NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department


Directorate / Programme: Care Services
Project: Data Sharing Audits
Status: Approved
Director: Catherine O'Keeffe
Version: 1.0
Owner: Sean Walsh
Version issue date: 13/10/2017

Copyright 2017 Health and Social Care Information Centre

The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

1 Audit Summary

1.1 Purpose

This document records the key findings of a data sharing audit at Derby Teaching Hospitals NHS Foundation Trust (DTHFT) - Renal Department on 4 and 5 September 2017. It provides an evaluation of how DTHFT conforms to the requirements of the data sharing framework contract (DSFC) CON-308529-H5X7Z and the data sharing agreement (DSA) NIC-11221-X6Y6N with respect to the provision of:

Extract Type: Hospital Episode Statistics (HES) Data Interrogation System (HDIS) system access
Dataset: All HES datasets
Identifiability and Sensitivity: Pseudonymised, anonymised and nonsensitive
Periods: HES datasets from 1989 to 2017

It should be noted that data accessed through the HDIS system is pseudonymised, nonsensitive and record level. Data extracted from HDIS is limited to aggregate data only.

The report also considers whether DTHFT conforms to its own policies and procedures.

This is an exception report based on the criteria expressed in the NHS Digital Audit Guide.

1.2 Scope and Assurance Statement

The audit considered the fitness for purpose of the main processes with respect to data handling at DTHFT along with its associated documentation against the scope areas shown in Table 1.

Whilst DTHFT identified intended uses for the data as stated within the DSA, DTHFT have no outputs to show against the current DSA, which commenced on 1 July 2017. However, the Audit Team was shown reports that were produced prior to 1 July 2017 using data provided under the previous DSA. Therefore, Data Use and Benefits is assessed using outputs from the previous DSA.

The NHS Digital Audit Team has assigned the following assurance ratings to these areas based upon the findings of the audit.

Scope areas: Information Transfer; Data Use and Benefits; Risk Management; Operational Management and Control; Data Destruction
Assurance ratings: Limited assurance; Substantial assurance

Table 1: Scope and Assurance rating

Detailed findings related to the areas of scope are detailed in Table 2.

1.3 Overall Risk Statement

It is the Audit Team's opinion that based on evidence presented during the audit and the type of data being shared, there is medium risk of a breach of information security, duties of care, confidentiality or integrity (including inappropriate access to or loss of data) provided by NHS Digital to DTHFT under the terms and conditions of the data sharing agreements signed by both parties.

1.4 Response

DTHFT has reviewed this report and confirmed that it is accurate.

DTHFT will establish a corrective action plan to address each finding shown in Table 2. NHS Digital will validate this plan and the resultant actions at a post audit review with DTHFT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further nonconformities/observations.

2 Findings

Table 2 identifies the one major nonconformity, three minor nonconformities, seven observations and one item for follow up that were raised as part of the audit. In addressing a finding the data recipient must take account of any referenced supplementary notes.

Ref 1. The Audit Team identified weaknesses in certain physical access controls where NHS Digital data is held.
Clause: DSFC, Schedule 2, Section A, Clause 4.9
Designation: Major

Ref 2. Access controls are not suitably reflected in Active Directory group policies.
Clause: DSFC, Schedule 2, Section A, Clause 4.2
Designation: Minor

Ref 3. User accounts with privilege access are not reviewed on a quarterly basis as required by the IT Security Policy. There is also no monitoring of these accounts even though the data is logged.
Clause: IT Security policy, Section 5.2
Designation: Minor

Ref 4. The Audit Team checked a sample of machines to ensure that Microsoft Windows patches and antivirus definition files were up to date, in line with the DSFC. The Audit Team identified one laptop in the sample, which had not received Windows security updates since January 2016. This omission is being investigated by the Trust IT Team. It should be noted that this laptop was not being used to download or access NHS Digital data.
Clause: DSFC, Schedule 2, Section A, Clause 1.1
Designation: Minor

Ref 5. The Audit Team was informed that DTHFT intended to analyse the NHS Digital data on a personal laptop (Apple Mac) using SPSS statistics software installed on that device. The Trust's Bring Your Own Device (BYOD) policy does not support non-trust laptops. It should be noted that DTHFT confirmed that no data had been stored on this laptop provided under this DSA.

Ref 6. Advice should be sought from the Data Access Request Service (DARS) team prior to deletion of NHS Digital data, to ensure compliance with DARS guidance on data destruction. The Audit Team noted that backup tapes are held indefinitely. This will not meet NHS Digital's requirement for permanent data destruction, as a footprint of the data will always be available even though data on the network file storage has been deleted. Again, advice should be sought from the DARS team on the way forward.
Link to Area: Data Destruction
Clause: DSFC, Schedule 2, Section B, 5.5

Ref 7. The Trust has a process for pushing out software patches and for hardware disposal; however, these processes have not been documented.

Ref 8. Additional access controls could be implemented on the desktop PC used to download and access NHS Digital data.

Ref 9. The IG team maintain an Information Asset Register (IAR) that includes systems and processes; however, it does not capture dataset assets. The Audit Team suggested that an additional sheet is added to the IAR which includes datasets received from NHS Digital. Recording of NHS Digital datasets could also be used as a trigger for a Privacy Impact Assessment (PIA) and risk assessment to be completed. The PIA process is being further developed to ensure compliance with the General Data Protection Regulation (GDPR). Additional guidance on the IAR can be found on the IGT requirement 323.
Link to Area: Operational Management

Ref 10. The serial numbers of Hard Disk Drives (HDD) are not logged prior to disposal. As a result, there is no reconciliation between the serial numbers of HDDs and the third-party contractor's data destruction certificates in order to account for all the devices. It should be noted that the destruction of HDDs takes place onsite.
Link to Area: Data Destruction

Ref 11. A checklist should be developed to review compliance with the DSA and DSFC prior to publication of a paper in the public domain.
Link to Area: Operational Management

Ref 12. The Audit Team is to review the following evidence at the post audit review: USB asset register and future internal audit schedule.
Link to Area: Operational Management
Designation: Follow Up

Table 2: Nonconformities, Observations and Point for follow-up

2.1 Supplementary Notes

None

2.2 Data Location

DTHFT confirmed that processing and storage, including disaster recovery and backups, of the data was limited to the location shown in Table 3.

Data Location: England

Table 3: Data Location

2.3 Backup Retention

The duration for which data may be retained on backup media is shown in Table 4.

Backup retention: Indefinite (see finding 6 in Table 2)

Table 4: Data Retention Period

2.4 Good Practice

In addition to the findings presented in Table 2 the Audit Team noted the following areas of good practice:

The Project Lead was able to explain the direct benefits to health and social care from the use of NHS Digital data. It should be noted that a number of reports were shown to the Audit Team, which were produced using HES data provided under a previous DSA. The current DSA had only been in place since 1 July 2017 and no finalised output had been produced at the time of the onsite audit.

2.5 Disclaimer

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.