Post Audit Review: NHS Cheshire and Merseyside Integrated Care Board
This report provides the formal closure of the remote data sharing audit of NHS Cheshire and Merseyside Integrated Care Board (ICB) and Graphnet Health Limited (Graphnet) in September 2022.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of NHS Cheshire and Merseyside Integrated Care Board (ICB) and Graphnet Health Limited (Graphnet) between 12 and 20 September 2022 against the requirements of:
- the data sharing framework contract (DSFC) CON-331374-L9K3P-v2.01
- the data sharing application in progress (DSA) DARS-NIC-396095-H1P1D-v3.4
- the organisations' own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Acute-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Ambulance-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Children and Young People Health | Identifiable, Sensitive | 01/04/2016 - 31/10/2017 |
Civil Registration - Births | Identifiable, Sensitive | 01/04/2013 - latest available |
Civil Registration - Deaths | Identifiable, Sensitive | 01/04/2013 - latest available |
Community Services Data Set | Identifiable, Sensitive | 01/11/2017 - latest available |
Community-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Demand for Service-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Diagnostic Imaging Dataset | Identifiable, Sensitive | 01/04/2016 - latest available |
Diagnostic Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Emergency Care-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Experience, Quality and Outcomes-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Improving Access to Psychological Therapies Data Set | Identifiable, Sensitive | 01/04/2016 - latest available |
Maternity Services Data Set | Identifiable, Sensitive | 01/04/2016 - latest available |
Mental Health and Learning Disabilities Data Set | Identifiable, Sensitive | 01/04/2014 - 31/12/2015 |
Mental Health Minimum Data Set | Identifiable, Sensitive | 01/04/2013 - 31/03/2014 |
Mental Health Services Data Set | Identifiable, Sensitive | 01/01/2016 - latest available |
Mental Health-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
National Cancer Waiting Times Monitoring Data Set (NCWTMDS) | Identifiable, Sensitive | 01/04/2009 - latest available |
National Diabetes Audit | Identifiable, Sensitive | 01/04/2013 - latest available |
Other Not Elsewhere Classified (NEC)-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Patient Reported Outcome Measures | Identifiable, Sensitive | 01/04/2013 - latest available |
Population Data-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Primary Care Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Public Health and Screening Services-Local Provider Flows | Identifiable, Sensitive | 01/04/2015 - latest available |
Shielded Patient List | Identifiable, Sensitive | 1/10/2020 - latest available |
SUS for Commissioners | Identifiable, Sensitive | 01/04/2015 - latest available |
The Controller is the ICB, and the Processors are Graphnet and Microsoft Limited. Microsoft Limited is the cloud storage provider for Graphnet.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
As the original audit took place before the merger of NHS Digital and NHS England, this report may reference both organisations as part of the post audit review.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the ICB and Graphnet between January and May 2024.
Post Audit Review Outcome
Based on the evidence provided by the ICB and Graphnet, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team, the ICB or Graphnet.
Updated Risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Original Risk statement: Low
Current Risk Statement: Low
Data recipient’s acceptance statement
The ICB and Graphnet have reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 4 agreement nonconformities, 4 opportunities for improvement and 4 points for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | The terms and conditions of the DSFC and DSA did not flow down into the data processing agreement. | Operational Management | The data processing agreement (DPA) in place between the ICB and Graphnet has been updated and now references the current DSA. It was signed by both parties in May 2023. A copy of this document was provided to the Audit Team. | Agreement nonconformity | Closed |
2 | The ICB had not made Graphnet aware of the obligations in the DSA and DSFC. | Operational Management | The DSA is now referenced in the DPA, which has been signed off by Graphnet. The ICB should ensure that they share the current version of the DSFC and DSA with Graphnet. | Agreement nonconformity | Closed |
3 | In relation to processing by Graphnet on behalf of the ICB, Graphnet stated that it did not back up data but reasonably relied on replication across multiple sites in order to maintain availability. The DSFC requires a backup copy of the source data to be kept, not least since NHS England may not be in a position to resupply the data. | Access Control | Graphnet have put backups in place for the raw data. A procedure was provided to the Audit Team which outlines the process to back up the data provided by the Secondary Uses Service (SUS). | Agreement nonconformity | Closed |
4 | In relation to processing by Graphnet on behalf of the ICB, the following issues were noted regarding account management: As the user has legitimate access to the data, this finding is focused on the organisation's housekeeping of accounts/groups. | Access Control | Graphnet have reviewed the user accounts and security groups and resolved these issues. Evidence was provided to show that the account was removed and the security groups were updated. | Agreement nonconformity | Closed |
5 | The ICB should remind dashboard users that access is only allowed within England and Wales, as stated in the territory of use. | Operational Management | A statement has been added to the dashboard and to reports to advise users that data can only be viewed in England and Wales under the terms of the agreement. Evidence was provided to the Audit Team to show this in operation. | Opportunity for improvement | Closed |
6 | Although the ICB has a Cheshire and Merseyside Population Health Programme Record of Processing Activity (ROPA), the Audit Team advise that improvements could be made to bring it in line with Information Commissioner’s Office (ICO) requirements. | Operational Management | The ICB have updated the ROPA, and a copy was provided to the Audit Team. | Opportunity for improvement | Closed |
7 | The ICB should ensure that Processors are aware of the copyright requirements outlined in the DSFC. | Use and Benefits | A copyright statement has now been added to the dashboards and reports. | Opportunity for improvement | Closed |
8 | In relation to processing by Graphnet on behalf of the ICB, Graphnet should consider changing the period for reviewing administrator accounts from 12 months, as stated in the Graphnet Access Control Policy, to every 6 months. | Operational Management | Graphnet have updated their Access Control Policy to ensure administrator accounts are reviewed every 6 months. A copy of the policy and evidence to show that the 6-monthly account review has been performed were provided to the Audit Team. | Opportunity for improvement | Closed |
9 | At the post audit review, the Audit Team will follow up with the ICB on the progress of the Data Protection Impact Assessment (DPIA). | Operational Management | The DPIA has been completed and a copy was provided to the Audit Team. | Follow-up | Closed |
10 | At the post audit review, the Audit Team will follow up with the ICB on the statement in the application regarding the direct care re-identification tool that is expected to be developed by the DSCRO. | Operational Management | The DSCRO will develop an application programming interface to securely implement a solution for re-identification. | Follow-up | Closed |
11 | At the post audit review, the Audit Team will follow up with Graphnet regarding the progress on the specialist training for the Information Asset Owner and Information Asset Administrator. | Operational Management | Graphnet has provided evidence to the Audit Team showing that Information Asset Owner and Information Asset Administrator training was undertaken by the relevant staff in June 2023. | Follow-up | Closed |
12 | At the post audit review, the Audit Team will follow up with Graphnet on the work to further enhance its security posture in Defender for Cloud, and the actions taken to address the 2 medium level recommendations identified on Microsoft Azure. | Access Control | Graphnet have provided evidence to the Audit Team to show that the 2 medium level recommendations have been assessed and mitigation applied where appropriate. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 7 June 2024 4:08 pm