NHS Digital is an executive non-departmental public body. It is responsible for setting up and operating systems for the collection, analysis, dissemination and publication of information relating to health services and adult social care and for ensuring citizens’ health data is protected.
We develop and operate information and communications systems for health services and adult social care in England and act as the authority for determining and publishing information standards. We are accountable directly to Parliament for the delivery of the statutory functions described within the Health and Social Care Act 2012.
The Senior Departmental Sponsor for the Department of Health and Social Care is responsible for ensuring our procedures operate effectively, efficiently and in the interest of the public and the health sector.
Details of our constitution, our operational accountability, our Board and its appointed committees are provided on pages 110 to 115. Information about the conduct of the Board and the roles and responsibilities of members are set out in our Corporate Governance Manual, which incorporates the Standing Orders, Standing Financial Instructions and the Scheme of Delegation. This is reviewed and updated annually. We comply with the best practice described in the corporate governance code for central government departments issued by HM Treasury.
Corporate policies are reviewed on a regular basis and are refined as appropriate.
Risk and assurance framework
We have reviewed our corporate risk and assurance framework methodology during 2018-19 and made further improvements, which included creating directorate assurance maps and enhancing control and assurance statements. Each directorate completed an annual self-assessment statement that included:
- an acknowledgement of their responsibilities and objectives over the financial year, including new responsibilities and objectives
- a statement that a sound system of internal controls was in place and that these controls had operated as intended
- confirmation of compliance with statutory obligations and organisational policies
- a description of the directorate’s action plans and improvement activity
- a quality assessment of the level of information supplied to allow for effective decision-making
We continue to carry out regular quality assurance checks to ensure that the risk information held is current, accurate and of good quality. We have refined strategic risk reporting to focus on the outcomes of our risk management effort and this work has been reported to the Audit and Risk Committee (ARC), Executive Management Team (EMT) and the Board. The use of risk management performance metrics is starting to drive an overall improvement in risk data quality and risk management behaviours, although further improvements are planned for 2019-20.
Risks are reported regularly and escalated through our internal governance structure, with the top strategic risks and issues ultimately being considered by the Delivery Assurance Board (DAB), EMT, ARC and our Board. During 2018-19, we:
- reviewed our strategic and other key risks, so that they continued to reflect the most significant risks to the delivery of our strategic objectives
- began work to refine the control and assurance framework for our strategic risks
- continued delivery of our targeted risk management improvement plan - this focused on risk maturity, capability and awareness, including improved tools, metrics, reporting and collection methods
- started work to strengthen our governance and accountabilities for managing and reporting risks, to ensure that the most significant risks are escalated appropriately and in a timely manner, to enable effective risk mitigation
- continued to refine the reporting of risks that cross organisational boundaries
- continued development of a set of key risk indicators to provide early warning and triggers for risk interventions
- sought opportunities to leverage the use of risk information in decision-making
We will continue this work in 2019-20, including a review of our strategic risk-appetite model.
Internal audit and other third-party assurance
NHS Digital’s internal audit service is provided by the Government Internal Audit Agency (GIAA). It plays a crucial role in reviewing the effectiveness of management controls, risk management and governance. It focuses audit activity on the key risk areas. This service uses a blend of internal GIAA staff and resources from professional firms. The internal audit service operates in accordance with the Public Sector Internal Audit Standards and to an annual internal audit plan approved by ARC.
Regular reports are submitted on the effectiveness of our systems of internal control and the management of key business risks, with recommendations for improvement by management. The status of audit recommendations is reported to each meeting of ARC, and ARC noted significant progress in implementing these. There were no overdue actions outstanding at the end of the year.
During 2018-19, there were 19 separate audits undertaken across a range of business areas which confirmed our controls were largely operating as intended. GIAA target areas of high risk to ensure they remain controlled and assured.
The following areas were identified for improvement:
- procurement and contract management arrangements for one particular programme of work. This has led to the development of a plan to drive forward improvements to the commercial arrangements across the organisation in 2019-20
- review of Workforce Planning and Transformation: the initial scope of the programme, communications, resource levels, financial oversight and governance required some immediate rectification, which has since been implemented
- internal decision-making arrangements required some refinement. Work during 2019-20 will review our internal governance structure, ensuring all internal boards and committees are aligned
In addition to our internal audit service, we receive other third-party assurances including:
- ISAE3402 assurance reports covering our external payroll and financial services provided by NHS Shared Business Services (SBS) - the financial services report was unqualified - the payroll services report received a qualified opinion - SBS was unable to evidence independent approvals for all checks to manual payroll and recurring calculations, consequently, the report was unable to confirm that all controls as set out by SBS were fully operational - controls within the payroll and e-expenses systems, together with internal NHS Digital processes, contribute to reducing risks arising from the areas of concern
- ISAE3402 assurance reports for the GP Payment Systems we provide to the wider NHS - this received an unqualified assurance
- an external review of our Supplier Audit Management processes - this including two of the biggest suppliers of GP Systems of Choice (GPSoC)
The GPSoC review presented an opportunity to improve our existing processes and practices. It highlighted a number of areas for improvement, including understanding the governance and roles and responsibilities in supplier management and ensuring thorough exit plans are created and adhered to. The actions will be implemented during 2019-20.
We have worked constructively with the National Audit Office. They attend and contribute to all ARC meetings during the year. The work of external audit sits outside our normal governance arrangements but independently informs the suitability and appropriateness of relevant financial and other controls and our governance and risk processes. The work of external audit is monitored by ARC through regular progress reports.
We are responsible for investigating allegations of fraud related to our functions and work.
We have an internally appointed counter-fraud manager who ensures that appropriate anti-fraud arrangements are in place and who undertakes reactive and proactive counter-fraud work. The internal policy on tackling fraud, bribery and corruption is communicated to all staff. The policy and our management statement on corruption is available on our website.
We work closely with a number of bodies including the Department of Health and Social Care Anti-Fraud Unit to establish appropriate and efficient anti-fraud arrangements, and to ensure we comply with the counter fraud functional standard set out by the Cabinet Office. We 119 continue to work jointly with the biennial National Fraud Initiative. Fraud referrals have increased in the year and one investigation resulted in action against an individual. This included seeking an appropriate sanction and redress.
We also hold a quarterly fraud working group chaired by the Chief Finance Officer, which includes key senior internal and external stakeholders. We undertake an annual review of the fraud risk assessment and risk register and hold internal fraud risk workshops with key stakeholders. We continuously review our processes, sample check employee subsistence and travel claims and recover overpayments. We have introduced a data analytics tool to improve compliance checking, detect fraud more effectively, and reduce errors and losses.
Public interest disclosure
NHS Digital was one of the first 100 organisations to sign up to the Protect (formerly Public Concern at Work (PCAW)) Whistleblowing Commission code of practice. We attend an annual networking event to discuss progress in implementing whistleblowing procedures and will continue to improve our policy and practice through engagement with Protect. We have well-established reporting routes and mechanisms to allow staff to raise concerns.
The organisation has appointed one nominated officer at board level to protect and develop whistleblowing arrangements and encourage staff to openly raise concerns. There was one whistleblowing case in the year which was fully investigated and no further action was deemed necessary.
Corporate performance management, including the use of key performance indicators, is linked with business planning and risk management to provide a joined-up view of what we intend to deliver (business planning), what factors could prevent successful delivery and how they can be mitigated (risk management), and how well we are delivering (performance management). The development of our business plan commitments includes assessment of constraints, dependencies and risks, and we track delivery using relevant measures.
Our organisation-wide performance management framework includes periodic reporting at differing levels of granularity in performance packs to the Digital Delivery Board, our Board, the Executive Management Team and other internal business units.
This performance reporting covers:
- financial and non-financial information, key risks and issues, and an assessment of delivery against strategic commitments
- business plan delivery at corporate and directorate levels
- other key work, such as delivery of specific programmes and organisational development and transformation
Our performance framework and individual performance indicators are kept under regular review to ensure they remain meaningful and effective. With the exception of a limited number of confidential indicators, all elements of the performance framework are reported to public meetings of the Board and most of the information is available on our website.
Our performance reporting supports open and transparent governance and helps ensure public accountability. Performance packs and business plan monitoring reports also inform quarterly accountability meetings between the Department of Health and Social Care and ourselves.
Data and cyber security
Our Data Security Centre continues to lead the provision of support to health and care organisations to manage cyber security risk, enabling the safe and secure use of data and technology to deliver improved patient care. We worked with NHS England, NHS Improvement, the Department of Health and Social Care, the National Cyber Security Centre and other partners to strengthen cyber resilience in 2018-19.
We are leading a multi-tiered approach to reduce systemic cyber security risk in the health and social care system. This involves central interventions, such as the Cyber Security Operations Centre (CSOC) as well as local interventions with NHS providers to increase preparedness and reduce vulnerability.
Alongside our system-wide responsibility, we provide consultancy and assurance to systems and services delivered by NHS Digital.
In 2018-19, the Data Security Centre triaged, created and distributed 63% more threat intelligence content than in the previous financial year. There was a 34% decrease in notifications of active infections sent to health and social care organisations.
Our CSOC capability is being developed in collaboration with our strategic partner, IBM. We have significantly improved its service, including onboarding the Incident Response and Intelligence Service, implementing the Vulnerability Management Service (which provides healthcare organisations with access to vulnerability scanning for their external-facing services) and integrating the Bitsight platform (which provides the CSOC with organisational ‘league tables’ based on vulnerability risk profiles).
Supporting local organisations with cyber security
To address critical weaknesses identified at a local level through on-site assessments, the Data Security Centre developed a Cyber Security Support Model. This helps organisations identify issues and provide bespoke advice and support to address vulnerabilities and increase cyber security preparedness in line with national standards. The model is underpinned by a GCHQ-accredited, board-level training offer to ensure leadership buy-in. We also provided a toolkit of communications materials to help organisations raise cyber and data security awareness among their staff.
We have supported the migration to a more resilient and secure operating system and published tailored Windows 10 build toolkits and online training to support NHS trusts in managing their transition. We also enrolled 750,000 devices onto the national end-point detection, threat and vulnerability management tool, which helps identify and monitor emerging threats at a local and national level.
The risks to the health and social care system from cyber attacks are growing and will increase significantly with the adoption of new technologies and services. We will continue to provide guidance, assessments and support to help organisations manage risk effectively, be prepared and be ready to respond.
Data Security and Protection Toolkit (DSPT)
During 2018-19 we developed and launched the DSPT, a replacement for the Information Governance Toolkit. The new resource combines data security and data protection principles. Additional functionality includes:
- the ability to report data security incidents to the Information Commissioner’s Office or the Department of Health and Social Care
- the ability for pharmacy, opticians and social care providers to submit assessments for their sites in bulk
- additional reporting and exporting functionality (including the ability to export an action plan based on an organisation’s assessment)
Over 30,000 health and social care organisations have registered with the toolkit and 26,800 organisations have published an assessment against the National Data Guardian’s standards. This is 18% more than with the previous toolkit.
The DSPT is also used to assess third-party suppliers to the NHS and organisations applying for data through our data dissemination services.
We are required to submit an annual return against the DSPT. Our result was “standards met”, which means that all mandatory assertions were evidenced.
Data sharing arrangements
DARS handles all requests for personal data that is identifiable or potentially identifiable. Before any data is shared, we ensure that:
- a legal basis for accessing the data exists
- the customer has an appropriate level of security to safeguard the data
- the customer passes our assessment process
- dissemination is covered by a signed data sharing agreement and a data sharing framework contract
Particularly sensitive releases follow a full governance and approval process and we seek independent advice from the Independent Group Advising on the Release of Data (IGARD) when appropriate.
We will continue to ensure that the governance around the dissemination of such data is of the highest priority. This includes close collaborations with IGARD, which reviews applications for sensitive NHS Digital data and has expert members and an enhanced transparency remit.
We conduct data-sharing audits to ensure that organisations meet the terms of their data-sharing agreement and framework contract. The organisations audited are selected by the DARS Team, based on a risk assessment that considers the overall level of assurance required for a specific agreement. The audit team may also carry out some random or sampling audits as a check on the overall assurance process.
During 2018-19, we conducted audits of 20 separate organisations and recorded observations about their processes, procedures and non-conformities with NHS Digital contractual documentation.
The non-conformities are subsequently followed up with a post-audit review to ensure they have been addressed. During 2018-19, 17 post-audit reviews were conducted. The outcome of audits and post-audit reviews are published on our website.
Changes to cross-government data sharing
The memorandum of understanding between the Home Office, the Department of Health and Social Care and NHS Digital in relation to information sharing was terminated in October 2018 by NHS Digital following the government’s announcement that it would no longer request tracing information in respect of individuals suspected of immigration offences. Urgent tracing requests from the Home Office and other government departments or agencies where there is a need to trace an individual for welfare and safeguarding purposes are assessed on a case by case basis by NHS Digital’s welfare and safeguarding request panel.
Data quality assurance
We understand the importance of good quality data and our role in ensuring that the data we collect, process and share is subject to the most rigorous levels of quality assurance.
Given our unique position as a processor, user and sharer of health and social care data, we also have a duty to promote understanding of the importance of data quality across the health and social care sector.
We continue to seek ways to improve our data quality assurance. During 2018-19, we:
- monitored the implementation of our secondary uses data quality assurance policy
- worked collaboratively with our partners to develop requirements-based data quality assurance products, processes and tools
- ensured new and existing data collections and extractions went through the appropriate data quality assurance assessment processes
We have appointed a new executive director to lead this area and establish a revised operating model to support a more efficient and resilient service, and embed good information governance compliance across the organisation.
The information governance work plan for 2019-20 includes:
- designing the future operating model and implementing interim changes in structure
- implementing tracking and reporting mechanisms to support resource management and to monitor and report on performance
- developing and implementing further staff training
- developing and starting the delivery of an information governance programme to review, improve and streamline existing processes, and to establish new processes, policy, guidance, tools and training
- reviewing and updating the NHS Digital Code of Practice on Confidential Information in line with work being undertaken separately by the Department of Health and Social Care to update the NHS Code of Practice on Confidentiality
General Data Protection Regulation (GDPR)
In May 2018, the GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998, providing a comprehensive legal framework for data protection in the UK. NHS Digital has a responsibility to ensure that its policies, procedures and working practices reflect current EU and UK legislation. Our GDPR implementation programme and work plan began in 2017 and culminated in quarter two of 2018.
We have restructured our internal teams, developed our internal policies and processes and raised awareness through communications and training.
We supported good information governance across NHS Digital by:
- appointing a Data Protection Officer and a supporting team to help respond to the tasks and responsibilities required under GDPR
- putting in place a comprehensive Unified Register which holds the records of over 700 information assets with built-in controls, filters and guidance to help ensure accurate details are recorded and we are able to comply with its record keeping requirements under GDPR Article 30
- ensuring a process is in place for creating and maintaining Data Protection Impact Assessments
- updating our Data Subject Access Request procedure to support staff, patients and citizens to apply and receive the personal data NHS Digital holds about them
- updating our transparency notices, which advise on how we collect, analyse and store personal data and information
In 2018-19, 20 incidents were classified as a personal data breach under GDPR and the Information Commissioner’s Office (ICO) guidance. Two personal data breach incidents were reported to the ICO. The ICO has confirmed it is not taking action on either incident.
Freedom of Information (FOI) requests and Data Subject Access Requests (DSARs)
During 2018-19, 1,368 FOI requests were received. Nine responses were outside of the statutory deadline, a compliance rate of 99.3%.
We received 266 DSARs. DSAR compliance within statutory deadlines was 98.8%. In the three cases where statutory deadlines were breached, reasons for the delay were investigated and steps taken to address issues where necessary.
Three complaints were made to the ICO by applicants dissatisfied with our responses to FOI requests or DSARs. Two are now closed and we are waiting for further correspondence regarding the third. The outcomes of ICO investigations can be found on their website.
NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate in an efficient manner and that we can support the NHS in event of an outage. We conduct stress testing, provide a fully manned service bridge and maintain a Business Continuity Management System (BCMS) that is aligned to the requirements of ISO 22301 and related standards. The capability of the BCMS includes:
- a corporate incident management framework and supporting processes
- business continuity plans covering all NHS Digital activities
- a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
- arrangements to support the management of NHS Digital facility-related health and safety incidents
- supply chain continuity management. We confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of service to NHS Digital and its customers
Our professional and qualified staff provide subject matter expertise in line with best practice across government and relevant industry standards.
An ongoing work programme is focused on corporate incident management capability, exercising business continuity plans, facility/site emergency plans, supply chain continuity management and people aspects of business continuity planning.
As we move toward providing digital programmes and services that impact more closely on the lives of patients and citizens, there is a requirement to raise the profile of clinical governance at all levels of the organisation. This year, we worked towards developing a clinical governance framework and have appointed two very senior clinicians to non-executive positions and allocated one with special responsibility for this area. We also appointed nine senior clinicians with strong informatics competencies to lead on our major areas of activity.
We have invigorated our patient safety approach to ensure it keeps pace with new digital technologies. This work is ongoing but includes consideration of decision-support algorithms, apps and machine learning. Clinician time will be allocated according to clinical risk in each programme.
During 2018-19, NHS Digital began a transformation programme aimed at transforming itself into a modern, agile organisation capable of meeting future delivery commitments. This programme, known as Org2, is responsible for delivering a range of initiatives including restructuring the workforce. All 3,000 permanent staff will be affected, as a net reduction of around 500 full-time equivalent staff is expected. This programme introduces significant risks and a separate risk register has been created to manage these. This is reviewed regularly at board level. The first wave of this change started in 2018-19 and the programme is expected to be completed during 2020-21.
Breast cancer screening service
In May 2018, an issue was identified with the Breast Cancer Screening Service in England that resulted in thousands of women aged between 68 and 71 not being invited to their final breast screening between 2009 and 2018. NHS Digital has provided extensive support to Public Health England and other system partners on the response to, and resolution of, this critical issue
Patient Objections Management extract
On 20 June 2018, NHS Digital discovered an issue with the Patient Objection Management data extracts from one of the system providers, TPP. It was established this was due to a coding error in TPP SystmOne where new objections between 31st March 2015 and the 8th May 2018 had not been collected and sent to NHS Digital. Following investigation, it was identified that this affected submissions from 148,873 patients.
NHS Digital worked swiftly to report the error and on 27 June 2018 stopped all data flows from NHS Digital where type 2 opt-outs should have been upheld. By the evening of 28 June 2018, the opt-out data had been corrected and data flows were restarted. Affected patients were contacted to make them aware of the issue. We also worked with organisations that received data to ensure data files were replaced and incorrect data was destroyed where possible. No patient’s personal care and treatment was reported to be affected by this issue and NHS Digital informed GPs, the Information Commissioner’s Office and the National Data Guardian. All objections are now being honoured.
TPP apologised for its role and committed to work with NHS Digital so that errors of this = nature do not occur again. Subsequently, Type 2 opt-outs are now collected and converted to National Data Opt-outs. These are held on a central service managed by NHS Digital. There is no further need for TPP, or other system providers, to collect the opt-out information.
Multiple users were unable to access Microsoft Portal, Outlook Web Access, Skype or send email via Outlook on the 1st of December 2018 due to a server storage issue. A full service stability plan was initiated by Accenture and ourselves to rectify the issue (which was completed by 3rd December) and seek mitigations for the future. Following extensive clinical assessments, no patient harm or impact on the security or integrity of patient data was identified.