NHS England Post Audit Review: Barts Health NHS Trust
This report provides the formal closure of the remote data sharing audit of Barts Health NHS Trust (Barts) and Queen Mary University of London (QMUoL) between 5 June and 9 June 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Barts Health NHS Trust (Barts) and Queen Mary University of London (QMUoL) between 5 June and 9 June 2023 against the requirements of:
- the data sharing framework contracts (DSFC):
  - CON-325985-Y5F4B-v2.02 (Barts)
  - CON-315125-P6G9X-v2.02 (QMUoL)
- the data sharing agreement (DSA) DARS-NIC-291938-R6V3V-v4.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
MRIS-Cohort Event Notification Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
MRIS-Cause of Death Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
Demographics | Identifiable, Sensitive | Latest Available 03/2022 |
MRIS-Members and Postings | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
MRIS-Flagging Current Status Report | Identifiable, Sensitive | Historic Held (February 2013 – March 2020) |
The Joint Controllers are Barts and the QMUoL and the Processor is Barts.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by Barts.
Post Audit Review Outcome
Based on the evidence provided by Barts, the Audit Team has found that Barts has not suitably addressed all the findings. 4 agreement nonconformities, 1 organisation nonconformity and 1 observation remain open; the 4 opportunities for improvement are provided for reference and are not followed up as part of the post audit review. The open findings have now been handed over to the representative of the Senior Information Risk Owner (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with Barts.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: High
Current risk statement: High
Data recipient’s acceptance statement
Barts has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 5 agreement nonconformities, 1 organisation nonconformity, 1 observation and 4 opportunities for improvement.
Ref | Finding | Link to area | Update | Designation | Status
---|---|---|---|---|---
1 | User permissions to the network folder holding NHS England data were not restricted to the users that were authorised to access the data. Barts raised this with IT support during the audit and it was immediately resolved. The Audit Team has viewed the permissions since and noted that they are now restricted to users authorised to access the data. | Access Control | This finding was resolved during the audit. | Agreement nonconformity | Closed
2 | The Audit Team were unable to verify whether technical controls were in place to record access to the NHS England data. | Access Control | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Agreement nonconformity | Open
3 | Data are being stored at two locations within England that have not been declared in the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data are being processed and stored and to make this list available to NHS England on request. | Access Control | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Agreement nonconformity | Open
4 | The Trust’s Information Asset Register (IAR) does not contain an entry for the data supplied under this DSA. | Access Control | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Agreement nonconformity | Open
5 | A DPIA template had been completed by the IAO for the study in February 2023, but it had not been reviewed by the Information Governance Lead and the Data Protection Officer (DPO). | Operational Management | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Agreement nonconformity | Open
6 | Retention periods have not been defined for the data supplied under the DSFC in line with the Barts Health Records Management Policy. | Operational Management | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Organisation nonconformity | Open
7 | The Audit Team suggests that “Data suppliers” is added to the potential parties to contact in the event of a data breach in the Trust’s Information Governance Incident Handling Procedure. This will ensure that the notification requirement in Part 2 section 4.1.8 of the DSFC is not overlooked in the event of a breach. | Operational Management | The Trust has declared it no longer requires the data it holds. A data destruction certificate has been returned to NHS England. However, it does not contain the correct information to close this finding. The finding remains open and requires action from Barts. | Observation | Open
8 | The Audit Team suggests that a risk assessment is performed on the security controls of the Diabetes Database. | Access Control | Opportunities for improvement are provided for reference and are not followed up as part of any post audit review. | Opportunity for improvement | No longer applicable
9 | A number of the configuration and operational documents provided to the Audit Team need to be reviewed and updated. | Operational Management | Opportunities for improvement are provided for reference and are not followed up as part of any post audit review. | Opportunity for improvement | No longer applicable
10 | The Information Asset Owner (IAO) should consider completing specialist IAO training. | Operational Management | Opportunities for improvement are provided for reference and are not followed up as part of any post audit review. | Opportunity for improvement | No longer applicable
11 | Barts should consider reducing the number of touchpoints of the data and updating relevant documentation about the download process to reflect any changes. | Information Transfer | Opportunities for improvement are provided for reference and are not followed up as part of any post audit review. | Opportunity for improvement | No longer applicable
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 July 2024 10:43 am