HSCIC Audit of Data Sharing Activities:

Similar documents
HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities:

NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department

SERVICE EQUIPMENT DISPOSAL POLICY

DATA QUALITY POLICY. Version: 1.2. Management and Caldicott Committee. Date approved: 02 February Governance Lead

Information Governance Clauses Clinical and Non Clinical Contracts

Heart of England NHS Foundation Trust

Information Asset Management Procedure

Humber Information Sharing Charter

Humber Information Sharing Charter

Information Governance Assurance Framework

Information Governance Policy and Management Framework

NHS SOUTH DEVON AND TORBAY CLINICAL COMMISSIONING GROUP INFORMATION LIFECYCLE MANAGEMENT POLICY

Information Governance Strategic Management Framework

PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers

INFORMATION GOVERNANCE STRATEGY. Documentation control

Information Governance Management Framework

INFORMATION GOVERNANCE STRATEGY IMPLEMENTATION PLAN

Information Governance Strategy and Management Framework

INFORMATION GOVERNANCE ASSURANCE FRAMEWORK

A Guide to Clinical Coding Audit Best Practice Version 8.0

Information Sharing Policy

Information Governance Policy

Information Governance Management Framework Version 6 December 2017

Data Quality Policy

Information Governance Policy

Information Governance Policy

Burton Hospitals NHS Foundation Trust. On: 22 January Review Date: December Corporate / Directorate. Department Responsible for Review:

IG01 Information Governance Management Framework

NHS Digital Post Audit Review of Data Sharing Activities: University College London

Information Security Risk Management Programme and Strategy

The review demonstrated that the Trust has taken appropriate steps and put plans in place to address the requirements of the Undertaking.

United Lincolnshire Hospitals NHS Trust. Governance Statement 2015/16. Scope of responsibility. The governance framework of the organisation

Standard Operating Procedure 3 (SOP 3) Identity Management

The Royal Wolverhampton NHS Trust

INFORMATION GOVERNANCE POLICY

Risk Management and Assurance Strategy

An Information Governance Guide for Clinical Audit

White paper Audits in automated production

Information Governance Policy

Position Description. Senior Systems Administrator. Purpose and Scope

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2015

IGPr002 - Information Governance Management Framework

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

Minor adjustments from IG Steering Group 0.3 Neil Taylor September 2013

Initiative: Information Governance Management

NHS Sunderland Clinical Commissioning Group. Information Governance Strategy 2016/17

Doncaster Council Data Quality Strategy

Safeguarding Adults Case File Audit. Policy, Procedure and Practice

External Supplier Control Obligations. Records Management

West Kent Clinical Commissioning Group

Information governance strategy

Information Governance Management Framework

INFORMATION GOVERNANCE STRATEGY AND STRATEGIC VISION

Board Assurance and Escalation Framework

ABL Information Risk Policy

MOBILE AND REMOTE WORKING POLICY

General Data Protection Regulation (GDPR) Readiness

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK

Auditing data protection

Volunteer Services Policy

1.1 Contributes to the Trust s Organisational Development strategy to improve overall organisational performance and effectiveness

DATA PROTECTION POLICY

IT Service Desk Team Leader Apprentice Job Description

Information Asset Management Policy

JOB DESCRIPTION. To be responsible for supervising the day to day operations of the cross site Café Bistro outlets.

Asbestos Management. Final Internal Audit Report 2018/19. Powys Teaching Health Board. NHS Wales Shared Services Partnership

External Supplier Control Obligations. Information Security

NHS BARNSLEY CCG DATA QUALITY POLICY SEPTEMBER 2016

INFORMATION GOVERNANCE POLICY

Control of Internal Auditing

Information Governance User Handbook

Research Study Close-down and Archiving Procedures

Procurement and Asset Management

Internal Audit. Consultants Job Planning. February 2018

CORPORATE REPORT Information governance, technology and systems development strategy 2017/20 JUNE 2017

Identifies the risk management structure, roles, responsibilities and authority of staff, committees and groups with responsibility for risk

Information Governance Policy

Information Security Policy

Procedure 11 Recruitment and Training

GMS NETWORK PLUS PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. GMS Network Plus

POLICY AND PROCEDURE JOB EVALUATION POLICY

Technology & Telecommunications. Electronic Data Backup Policy

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

TRAINING AND DEVELOPMENT POLICY AND PROCEDURE ISO 9001:2008 Clause 6.2.2

Date: INFORMATION GOVERNANCE POLICY

Agile Working Policy for EMIS Community Health Services

Document Ref: Issue Date: March 2018 Review Date: March 2020 Policy Lead: Stephanie Vasey, Data Governance Manager

INDUCTION POLICY AND PROCEDURE

SCHEDULE 20 SERVICE DOCUMENTATION

Manager On-Call Policy. Manager On-Call. Target Audience. Who Should Read This Policy. Senior Managers Directors. Version 1.

Privacy Impact Assessment. Integrated Personal Commissioning (IPC) Programme

INFORMATION GOVERNANCE POLICY AND FRAMEWORK

Highways Agency Data Protection Audit Report Final

Records Management Plan

INFORMATION GOVERNANCE COMMUNICATION STRATEGY

Job Description. Operations Manager. Scheduled Care. Band 8A. Centre Manager. Centre Manager

Quality Management System. Manual MASTER COPY

The General Data Protection Regulation and associated legislation. Part 1: Guidance for Community Pharmacy. Version 1: 25th March 2018

Data Protection Policy

Transcription:

Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing Activities: Department of Renal Medicine, Derby Hospital NHS Trust

Contents Executive Summary 3 1 About this Document 5 1.1 Introduction 5 1.2 Background 5 1.3 Purpose 5 1.4 Nonconformities and Observations 6 1.5 Audience 6 1.6 Scope 6 1.7 Audit Team 7 2 Audit Findings 8 2.1 Access Controls 8 2.2 Information Transfer 8 2.3 Disposal of Data 9 2.4 Risk Assessment and Treatments 9 2.5 Operational Planning and Control 10 3 Conclusions 11 3.1 Next Steps 12 Page 2 of 12

Executive Summary This document records the key findings of a data sharing audit 1 of the Department of Renal Medicine, Derby Hospital NHS Trust (Derby Hospital) on 2 nd February 2016 against the requirements of the Health and Social Care Information Centre (HSCIC) Data Sharing Agreement MR1176 covering the supply of Office for National Statistics (ONS) data and the associated Data Sharing Framework Contract. This audit used an approved and mature methodology based on ISO 19011:2011 (Guidelines for auditing management systems) and follows the same format for all audits of data sharing agreements conducted by HSCIC. The data is being used to support a 10 year medical research study examining the risk of Kidney Function Decline and Cardiovascular Disease. ONS mortality data is supplied against an original study cohort of 1822 consenting participants. The ONS data, limited to the identified cohort, is used to identify their date and cause of death; records are also updated to ensure that follow up requests are not sent to deceased patients. In total 6 observations were raised: Derby Hospital to ensure that an assessment is conducted prior to any publication to ensure compliance with the Data Sharing Framework Contract and the relevant Data Sharing Agreement, as required in Part 2, paragraph 2.7 of the Data Sharing Framework Contract. (Observation) Saving the ONS data directly into the secure network study folder, rather than into the named individual s secure download network folder and then emailed, would avoid potential risk from these additional transfers. (Observation) The ONS data is not classified as an Information Asset according to Derby Hospital s Information Governance (IG) policies and is therefore not subject to the same IG controls and monitoring as those assets held within its Information Asset Register. As a result, additional risk assessments are not undertaken, certain reports are not produced and the Information Owner is not required to undergo additional training. (Observation) The Derby Hospital Trust Policy and Procedures for Incident Reporting, Analysing, Investigating and Learning document requires review in relation to actions required by the SHA as SHAs are no longer in operation. (Observation) The Renal System Specific Security Policy (SSSP) Risk Assessment does not detail risks as definitively as the Datix Risk tool descriptors. (Observation) 1 An audit is defined by ISO 9000:2014 as a systematic and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled Page 3 of 12

The laptop supplied by Derby University and used by one of the hospital researchers is not subject to the same controls and security protocols of Derby Hospital. Whilst the laptop does not strictly conform to Data Sharing Framework Contract Schedule 2, Section A, Paragraph 4.8, only summary anonymised data is saved and analysed on the university laptop. Any change in data use to include identifiable data, would result in the need to adhere fully to the data security requirements of the Data Sharing Framework Contract and Data Sharing Agreement. (Observation) Areas of Good Practice Positive cultural attitude to hardware disposal, including an additional HP Defective Media Retention agreement which enables Derby Hospital to retain and dispose of hardware held under warranty onsite. In summary, it is the Audit Team s opinion that at the current time and based on evidence presented during the audit, there is minimal risk of inappropriate exposure and / or access to data to be provided by HSCIC to the Derby Hospital under the terms and conditions of the data sharing agreement MR1176 and associated data sharing framework contract signed by both parties. Page 4 of 12

1 About this Document 1.1 Introduction The Health and Social Care Act 2012 contains a provision that health and social care bodies and those providing functions related to the provision of public health services or adult social care in England handle confidential information 2 appropriately. The Review of Data Releases by the NHS Information Centre 3 produced by HSCIC Non-Executive Director Sir Nick Partridge recommended that the HSCIC should implement a robust audit function that will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it. In August 2014, the HSCIC commenced a programme of external audits with organisations with which it holds data sharing agreements. The established audit approach and methodology is using feedback received from the auditees to further improve our own audit function and our internal processes for data dissemination to ensure they remain relevant and well managed. Audit evidence was evaluated against a set of criteria drawn from the HSCIC s Code of Practice on Confidential Information 4, data sharing contract and agreements signed by the relevant contractual parties and the international standard for Information Security, ISO 27001:2013. 1.2 Background The Department of Renal Medicine, part of the Derby Hospitals NHS Trust, is conducting a long-term medical research study examining the risk of Kidney Function Decline and Cardiovascular Disease. ONS mortality data is supplied quarterly against an original study cohort of 1822 consenting participants. The received data is used to identify project participants date and cause of death. Records are also updated to ensure that follow up requests are not sent to deceased patients. 1.3 Purpose This report provides an evaluation of how Derby Hospital conforms to the requirements of data sharing agreements MR1176 covering the supply of ONS data. It also considers whether the Derby Hospital conforms to its own policies and procedures. This report provides a summary of the key findings. 2 Confidential information is defined by the Code of Practice on Confidential Information as data which: Identifies any person Allows the identity of anyone to be discovered, including pseudonymised information Is held under a duty of confidence 3 www.hscic.gov.uk/datareview 4 www.hscic.gov.uk/cop Page 5 of 12

1.4 Nonconformities and Observations Where a requirement of either the data sharing agreement or the audit criteria was not fulfilled, it is classified as a Major Nonconformity or Minor Nonconformity. Potential deficiencies or areas for improvement are classed as Observations. 1.4.1 Major Nonconformity The finding of any of the following would constitute a major nonconformity: the absence of a required process or a procedure; the total breakdown of the implementation of a process or procedure; the execution of an activity which could lead to an undesirable situation; significant loss of management control; or a number of Minor Nonconformities against the same requirement or clause which taken together are, in the Audit Team s considered opinion, suggestive of a significant risk. 1.4.2 Minor Nonconformity The finding of any of the following would constitute a minor nonconformity: an activity or practice that is an isolated deviation from a process or procedure and in the Audit Team s considered opinion is without serious risk; a weakness in the implemented management system which has neither significantly affected the capability of the management system or put the delivery of products or services at risk; or an activity or practice that is ineffective but not likely to be associated with a significant risk. 1.4.3 Observation An observation is a situation where a requirement is not being breached but a possible improvement or deficiency has been identified by the Audit Team. 1.5 Audience This document has been written for the HSCIC Director of Data Dissemination Services. A copy will be made available to the HSCIC Community of Audit Practitioners, Assurance and Risk Committee and the Information Assurance and Cyber Security Committee for governance purposes. The report will be published in a public forum. 1.6 Scope The audit considered the fitness for purpose of the main processes of data handling at Derby Hospital along with its associated documentation. Page 6 of 12

Fundamentally, the audit sought to elicit whether: Derby Hospital is adhering to the standards and principles of the data sharing agreements and audit criteria; and data handling activities within the organisation pose any risk to patient confidentiality or HSCIC. 1.7 Audit Team The Audit Team was comprised of senior certified and experienced ISO 9001:2008 (Quality management systems) and ISO 27001:2013 (Information security management systems) auditors. The audit was conducted in accordance with ISO 19011:2011 (Guidelines for auditing management systems). Page 7 of 12

2 Audit Findings 2.1 Access Controls Operating within the overall hospital network, the Renal Department network is securely located behind the hospital firewall. All computers on the network are expected to comply with the relevant hospital policies, such as virus protection and patch management. Server equipment is housed within the hospital s premises. ONS data is stored in a restricted folder for the Renal Department with access limited to those persons identified in the data sharing agreement. Access requests for the restricted folder and any associated folders are raised by the project administrator via the IT Service Desk. Only persons recognised by the hospital network can access the network folder. Password policies are in place for users and system administrators. Access is immediately revoked upon a member of staff leaving the organisation via an automated HR process. Access lists are reviewed by the project administrator upon any staff changes within the Renal Department; there is no standard policy for regular review of access rights. Building access controls are established and physical access to the Renal Department is limited to authorised employees. Conclusion: Access control within the Hospital seems to be well managed and there appears to be minimal risk of exposure to unauthorised / inappropriate access to data. 2.2 Information Transfer Data provided through the data sharing agreement is made available on the HSCIC file transfer portal. The Lead Contact is responsible for logging onto the portal and downloading the available files. The Lead Contact currently downloads the ONS files to a secure personal network folder and then emails them via nhs.net to a colleague to save into the secure network study folder within the Renal Department s directory structure. The Audit Team suggested that saving the ONS data directly into the study folder would avoid potential risk from these additional transfers. ONS data is then processed in order to transfer the date of and reason for death onto a project participant spreadsheet. Paper copies of ONS data are also printed and held in a locked filing cabinet within a secure area of the Renal Department which can only be accessed by authorised employees. Systems are in place to backup data onto disk and tapes and are detailed in the Backup Service document. Monthly backup tapes are retained for 2 years. Source data would be kept for 7 years after the close of the project in accordance with the research policy. Page 8 of 12

Anonymised data is transferred, via email, to a hospital researcher s laptop for analysis. As this laptop is supplied by Derby University, it is not subject to the same controls and security protocols of Derby Hospital. Whilst the laptop does not strictly conform to Data Sharing Framework Contract Schedule 2, Section A, Paragraph 4.8, only summary anonymised data is saved and analysed on it. Any change in data use to include identifiable data would result in the need to adhere fully to the data security requirements of the Data Sharing Framework Contract and Data Sharing Agreement. A backup of the analysis is saved by the researcher to an encrypted USB stick. The results of the analysis are reported in medical research papers. One related journal article has been published and it should be noted that this date was prior to signature of the Data Sharing Framework contract. Therefore under NHS IC MR1176 there was no requirement to reference the HSCIC within the publication. The publication did however acknowledge receipt of ONS data from the HSCIC. Derby Hospital is to ensure that an assessment is conducted prior to any publication to ensure compliance with the Data Sharing Framework Contract and the relevant Data Sharing Agreement, as required in Part 2, paragraph 2.7 of the Data Sharing Framework Contract. Conclusion: As no HSCIC sensitive data is transferred or stored outside of Derby Hospital there is minimal risk of inappropriate availability to data. 2.3 Disposal of Data A 3 rd party recycling company is engaged by a purchase order to safely dispose of all computer assets including backup tapes. Assets holding data are held in a secure location whilst awaiting disposal. PC, server hard disks and backup tapes are removed and destroyed onsite by the 3 rd party company for which destruction certificates are supplied. Equipment assets under warranty are covered by an additional HP Defective Media Retention agreement, under which all hard disks are retained by the Hospital rather than returned to HP. These disks are processed by the hospital in the same manner as described above. Confidential paper waste is collected and incinerated by a trust contracted provider. Conclusion: Data assets are securely disposed through a suitable third party. Assets that cannot be wiped and reused are destroyed onsite. 2.4 Risk Assessment and Treatments Derby Hospital has a comprehensive risk management process. An electronic risk assessment tool, Datix, is utilised by Derby Hospital; incidents are logged onto the tool and a risk criteria completed. High scoring risks are escalated to the corporate risk register, which is sub divided to departmental level. Page 9 of 12

Annual System Specific Security Policy (SSSP) risk assessments on asset systems are completed; the Renal SSSP was viewed by the Audit Team. The Renal System SSSP Risk Assessment does not detail risks as definitively as the Datix descriptors, the auditors suggested that the SSAP could be updated to reflect Datix. A risk assessment with regard to ONS data has not been undertaken. Incident Management policies are established, though the Derby Hospital Trust Policy and Procedures for Incident Reporting, Analysing, Investigating and Learning document requires review in relation to actions required by the SHA as SHAs are no longer in operation. Conclusion: Risks and Incidents are managed via established policies. 2.5 Operational Planning and Control All employees are required to undertake annual Information Governance (IG) training and individual access is removed for any employees that do not complete the training within deadlines. New starters also receive IG training as part of their induction. Information assets and IT security are managed via the IG Steering Group. Information Assets and Asset Owners are reviewed annually and appropriate risks are escalated to the Senior Information Risk Owner. Information Asset Owners are required to undertake additional IG training. However, ONS Data is not classified as an Information Asset according to Derby Hospital s IG policies and is therefore not subject to the same IG controls and monitoring as those assets held within its Information Asset Register. Derby Hospital considers systems holding information as an information asset rather than the information itself. As a result, additional risk assessments are not undertaken, certain reports are not produced and the ONS Information Owner is not required to undergo Information Asset Owner training in addition to the mandatory employee IG Training. The auditee stated that the ONS data assets are evaluated and assessed via the Research and Development Department and Medical Research guidelines as part of the overall management of the Medical Research project. The auditee stated that ONS Data is included in data flows for the renal research project however no data flows or asset registers including ONS data were supplied to the Audit Team. Annual IG Toolkit audits are undertaken and Derby Hospital has also participated in a joint NHS Shared Cyber Security Audit, supplied by a private contractor, examining IT Security Systems against HSCIC Test 9 in 2014; this is due to be repeated in 2016. Conclusion: Information assets held within information systems are well governed and managed within an established IG framework. ONS data is not classified as an information asset within Derby Royal Hospitals IG framework and there is a risk that the SIRO would not be aware of any risks associated with this information asset. Page 10 of 12

3 Conclusions Table 1 identifies the observations raised as part of the audit. Ref Comments Section in this Report Designation 1 Derby Hospital to ensure that an assessment is conducted prior to any publication to ensure compliance with the Data Sharing Framework Contract and the relevant Data Sharing Agreement, as required in Part 2, paragraph 2.7 of the Data Sharing Framework Contract. 2 Saving the ONS data directly into the secure study network, rather than into the named individual s secure download network folder and then emailed, would avoid potential risk from these additional transfers. 3 The laptop supplied by Derby University, used by one of the hospital researchers, is not subject to the same controls and security protocols of Derby Hospital. Whilst the laptop does not strictly conform to Data Sharing Framework Contract Schedule 2, Section A, Paragraph 4.8, only summary anonymised data is saved and analysed on the university laptop. Any change in data use to include identifiable data, would result in the need to adhere fully to the data security requirements of the Data Sharing Framework Contract and Data Sharing Agreement. 4 The Renal System Specific Security Policy Risk Assessment does not detail risks as definitively as the Datix Risk tool descriptors. 5 The Derby Hospital Trust Policy and Procedures for Incident Reporting, Analysing, Investigating and Learning document requires review in relation to actions required by the SHA as SHAs are no longer in operation. 6 The ONS data is not classified as an Information Asset according to Derby Hospital s Information Governance (IG) policies and is therefore not subject to the same IG controls and monitoring as those assets held within its Information Asset Register. As a result, additional risk assessments are not undertaken, certain reports are not produced and the Information Owner is not required to undergo additional training. 2.2 Observation 2.2 Observation 2.2 Observation 2.4 Observation 2.4 Observation 2.5 Observation Table 1: Observations Page 11 of 12

3.1 Next Steps Derby Hospital is required to review and respond to this report, providing corrective action plans and details of the parties responsible for each action and the timeline (based on priority and practicalities for incorporation into existing workload). As per agreement, review of the management response may be discussed by the Audit Team and validated at a follow-up meeting with Derby Hospital. Page 12 of 12

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback