
NHS England Post Audit Review: NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board

This report provides an update on progress of the remote data sharing audit of NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board (ICB) and its Processors in October 2022.

Audit summary

Purpose

This report provides an update on progress of the remote data sharing audit of NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board (ICB) and its Processors between 3 and 7 October 2022 against the requirements of:

  • the data sharing framework contract (DSFC) CON-433692-X1V5Y-v2.01
  • the data sharing agreement (DSA) DARS-NIC-422183-C3K9L-v4.2
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
--- | --- | ---
Secondary Uses Service (SUS) for Commissioners | Identifiable, Sensitive | 01/04/2013 - latest available
National Diabetes Audit | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available
e-Referral Service for Commissioning | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available
Medicines dispensed in Primary Care (NHSBSA data) | Pseudo/Anonymised, Non-sensitive | 01/04/2018 - latest available
Mental Health Minimum Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - 31/03/2014
Mental Health Learning Disabilities Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2014 - 31/12/2015
Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available
Patient Reported Outcome Measures | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available
Diagnostic Imaging Dataset | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available
Mental Health Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available
Maternity Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - latest available
Children and Young People Health | Pseudo/Anonymised, Non-sensitive | 01/04/2016 - 31/10/2017
SUS for Commissioners | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Acute-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Ambulance-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Community-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Demand for Service-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Diagnostic-Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Emergency Care-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Experience, Quality and Outcomes-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Mental Health-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Other Not Elsewhere Classified (NEC)-Local Provider Flow | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Population Data-Local Provider Flow | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Primary Care Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Public Health and Screening Services-Local Provider Flows | Pseudo/Anonymised, Non-sensitive | 01/04/2008 - latest available
Civil Registration-Deaths | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available
Civil Registration-Births | Pseudo/Anonymised, Non-sensitive | 01/04/2013 - latest available
Personal Demographic Service | Pseudo/Anonymised, Non-sensitive | 01/05/2011 - latest available
Community Services Data Set | Pseudo/Anonymised, Non-sensitive | 01/11/2017 - latest available
Adult Social Care | Pseudo/Anonymised, Non-sensitive | 01/01/2015 - latest available
Summary Hospital-level Mortality Indicator | Pseudo/Anonymised, Non-sensitive | 01/05/2011 - latest available
National Cancer Waiting Times Monitoring Dataset (NCWTMDS) | Pseudo/Anonymised, Non-sensitive | 01/04/2009 - latest available

The Controller is the ICB, although the DSA still refers to Clinical Commissioning Groups (CCGs). There are numerous Processors declared in the DSA. However, as the original audit was focused on sub-licensing activities, only the following Processors were interviewed as part of the audit: NHS Arden and Greater East Midlands Commissioning Support Unit (CSU) and Hertfordshire, Bedfordshire and Luton Information Technology (HBL ICT). HBL ICT is undeclared in the DSA. Microsoft Limited is also declared as a Processor that provides cloud storage.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.

As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review.

Post Audit Review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the ICB and the CSU between July and August 2023.

Post Audit Review Outcome

Based on the evidence, the Audit Team has found that the ICB and the CSU have not suitably addressed the findings. 1 agreement nonconformity remains open. This finding has now been handed over to the representative of the SIRO in the IG Risk and Assurance team at NHS England to progress as appropriate with the ICB and CSU.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the post audit review.

Original risk statement: Medium

Current risk statement: Low

Data recipient’s acceptance statement

The ICB and the CSU have reviewed this report and confirmed that it is accurate.

Status

The following tables identify the 7 agreement nonconformities, 1 organisation nonconformity, 1 observation, 4 opportunities for improvement and 6 points for follow-up raised as part of the audit.

ICB

Ref 1
Finding: The ICB has not updated its privacy notice to take into account the sub-licensing arrangements as required by the DSA.
Link to area: Operational Management
Update: The privacy notice has been updated to include the sub-licensing arrangements as required by the DSA. The privacy notice is available on the Bedfordshire, Luton and Milton Keynes ICB website.
Designation: Agreement nonconformity
Status: Closed

Ref 2
Finding: There are no valid sub-licensing agreements at an organisation level between the ICB and the ICS partners. In some cases an agreement had been signed by the ICS partner; however, the sign-off section for the ICB was not complete. Honorary contracts were put in place to allow public health staff to work under the CCG arrangements whilst the ICB was being set up and ICS partnership arrangements, including the sub-licensing arrangements, were being finalised; however, at the time of the audit the honorary contracts had expired.
Link to area: Use and Benefits
Update: The ICB confirmed that all sub-licensing agreements have been signed by both ICB and Integrated Care System (ICS) partners. The Audit Team received copies of completed sub-licensing agreements.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: The data are being processed and stored at locations not declared in the DSA. All the locations are within England. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Data Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS Digital on request.
Link to area: Information Transfer
Update: DARS has been informed of the additional storage and processing locations.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: The ICB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA.
Link to area: Operational Management
Update: A ROPA is currently being developed by the ICB. However, the ICB was unable to confirm a target date for its completion.
Designation: Agreement nonconformity
Status: Open

Ref 5
Finding: Some users that had access to the GEMIMA platform had not completed data protection training in the last 12 months.
Link to area: Operational Management
Update: The Information Governance (IG) Assistant at the ICB contacted all non-compliant staff and reminded them to undertake their training and not to use GEMIMA until the training was complete. An IG newsletter also contained an article reminding staff to complete their annual IG training. The Audit Team received copies of training certificates and completion reports for the previously non-compliant members of staff.
Designation: Agreement nonconformity
Status: Closed

Ref 6
Finding: The ICB is using a third-party IT provider to manage its IT infrastructure and the backups. This Processor is not declared in the DSA.
Link to area: Access Control
Update: The Audit Team received evidence that the DSA has been updated to include the third-party IT provider.
Designation: Agreement nonconformity
Status: Closed

Ref 7
Finding: The ICB should remind sub-licensees that any reports created using the data and externally shared must be aggregated and small numbers suppressed in line with NHS Digital guidance.
Link to area: Use and Benefits
Update: Sub-licensees have been reminded that any reports created using the data and externally shared must be aggregated and small numbers suppressed in line with NHS England guidance. The Audit Team received copies of email communication between the ICB and its sub-licensees.
Designation: Observation
Status: Closed

Ref 8
Finding: The ICB should consider providing Information Asset Owner (IAO) and Information Asset Administrator (IAA) refresher training as it is a new organisation. The last time the training was provided by the CCG was in April 2020.
Link to area: Operational Management
Update: The ICB has provided IAO refresher training and all IAOs were asked to review the Information Asset Register (IAR). The Audit Team received evidence that IAOs reviewed the IAR and attended refresher training.
Designation: Opportunity for improvement
Status: Closed

Ref 9
Finding: The ICB should consider requesting assurance from sub-licensees that they are meeting the specific sub-licensing conditions set out in the DSA.
Link to area: Use and Benefits
Update: The ICB emailed sub-licensees requesting assurance that they are meeting the specific sub-licensing conditions as set out in the DSA. The Audit Team received copies of the email communication between the ICB and its sub-licensees.
Designation: Opportunity for improvement
Status: Closed

Ref 10
Finding: At the post audit review, the Audit Team will review the updated Information Asset Register (IAR). This work has been scheduled following the transition from the CCGs to the ICB.
Link to area: Operational Management
Update: The IAR has been updated and a copy was provided to the Audit Team.
Designation: Follow-up
Status: Closed

Ref 11
Finding: At the post audit review, the Audit Team will review the progress made on re-identifying data for direct patient care purposes by one of the ICS partners.
Link to area: Use and Benefits
Update: A legal basis between the ICB and NHS England has been established.
Designation: Follow-up
Status: Closed

Ref 12
Finding: The ICB is reviewing its own processes and the following points should be taken into consideration:
  • user awareness of the requirements in the DSFC and DSA within the ICB
  • agreed locations on the ICB network where data supplied by NHS Digital can be stored
  • regular access reviews of who has access to the data on the ICB network.
The above items will be followed up by the Audit Team at the post audit review.
Link to area: Operational Management
Update: The ICB has produced articles in IG newsletters to raise awareness of data sharing agreements. An access review of data on the ICB network was performed in November 2022, and an audit of GEMIMA users was then performed that reviewed the agreed locations where the data supplied by NHS England can be stored. The Audit Team received copies of the IG newsletter and the outcomes of the GEMIMA audit.
Designation: Follow-up
Status: Closed

Ref 13
Finding: At the post audit review, the Audit Team will review the updated Data Protection Impact Assessment (DPIA).
Link to area: Operational Management
Update: The Audit Team reviewed the updated DPIA.
Designation: Follow-up
Status: Closed

CSU

Ref 14
Finding: The CSU has not completed a ROPA for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents.
Link to area: Operational Management
Update: A ROPA has been completed for the data supplied under the DSA. The Audit Team received evidence of the completed ROPA.
Designation: Agreement nonconformity
Status: Closed

Ref 15
Finding: The CSU has not conducted a bi-annual review of user access to personal confidential data for the GEMIMA platform as required by its documentation. The last review was conducted in February 2022.
Link to area: Access Control
Update: A review of user access was carried out in February 2023. The Audit Team received evidence of the outcome of the review.
Designation: Organisation nonconformity
Status: Closed

Ref 16
Finding: The CSU could enhance its account management process for the GEMIMA platform by carrying out more frequent audits to identify dormant accounts. Currently, the CSU conducts this audit on an annual basis.
Link to area: Access Control
Update: A process has been implemented to perform proactive monitoring of accounts. The Audit Team received evidence of a standard operating procedure document outlining the process and evidence of the most recent audit performed.
Designation: Opportunity for improvement
Status: Closed

Ref 17
Finding: The CSU runs security assessments on an ad hoc basis; however, there are plans to make this more regular.
Link to area: Access Control
Update: The CSU confirmed that security assessment scanning is now performed monthly by the Cyber Team.
Designation: Opportunity for improvement
Status: Closed

Ref 18
Finding: At the post audit review, the Audit Team will review the progress made to set up proactive alerts to review the re-identification request logs. Currently, re-identification request logs are collated and analysed only on a reactive basis.
Link to area: Use and Benefits
Update: An internal report of re-identification requests has been set up on GEMIMA, which can be used to investigate unusual requests and follow up as needed. This report will be reviewed by the CSU at monthly Governance Group meetings. The Audit Team received evidence of the latest internal report from March 2023.
Designation: Follow-up
Status: Closed

Ref 19
Finding: At the post audit review, the Audit Team will review the plan to replace the software used within the sub-licensing environment.
Link to area: Access Control
Update: The CSU has a plan in place to move the data provided by NHS England from on-premises servers to a cloud solution by December 2023. The Audit Team received evidence of a cloud transformation roadmap and an alternative contingency plan roadmap in case the data is not moved to the cloud. The Data Sharing Agreement will be updated to reflect these changes where applicable.
Designation: Follow-up
Status: No longer applicable

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 6 March 2024 10:29 am