NHS England Post Audit Review: Institute of Occupational Medicine
This report provides the formal closure of the remote data sharing audit of the Institute of Occupational Medicine (IOM) in August 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the Institute of Occupational Medicine (IOM) in August 2023 against the requirements of:
- the data sharing framework contracts (DSFC):
  - CON-321875-F9Z2M-v2.02 – HSE
  - CON-306818-J4Y5L-v2.02 – IOM
- the data sharing agreement (DSA) DARS-NIC-169971-Z9M1C-v0.31
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period
---|---|---
Demographics | Non-sensitive | Latest available
Civil Registrations of Death | Sensitive | Latest available
Cancer Registration Data | Sensitive | Latest available
The Controllers are Health and Safety Executive (HSE) and IOM and the Processor is IOM. Box.com (UK) Ltd (Box) are also declared as a processor as they are the provider of cloud storage for the data. Amazon Web Services (AWS) did not have access to the data and was included as the storage and processing location as they provide server hosting services to Box.
The Audit Team were informed that the IOM have changed their service provider from Box to Microsoft SharePoint. This report provides assurance on the findings raised for the Box storage service that was in place until December 2023. No testing has been performed on the controls in place on Microsoft SharePoint. The action taken by the IOM against findings 4 and 16 relates to Box, as this was the storage provider in place when the original findings were raised.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment, supported by video calls, of the action plan and supporting evidence supplied by the IOM between February and May 2024.
Post Audit Review Outcome
Based on the evidence, the Audit Team has found that the IOM has not suitably addressed all the findings. 1 observation remains open. The open finding has now been handed over to the representative of the Senior Information Risk Owner (SIRO) in the IG Risk and Assurance team at NHS England to progress as appropriate with the IOM.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: High
Current Risk Statement: Low
Data recipient’s acceptance statement
The IOM has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 6 agreement nonconformities, 3 organisation nonconformities, 6 observations, 9 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status
---|---|---|---|---|---
1 | Backups are not taken of data, but reasonably rely on replication across a secondary site in order to maintain availability. The DSFC requires a backup copy of the source data to be kept, as NHS England may not be in a position to resupply the data. | Access Control | An encrypted backup of the data has been taken and stored in a different storage platform. A procedure has been written to support this backup process which will take place upon receipt of a new version of the data. The Audit Team viewed the backup and the procedure. | Agreement nonconformity | Closed
2 | The IOM Information Asset Register (IAR) does not include an entry for the data supplied under the DSA as required by the DSFC. | Information Transfer | The IAR now contains an entry for the data and a copy was provided to the Audit Team for review. | Agreement nonconformity | Closed
3 | A DPIA screening questionnaire has not been completed for the study utilising the data supplied under the DSA. | Operational Management | DPIA screening was completed and the outcome recorded in the IAR. | Agreement nonconformity | Closed
4 | The permissions assigned to the research staff accounts allowed them to invite other individuals to access the cloud storage folder where data supplied by NHS England was held. Permissions to add users to the folder must be limited to the administrator of the cloud storage facility. | Access Control | The permissions were updated to restrict invitation to the administrator only. Evidence was provided to the Audit Team to show that this had been implemented on the cloud storage folder. The Audit Team were informed that the IOM have migrated the data from Box to Microsoft SharePoint in December 2023. | Agreement nonconformity | Closed
5 | Although the IOM has recorded information security risks in a risk register, there is no documented formal risk management methodology, including a risk scoring matrix and risk appetite statement to support the risk management process. | Risk Management | A risk management policy has now been documented. A copy was provided to the Audit Team. | Agreement nonconformity | Closed
6 | The IOM has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. | Operational Management | The IOM have reviewed Article 30 of the General Data Protection Regulation and ensured information required has been captured in their IAR. A copy of the IAR was provided to the Audit Team and contained the minimum requirements of both the IAR and the ROPA as recommended by the ICO. | Agreement nonconformity | Closed
7 | Some entries in the IAR had classifications which do not exist in the IOM Information Classification Policy v3. The policy should be updated to include all classifications. | Operational Management | The entries in the IAR have been reviewed by the Audit Team who have confirmed that they reflect the classifications in this policy. | Organisation nonconformity | Closed
8 | The Information Security Incident Report log did not include breaches which had taken place after 2019. | Operational Management | The log has been updated and a copy was provided to the Audit Team for review. | Organisation nonconformity | Closed
9 | The Information Governance (IG) Internal Audit has not been scheduled for the study as required by the IOM IG policy. | Operational Management | The IG audit was completed for this study in November 2023. A copy of the audit report was provided to the Audit Team for review. | Organisation nonconformity | Closed
10 | The Audit Team identified 2 potential touchpoints of the data that were unknown to the organisation: | Data Destruction | A procedure has been documented for downloading the data from SEFT, which specifies that the download folder should be deleted once the data is transferred to the research folder. A copy of the procedure was provided to the Audit Team. | Observation | Closed
11 | Although staff have been informed that study data should not be saved on unencrypted USB drives, there are no technical controls in place to prevent them from doing so. Whilst a risk has been identified regarding the use of portable storage media, there is no information as to how mitigation of “inadequate security measures” has been considered and applied or acceptance of this risk. | Access Control | The IOM are proposing to implement security policies to block the use of unencrypted USB devices. The Audit Team were informed that the date for completion of this is December 2024. | Observation | Open
12 | The IOM should remind users that they are only allowed to access the data within the UK. This is defined in the DSA as the territory of use. | Access Control | The IOM have emailed researchers to remind them that the data can only be accessed within the UK. A copy of the email was provided to the Audit Team. | Observation | Closed
13 | The IOM should remind users that they are only allowed to access the data from devices issued by their organisation. | Access Control | The IOM have emailed researchers to remind them that the data can only be accessed from devices issued by the IOM. A copy of the email was provided to the Audit Team. | Observation | Closed
14 | Whilst equipment being sent for destruction is recorded and the third-party provides an itemised certificate of destruction, the two lists are not reconciled to ensure the assets have been disposed of as required. | Data Destruction | The Disposal policy has been updated to include a process to reconcile assets sent for disposal with the certificate received from the supplier. A copy of the policy was provided to the Audit Team. | Observation | Closed
15 | On review of the IAR, the Audit Team noted that assets that no longer existed had not been removed from it or marked as deleted. | Operational Management | The deleted assets have been removed from the IAR. | Observation | Closed
16 | The IOM should consider reducing the expiration time for external collaborator accounts from 365 days to ensure folder owners are prompted to review their access on a quarterly basis. | Access Control | The expiration time was reduced to 90 days. The Audit Team was provided with evidence to show that the change was implemented on the cloud storage folder for the study. The Audit Team were informed that the IOM have migrated the data from Box to Microsoft SharePoint in December 2023. | Opportunity for improvement | Closed
17 | The use of the generic administration account in place for the administration of cloud storage should be documented to record who can use it, how it can be audited, and any contingency should the staff member that uses it not be available. | Access Control | The IOM advised that the relevant policy will be reviewed and updated in the annual policy review to take place in July 2024. | Opportunity for improvement | Closed
18 | The IOM should consider providing specialist training. For example, Senior Information Risk Officer (SIRO) and Information Asset Owner (IAO) training. | Operational Management | The IOM have drafted a training framework to capture training requirements for these roles and are considering relevant training. | Opportunity for improvement | Closed
19 | Reviews of dormant Active Directory accounts should be undertaken on a regular basis. | Access Control | The IOM have implemented a monthly check to review dormant accounts. A copy of the service ticket detailing the latest review was provided to the Audit Team. | Opportunity for improvement | Closed
20 | The IOM should consider creating a procedure for downloading data from Secure Electronic File Transfer (SEFT) to ensure it is conducted securely. | Information Transfer | A procedure has been documented for downloading the data from SEFT. A copy of the procedure was provided to the Audit Team. | Opportunity for improvement | Closed
21 | The IOM should consider updating data retention guidelines to reflect or make reference to the requirements for deletion on expiry or termination of a DSA. | Operational Management | The IOM have updated the relevant policy to reference the requirements. A copy of the policy was provided to the Audit Team. | Opportunity for improvement | Closed
22 | The IOM should consider updating the security policy to reflect who to report to in NHS England if there is a data breach concerning data provided under a DSA. | Access Control | The IOM advised that the relevant policy will be reviewed and updated in the annual policy review to take place in July 2024. | Opportunity for improvement | Closed
23 | The IOM should consider conducting an internal audit to ensure that the requirements of key relevant policies and procedures are being adhered to. | Operational Management | The IOM informed the Audit Team that an audit has been scheduled for September 2024. | Opportunity for improvement | Closed
24 | Procedures should be developed, or existing documentation updated, to include electronic destruction using the deletion tool (for example, confirmation of the number of passes) and completion of the NHS England certificate of destruction. | Data Destruction | A procedure has been documented to support the destruction of data using the deletion tool. A copy of the procedure was provided to the Audit Team. | Opportunity for improvement | Closed
25 | At the post audit review, the Audit Team will confirm all identifiers provided by NHS England have been destroyed if the data matching is completed. | Data Destruction | The IOM have renewed the DSA for these datasets, so will retain the identifiers to perform data matching for the duration of the agreement. | Follow-up | Closed
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 30 August 2024 3:06 pm