NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department

Transcription

1 Directorate / Programme Care Services Project Data Sharing Audits Status Approved Director Catherine O Keeffe Version 1.0 Owner Sean Walsh Version issue date 13/10/2017 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department Copyright 2017 Health and Social Care Information Centre Page 1 of 6 The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department v1.0 Approved 13/10/ Audit Summary 1.1 Purpose This document records the key findings of a data sharing audit at Derby Teaching Hospitals NHS Foundation Trust (DTHFT) - Renal Department on 4 and 5 September It provides an evaluation of how DTHFT conforms to the requirements of the data sharing framework contract (DSFC) CON H5X7Z and the data sharing agreement (DSA) NIC X6Y6N with respect to the provision of: Extract Type Dataset Identifiability and Sensitivity Periods Hospital Episode Statistics (HES) Data Interrogation System (HDIS) system access All HES datasets Pseudonymised, anonymised and nonsensitive HES datasets from 1989 to 2017 It should be noted that data accessed through the HDIS system is pseudonymised, nonsensitive and record level. Data extracted from HDIS is limited to aggregate data only. The report also considers whether DTHFT conforms to its own policies and procedures. This is an exception report based on the criteria expressed in the NHS Digital Audit Guide. 1.2 Scope and Assurance Statement The audit considered the fitness for purpose of the main processes with respect to data handling at DTHFT along with its associated documentation against the scope areas shown in Table 1. Whilst DTHFT identified intended uses for the data as stated within the DSA, DTHFT have no outputs to show against the current DSA, which commenced on 1 July However the Audit Team was shown reports that were produced prior to 1 July 2017 using data provided under the previous DSA. Therefore, Data Use and Benefits is assessed using outputs from the previous DSA. The NHS Digital Audit Team has assigned the following assurance ratings to these areas based upon the findings of the audit. Information Transfer Data Use and Benefits Risk Management Operational Management and Control Data Destruction Limited assurance Substantial assurance Table 1: Scope and Assurance rating Detailed findings related to the areas of scope are detailed in Table 2. Copyright 2017 Health and Social Care Information Centre Page 2 of 6

3 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department v1.0 Approved 13/10/ Overall Risk Statement It is the Audit Team s opinion that based on evidence presented during the audit and the type of data being shared, there is medium risk of a breach of information security, duties of care, confidentiality or integrity (including inappropriate access to or loss of data) provided by NHS Digital to DTHFT under the terms and conditions of the data sharing agreements signed by both parties. 1.4 Response DTHFT has reviewed this report and confirmed that it is accurate. DTHFT will establish a corrective action plan to address each finding shown in Table 2. NHS Digital will validate this plan and the resultant actions at a post audit review with DTHFT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further nonconformities/observations. Copyright 2017 Health and Social Care Information Centre Page 3 of 6

4 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department v1.0 Approved 13/10/ Findings Table 2 identifies one major nonconformity, three minor nonconformities, seven observations and one item for follow up were raised as part of the audit. In addressing a finding the data recipient must take account of any referenced supplementary notes. Ref Comments Link to Area Clause Designation Notes 1. The Audit Team identified weaknesses in certain physical access controls where NHS Digital data is held. DSFC, Schedule 2, Section A, Clause Access controls are not suitably reflected in Active Directory group policies. DSFC, Schedule 2, Section A, Clause User accounts with privilege access are not reviewed on a quarterly basis as required by the IT Security Policy. There is also no monitoring of these accounts even though the data is logged. 4. The Audit Team checked a sample of machines to ensure that Microsoft Windows patches and antivirus definition files were up to date, in line with the DSFC. The Audit Team identified one laptop in the sample, which had not received windows security updates since January This omission is being investigated by the Trust IT Team. It should be noted that this laptop was not being used to download or access NHS Digital data. 5. The Audit Team was informed that DTHFT intended to analyse the NHS Digital data on a personal laptop (Apple Mac) using SPSS statistics software installed on that device. The Trust s Bring Your Own Device (BYOD) policy does not support non-trust laptops. It should be noted that DTHFT confirmed that no data had been stored on this laptop provided under this DSA. IT Security policy, Section 5.2 DSFC, Schedule 2, Section A, Clause 1.1 Major Minor Minor Minor Copyright 2017 Health and Social Care Information Centre Page 4 of 6

5 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department v1.0 Approved 13/10/2017 Ref Comments Link to Area Clause Designation Notes 6. Advice should be sought from the Data Access Request Service (DARS) team prior to deletion of NHS Digital data, to ensure compliance with DARS guidance on data destruction. Data Destruction DSFC, Schedule 2, Section B, 5.5 The Audit Team noted that backup tapes are held indefinitely. This will not meet NHS Digital s requirement for permanent data destruction, as a footprint of the data will always to available even though data on the network file storage has been deleted. Again, advice should be sought from the DARS team on the way forward. 7. The Trust has a process for pushing out software patches and for hardware disposal however these processes have not been documented. 8. Additional access controls could be implemented on the desktop PC used to download and access NHS Digital data. 9. The IG team maintain an Information Asset Register (IAR) that includes systems and processes however it does not capture dataset assets. The Audit Team suggested that an additional sheet is added to the IAR which includes datasets received from NHS Digital. Recording of NHS Digital datasets could also be used as a trigger for a Privacy Impact Assessment (PIA) and risk assessment to be completed. Operational Management The PIA process is being further developed to ensure compliance with the General Data Protection Regulation (GDPR). Additional guidance on the IAR can be found on the IGT requirement The serial numbers of Hard Disk Drives (HDD) are not logged prior to disposal. As a result, there is no reconciliation between the serial numbers of HDDs and the third-party contractor s data destruction certificates in order to account for all the devices. It should be noted that the destruction of HDDs takes place onsite. Data Destruction 11. A checklist should be developed to review compliance with the DSA and DSFC prior to publication of a paper in the public domain. Operational Management 12. The Audit Team is to review the following evidence at the post audit review: USB asset register and future internal audit schedule. Operational Management Follow Up Table 2: Nonconformities, s and Point for follow-up Copyright 2017 Health and Social Care Information Centre Page 5 of 6

6 NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department v1.0 Approved 13/10/ Supplementary Notes None 2.2 Data Location DTHFT confirmed that processing and storage, including disaster recovery and backups, of the data was limited to the location shown in Table 3. Data Location England 2.3 Backup Retention Table 3: Data Location The duration for which data may be retained on backup media is shown in Table Good Practice Backup retention Indefinite (see finding 6 in Table 2) Table 4: Data Retention Period In addition to the findings presented in Table 2 the Audit Team noted the following areas of good practice: The Project Lead was able to explain the direct benefits to health and social care from the use of NHS Digital data. It should be noted that a number of reports were shown to the Audit Team, which were produced using HES data provided under a previous DSA. The current DSA had only been in place since 1 July 2017 and no finalised output had been produced at the time of the onsite audit. 2.5 Disclaimer NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report. Copyright 2017 Health and Social Care Information Centre Page 6 of 6