NHS Digital Audit of Data Sharing Activities: London Borough of Enfield Council Public Health


Directorate / Programme: Care Services
Project: Sharing Audits
Status: Approved
Director: Catherine O'Keeffe
Version: 1.0
Owner: Rob Shaw
Version issue date: 04/01/2018

NHS Digital Audit of Sharing Activities: London Borough of Enfield Council Public Health

Copyright 2018 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

1 Audit Summary

1.1 Purpose

This document records the key findings of a data sharing audit at London Borough of Enfield Council Public Health (LBE) on the 28 and 28 November 2017. It provides an evaluation of how LBE conforms to the requirements of the data sharing framework contract (DSFC) CON-387613-L8G0N and the data sharing agreement (DSA) DARS-NIC-35531-X3Y7Q with respect to continuous user access of the Hospital Episode Statistics (HES) Interrogation System (HDIS) for the following assets:

Asset: Admitted Patient Care
Classification of data set: Pseudonymised / anonymised; Non-sensitive
Period: 2006/07 to 2017/18

Asset: Outpatients
Classification of data set: Pseudonymised / anonymised; Non-sensitive
Period: 2006/07 to 2017/18

Asset: Accident and Emergency
Classification of data set: Pseudonymised / anonymised; Non-sensitive
Period: 2006/07 to 2017/18

The report also considers whether LBE conforms to its own policies and procedures. This is an exception report based on the criteria expressed in the NHS Digital Audit Guide.

1.2 Scope and Assurance Statement

The audit considered the fitness for purpose of the main processes with respect to data handling at LBE, along with its associated documentation, against the scope areas shown in Table 1. The NHS Digital Audit Team has assigned the following assurance ratings to these areas based upon the findings of the audit. No rating has been assigned to Information Transfer and Use and Benefits as the source data has not been accessed and the current HDIS agreement does not allow records to be downloaded. The proposed use of the data as discussed during the audit nevertheless concurred with the objectives presented in the DSA.

Table 1: Scope and Assurance rating (only partly recoverable from the extracted text; the surviving entries are listed below)
Area: Risk and Control
Ratings recorded: Moderate assurance; Moderate assurance; Limited assurance; Unsatisfactory assurance

Detailed findings related to the areas of scope are detailed in Table 2.

1.3 Overall Risk Statement

It is the Audit Team's opinion that, based on evidence presented during the audit and the type of data being shared, there is a high risk of a breach of information security, duties of care, confidentiality or integrity (including inappropriate access to or loss of data) provided by NHS Digital to LBE under the terms and conditions of the data sharing agreements signed by both parties.

1.4 Response

LBE has reviewed this report and confirmed that it is accurate. LBE will establish a corrective action plan to address each finding shown in Table 2. NHS Digital will validate this plan and the resultant actions at a post-audit review with LBE to confirm the findings have been satisfactorily addressed.

2 Findings

Table 2 identifies the one major nonconformity, six minor nonconformities and six observations raised as part of the audit. In addressing a finding the data recipient must take account of any referenced supplementary notes.

Table 2 (columns in the original: Ref, Comments, Link to, Area, Clause, Designation, Notes)

Ref 1
Comments: Papers that contained personal identifiable information, and one with personal sensitive information, were found by the Audit Team in unlocked waste disposal containers located within the goods-in area of the Council building. There was no evidence of this information being lost or used inappropriately, but storage protocols were not being followed. It was noted by LBE that some of the material may have emanated from another company located in the building.
Link to / Area / Clause: LBE - Corporate Records Policy, Section 11 (Appendix 4); A, clause 4.9
Designation: Major
Notes: LBE immediately raised a security incident and is expected to investigate and report accordingly.

Ref 2
Comments: Reviews of user folder permissions and domain administrator accounts are not being undertaken on a regular basis to ensure that they remain valid.
Link to / Area / Clause: A, clause 1.2 and 4.1

Ref 3
Comments: Whilst a refresh of the Council's policies and procedures is currently being undertaken as part of its General Data Protection Regulation (GDPR) readiness, along with preparations for roll-out to staff, existing documents have not been reviewed for some years. As a result, some of the practices witnessed on site did not conform to existing documents.
Link to / Area / Clause: A, clause 3

Ref 4
Comments: The retention of faulty or end-of-life hardware prior to destruction by the third-party destruction company does not meet the requirements of NHS Digital's guidance.
Link to / Area / Clause: A, clause 4.10
Notes: see Supplementary Note 1

Ref 5
Comments: LBE does not currently have a Public Service Network (PSN) connection compliance certificate due to the number of recorded internal vulnerabilities. The Council does, however, have an active resolution process and is keeping PSN informed of progress.
Link to / Area / Clause: A, clause 1.1

Ref 6
Comments: No Privacy Impact Assessments (PIA) for NHS Digital supplied data have been undertaken, though PIAs should have been completed from 2016. PIAs will be undertaken under the new GDPR requirements.
Link to / Area / Clause: Risk; LBE, Privacy Impact Assessment (template)

Ref 7
Comments: The Public Health team is recording risk in a manner that is not compliant with the corporate definition. The team is, however, expecting to move its risks to the corporate risk management tool, which will ensure future consistency. Risk management is currently being improved within the Council as a whole and a new Risk Manager has been appointed.
Link to / Area / Clause: Risk; LBE, Risk Strategy

Ref 8
Comments: LBE should review whether access to sensitive folders should be approved by the requestor's manager (which is the current approach) or by the Information Asset Owner (IAO), who may be more aware of any contractual restrictions.

Ref 9
Comments: Whilst equipment being sent for destruction is recorded and the third party provides a certificate of destruction, LBE does not reconcile the two lists to ensure they are consistent.

Ref 10
Comments: The Audit Team recommends that a representative of the Council visits the third-party destruction company to ensure that equipment is being destroyed in an acceptable manner.

Ref 11
Comments: There is no central Information Asset Register (IAR) at the moment, though LBE reported it is working towards one as part of its GDPR preparations.

Ref 12
Comments: No specialist training is currently being provided for Information Asset Owners, though plans are underway for such training as part of the GDPR roll-out.

Ref 13
Comments: LBE should ensure that any new system that will hold NHS Digital data conforms to the full requirements of the existing and new contracts/agreements and relevant guidelines to maximise return.

Table 2: Nonconformities and Observations

2.1 Supplementary Notes

The following notes refer back to Table 2 and provide additional commentary on the linked finding.

Note 1. Currently, all equipment marked for destruction is held in a locked steel container in an unsecured area. The Council does not currently hold any NHS Digital data, and the Public Health team use laptops which are encrypted using BitLocker. It was suggested by the Audit Team that hard discs are removed from devices awaiting destruction and held separately in a secure environment.

2.2 Location

LBE confirmed that processing and storage of the data, including disaster recovery and backups, will be limited to the location shown in Table 3. This location conforms with the locality defined in clause 2c of the DSA.

Location: England
Table 3: Location

2.3 Backup Retention

The duration for which data may be retained on backup media is shown in Table 4.

Backup retention: No data has been downloaded at present
Table 4: Retention Period

2.4 Good Practice

In addition to the findings presented in Table 2, the Audit Team noted the following area of good practice: LBE is making good progress in re-structuring and updating its ICT infrastructure following the transfer of ICT services from the service provider to an in-house team.

2.5 Disclaimer

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.