Post Audit Review: Belfast Health and Social Care Trust
This report provides the formal closure of the remote data sharing audit of Belfast Health and Social Care Trust (BHSCT) and its Processor between 21 and 29 March 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Belfast Health and Social Care Trust (BHSCT) and its Processor between 21 and 29 March 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-304112-D2Q8H
- the data sharing agreement (DSA) DARS-NIC-10029-G5R2H-v0.2
- the organisations’ own policies and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period | |
|---|---|---|---|
| MRIS-Personal Demographic Service | Pseudo/Anonymised, Sensitive | Historic Data Request |
The Controller is BHSCT and the Processor is the Health and Social Care Business Services Organisation (HSC BSO).
Following a post audit review published in July 2023, 6 agreement nonconformities and 4 opportunities for improvement remained open.
As the original audit took place before the merger of NHS Digital and NHS England, this report references both organisations as part of the post audit review.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This second post audit review comprised a desk-based assessment and video calls of the action plan and supporting evidence supplied by BHSCT between December 2023 and May 2024.
Post Audit Review Outcome
Based on the evidence, the Audit Team has found that BHSCT has not suitably addressed all the findings. Three agreement nonconformities remain open.
These open findings have now been handed over to the representative of the Senior Information and Risk Owner (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with BHSCT.
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Original risk statement: High
Previous Risk Statement: High
Current Risk Statement: Medium
Data recipient’s acceptance statement
BHSCT has reviewed this report and confirmed that it is accurate.
Findings
The following tables identify the 10 agreement nonconformities, 3 organisation nonconformities, 4 observations, 5 opportunities for improvement raised as part of the original audit.
BHSCT
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Data had been onwardly shared with 6 external research organisations without being aggregated which was not allowed by the DSA. Data had also been shared outside of the stated territory of use (UK). | Information Transfer |
BHSCT has forwarded data destruction certificates for all but one of the organisations which received the data to NHS England. These have been reviewed by NHS England’s security team who have deemed one certificate as acceptable. All other certificates require further information to be provided. For the outstanding organisation, the researcher who received the data has now left the organisation. Their DPO carried out a review of their systems and their profile / records were erased as part of the leavers process. As the organisation have no data on their systems anymore related to this researcher, they are unable to confirm destruction, but can confirm all the researcher’s data has been destroyed and is not on their system. |
Agreement nonconformity | Open |
| 2 |
The storage locations in the DSA do not reflect the actual addresses where the data is stored. |
Information Transfer | The Audit Team has seen a new DSA, DARS-NIC-10029-G5R2H-v1.3, which includes the missing storage locations. | Agreement nonconformity | Closed |
| 3 |
All staff with access to the NHS Digital data have not received data protection training in the last 12 months. |
Operational Management |
The Audit Team has seen evidence that staff have completed and are up to date with their data protection training. Only one member of staff has been unable to complete the training due to extended sick leave and will complete on their return. The BHSCT has created a new tracker which will be used to ensure all staff who still require access to the data maintain annual data protection training. |
Agreement nonconformity | Closed |
| 4 | Security assessments have not been performed. | Access Control |
Northern Ireland Clinical Trials Unit (NICTU) confirmed to the Audit Team that a security assessment was undertaken in July 2022. However, this has not been revisited since the migration of the servers. NICTU have requested details from HSC BSO to determine if further assessments are required. |
Agreement nonconformity | Open |
| 5 | Accounts for a small number of staff that had left or no longer require access had not been disabled or deleted. | Access Control |
All staff leavers have now had their accounts disabled. The leaver’s checklist has been updated and now includes accounts details to be disabled including the clinical study database accounts. The Audit Team has been provided with the evidence to confirm this. |
Agreement nonconformity | Closed |
| 6 | The Information Asset Register (IAR) does not include an entry for the data supplied by NHS Digital. | Operational Management | The Audit Team has seen an updated version of the NICTU IAR. It has been updated with guidance from Belfast Trust Information Governance (IG) to include the data held by NICTU that was received from NHS Digital. | Agreement nonconformity | Closed |
| 7 | A Data Protection Impact Assessment (DPIA) has not been undertaken by BHSCT for the NHS Digital data. It is BHSCT’s practice to complete at least the DPIA screening checklist to assess if a full DPIA is required. | Operational Management | BHSCT has provided the Audit Team a completed DPIA which has been signed off by the IAO. | Organisation nonconformity | Closed |
| 8 | The minimum password length for an application was not in line with the Health and Social Care (Northern Ireland) (HSCNI) Accounts and Passwords All User Standard policy. | Access Control | NICTU has amended the clinical study database minimum password length which is now in line with the policy. | Organisation nonconformity | Closed |
| 9 | The Information Asset Owner (IAO) had not completed a specialist training refresher course in line with BHSCT requirements. | Operational Management | BHSCT confirmed the IAO completed specialist training in June 2022. Evidence of the training was provided to the Audit Team. | Organisation nonconformity | Closed |
| 10 | The 6 external organisations that were previously supplied with the data have not been asked to refrain from processing the data or to delete the data. | Data Destruction | NICTU provided the Audit Team with copies of emails they sent to the 6 external organisations. The emails stated data had been shared without an appropriate data access agreement and have requested for the data to be deleted. | Observation | Closed |
| 11 | A Record of Processing Activity (ROPA) had not been completed for the HARP2 trial. If the ability to process data is reinstated in a future DSA, then a ROPA needs to be completed. | Operational Management | NICTU shared a completed ROPA with the Audit Team. | Observation | Closed |
| 12 | Data supplied by NHS Digital had been processed on unencrypted machines where if the application crashed, then temporary files would be cached on the machine’s local drive. This potential situation would need to be assessed prior to any future processing. | Information Transfer | BHSCT provided evidence that all PC’s used by statistical and health economics staff with STATA installed have now been encrypted. | Observation | Closed |
| 13 | BHSCT has still to agree its System Level Security Policy (SLSP) with the Data Access Request Service (DARS) team by the end of April 2022. | Operational Management | BHSCT has received an email from DARS which confirms the SLSP is a general catch all terms and that the information provided by BHSCT in the format provided was acceptable. A copy of the email was provided to the Audit Team. | Observation | Closed |
| 14 | BHSCT should consider developing a standard operating procedure or enhance an existing procedure to support the electronic deletion of data to ensure that specific requirements of the DSFC are carried out. | Data Destruction | The NICTU standard operating procedures (SOPs) have been reviewed by the SOP Working Group and guidance has been provided by BHSCT ICT department in relation to the electronic deletion of data. | Opportunity for improvement | Closed |
| 15 | BHSCT should update its Data Transfer Procedure to seek permission of the data owner before sending data to other recipients. | Operational Management |
NICTU have updated the procedure on data transfer. A copy was provided to the Audit Team. |
Opportunity for improvement | Closed |
| 16 | BHSCT should seek clarification from its service provider as to how the hosted infrastructure is segregated and that appropriate controls have been applied. | Operational Management | NICTU has reviewed the situation with HSC BSO and agreed their plan to address the issues raised. The actions were completed in October 2023. | Opportunity for improvement | Closed |
| 17 | The DSFC and DSA should be shared with key support teams to ensure that they are aware of their responsibilities and obligations. | Operational Management | BHSCT has shared the latest version of the DSA with all parties affected within the Belfast Trust. A copy of the covering email was supplied to the Audit Team. | Opportunity for improvement | Closed |
HSC BSO
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 18 | Software had not been recently patched. | Access Control | HSC BSO provided evidence to the Audit Team that the patching is up to date. | Agreement nonconformity | Closed |
| 19 | Shared logins for some accounts were in use. The nature and number of administration accounts also requires review. | Access Control |
HSC BSO provided evidence to the Audit Team to confirm they no longer need to share logins and each user has an individual account. Administration accounts have been reviewed. |
Agreement nonconformity | Closed |
| 20 | The servers are not recorded on the IT Asset Management system. | Access Control | BSO shared screenshots to the audit team to confirm the IT Asset Management system is now located on the Active Directory domain. | Agreement nonconformity | Closed |
| 21 | Security assessments have not been performed. | Access Control | A security assessment was performed and issues were identified within the report. At the time of this post audit review, these issues have not been resolved. | Agreement nonconformity | Open |
| 22 | A risk assessment should be performed to identify risks associated with the current configuration of the hosted environment. | Operational Management | BSO shared evidence and confirmed to the Audit Team they are now using Tenable to manage risk. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 July 2024 8:36 am