NCL ICB | England / Wales |
Microsoft | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
Organisation | Media type | Period |
---|---|---|
Microsoft | Cloud | 6 months |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 May 2024 8:56 am