Risk and assurance framework
We reviewed our corporate risk management framework and methodology during 2019-20 to improve risk data quality and risk management behaviours. Key actions during the year were:
- refreshing our risk management policy
- redefining our strategic risks and risk appetite model
- reviewing our short and long-term risk environment
- refining our risk reporting and escalation framework to ensure that the most significant risks are escalated appropriately and in a timely manner that enables effective risk mitigation
- updating our risk management training approach and supporting materials, including introducing risk master classes for senior leaders
- implementing directorate level and other operational risk dashboards to improve the quality, reliability and accessibility of risk information
Risks and assurance items are reported regularly and escalated through our internal governance structure, with the top strategic and other significant operational risks and issues ultimately being considered by the Executive Management Team, Audit and Risk Committee (ARC) and the Board.
The assurance framework operated as intended. In 2020-21, we will further develop our controls, review the linkage between controls and risk, introduce a more dynamic reporting cycle and develop and refine our risk management performance metrics.
The current NHS Digital assurance arrangements are based on two key assurance products (control and assurance statements and assurance maps) created by each directorate annually on a self-assessment basis and reviewed by the Assurance team.
The assurance model will be further developed during 2020-21 to focus on our key controls and how these link to risk and assurance mechanisms. This will ensure a more dynamic approach and will allow for ongoing assurances to be received throughout the year.
Our performance management framework links closely to risk management. It includes periodic reporting at differing levels of granularity in performance packs to the Digital Delivery Board, NHS Digital’s Board, our Executive Management Team and other internal business units.
This performance reporting covers:
- financial and non-financial information, key risks and issues, and an assessment of delivery against strategic commitments
- business plan delivery at corporate and directorate levels
- other key work, such as delivery of specific programmes and organisational development and transformation
Our performance framework and individual performance indicators are kept under regular review to ensure they remain meaningful and effective and support open and transparent governance. With the exception of a limited number of confidential indicators, all elements of the performance framework are reported to public meetings of the Board and most of the information is available on our website.
Internal audit and other third-party assurance
NHS Digital’s internal audit service is provided by the Government Internal Audit Agency. Acting independently, it focuses audit activity on key risk areas and chooses additional areas based on interviews with the Executive Management Team and its knowledge and experience of our business. The internal audit service operates in accordance with the Public Sector Internal Audit Standards and to an annual internal audit plan approved by the Audit and Risk Committee.
Regular reports are submitted to the Audit and Risk Committee on the effectiveness of our systems of internal control and the management of key business risks, with recommendations for improvement by management.
During 2019-20, NHS Digital’s internal audit plan included 14 internal audits and one advisory review for the clinical governance framework. The scope was limited due to the timing of some audits coinciding with the coronavirus (COVID-19) pandemic.
Whilst we otherwise had a positive year and do not consider our controls have weakened as a whole, the following audits received limited or equivalent assurance:
- The use of consultants: Recommendations to improve the reporting and evaluation of lessons learned. We will ensure the maintenance of a consistent approach to documentation and approvals and scrutinise contract extensions more closely.
- Enterprise Architecture: Recommendations to ensure consistency of architectural solutions, diagrams, principles, policies, strategies and standards and of papers presented to our governance bodies. We will focus on the longer-term strategic perspective and ensure the Enterprise Architecture Portal is fully utilised.
- Digital Transformation Portfolio: Delivery could be strengthened by focusing on governance and assurance outcomes. The oversight provided by the Enterprise Architecture Board is important in ensuring that proposed solutions support the broader strategic direction. We will work with NHSX to develop a robust ‘three lines of defence’ model in this area.
- National Back Office controls: Selected for audit to ensure that the data in the Personal Demographics Service (PDS) is fit for purpose and that releases of data to NHS and non-NHS bodies are appropriate. Actions arising from the review include formalising a strategy for work prioritisation and triaging requests, establishing a process to ensure consistency in quality assurance checks and ensuring data sharing agreements are in place for each user of the tracing service.
In addition to our internal audit service, we receive other third-party assurances including:
- a review of our payroll function, undertaken by another provider on our instruction. The report identified significant issues around approval processes, oversight and reporting and highlighted a risk that some variable pay payments had been made incorrectly. We are in the process of investigating these outcomes and have already recruited additional resources to strengthen processes and improve our relationship with our third-party payroll supplier
- ISAE3402 assurance reports covering our external payroll and financial services provided by NHS Shared Business Services (SBS). The reports provided unqualified assurance
- ISAE3402 assurance reports for the GP Payment Systems we provide to the wider NHS. This received a qualified assurance due to two minor instances where approval was not sought from the Technical Architect when gaining approval for a system change. We have reviewed these instances. Compensating controls were in place and they worked as intended
We have worked closely with the National Audit Office, who attend and contribute to all Audit and Risk Committee meetings. The external audit work sits outside of our normal governance arrangements but informs the development of our governance and risk processes together with our financial and other controls. The work of external audit is monitored by the Audit and Risk Committee through regular progress reports.
Stopping fraud and corruption
We are a publicly funded organisation and have an anti-fraud, bribery and corruption policy in place together with robust controls. We always seek the appropriate disciplinary, regulatory, civil and criminal sanctions against fraudsters and, where possible, we recover our losses. We also expect our suppliers and those working on their behalf to adhere to our standards and may seek to terminate contracts with any suppliers found by a court of law to have been guilty of corruption.
Our internal counter-fraud function investigates any evidence of corruption. The internal policy and strategy on tackling fraud, bribery and corruption is communicated to all staff and the policy and our management statement on corruption are available on our website.
We work closely with several bodies including the Department of Health and Social Care Anti-Fraud Unit and the NHS Counter Fraud Authority to establish efficient counter fraud measures and to ensure we comply with standards set by the Cabinet Office.
We also hold a quarterly fraud working group, chaired by the Finance Director, and participate in the biennial National Fraud Initiative, an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.
NHS Digital was one of the first 100 organisations to sign up to Protect’s Whistleblowing Commission Code of Practice. We will continue to improve our policy and practice through engagement with Protect.
We have a nominated officer at board level to protect and develop whistleblowing arrangements and to encourage staff to openly raise concerns.
There were four whistleblowing cases in the year, which were fully investigated internally or by an external body. All cases are now closed.
Impact of COVID-19
NHS Digital has had to operate with agility and at pace in order to effectively support the system response to the coronavirus pandemic. This has allowed the organisation to make important contributions to the response but the operating environment has generated some risks for NHS Digital and its suppliers, which we are managing in a proportionate manner, including in the area of data collection. The coronavirus has also directly affected some members of staff. Appropriate actions will be taken to ensure colleagues are protected and supported throughout the transition back to office-based working. We are working to fully define and stratify the continuing risks and review our control environment to ensure mitigation actions are effective and being fully progressed.
During 2018-19, NHS Digital began a transformation programme aimed at developing into a modern, agile organisation capable of meeting future delivery commitments. This programme, known as Org2, is responsible for delivering a range of initiatives including restructuring the workforce. The programme is split into three waves, with the first two largely complete by March 2020. The third wave has been delayed until the consequences for deliverables of the coronavirus are known. This programme introduces significant risks and a separate risk register has been created to manage these. This is reviewed regularly at board level.
Data and cyber security
We worked with NHSX, NHS England, NHS Improvement, the Department of Health and Social Care, the National Cyber Security Centre and other partners to strengthen cyber resilience in 2019-20. Alongside our system-wide responsibility, we provide consultancy and assurance on systems and services delivered by NHS Digital.
We are delivering a multi-tiered approach to reduce systemic cyber security risk in the health and social care system while also providing local organisations with the means to manage cyber risk as ‘business as usual.’ This involves central interventions, such as the Cyber Security Operations Centre (CSOC), the Secure Boundary Service, and the Advanced Threat Protection capability, as well as local interventions with NHS providers, including the five National Cyber Security Centre questions for Boards, to increase preparedness and reduce vulnerability.
The risks to the health and social care system from cyber-attacks are growing and will increase significantly with the adoption of new technologies and services. We will continue to provide guidance, assessments and support to help organisations manage risk effectively and be properly prepared.
A wide-ranging legal, regulatory and compliance framework governs our receipt, processing and dissemination of data and information and our production of statistics.
We are responsible for ensuring that all our data and information is collected, stored and disseminated appropriately and continue to improve controls and protocols through the Data Access Request Service (DARS) in consultation with the Independent Group Advising on the Release of Data (IGARD), an independent group who assess applications for data.
By centralising all data requests and disseminations through DARS and through the introduction of new tools and services, we continue to increase efficiency and improve the quality of service for external users. We also provide system-wide advice on operational information governance to the health and social care sectors in England.
DARS handles all requests for personal data that is identifiable or potentially identifiable. Before any data is shared, we ensure that:
- a legal basis for accessing the data exists
- the customer has an appropriate level of security to safeguard the data
- the customer passes our assessment process
- dissemination is covered by a signed data sharing agreement and a data sharing framework contract
Particularly sensitive releases follow a full governance and approval process and we seek independent advice from IGARD when appropriate.
We ensure that the governance around the dissemination of such data is of the highest priority and this includes undertaking data-sharing audits to ensure that organisations meet the terms of their data-sharing agreement and framework contract. During 2019-20, we conducted audits of 19 organisations and recorded observations about their processes, procedures and non-conformities with NHS Digital contractual documentation. The outcomes of audits and post-audit reviews are published on our website.
We continue to lead on a range of areas as they affect information governance, including:
- improvements to the service and efficiency of our information governance function
- building capacity to address new and emerging technologies such as AI
- supporting increasingly complex data sharing arrangements
- improving transparency and assurance across NHS Digital
- increasing access to guidance and best practice in collaboration with other NHS organisations and the National Information Governance Board for the health and care system
There were 38 incidents during 2019-20 that were classified as personal data breaches under the General Data Protection Regulation and the Information Commissioner’s Office (ICO) guidance. 17 of these related to employee data and 21 related to patient data. During this period, four of the personal data breach incidents were reported to the ICO. These have been investigated and all have now been closed by the ICO.
1,647 freedom of information (FOI) requests were received. Nine responses were outside of the statutory deadline, resulting in a compliance rate of 99%. 15 internal reviews were carried out. No complaints were made to the ICO or were the subject of an appeal to the Information Tribunal. 50% of FOI requests relate to requests to access historic records, including the 1939 register, held by the National Back Office Team in Southport. We are transferring a number of historic records to the National Archive and, once delivered, this is expected to lead to a significant reduction in FOI requests.
In the same period, we received 1,037 data subject access requests. Compliance within statutory deadlines was nearly 100%. Two internal reviews were carried out. No complaints were made to the ICO and there were no appeals to the Information Tribunal.
NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate in an efficient manner and that we can support the NHS in the event of threats to these systems. We maintain a business continuity management system (BCMS) that is aligned to the requirements of ISO 22301 and related standards. This provides:
- a corporate incident management framework and supporting processes
- business continuity plans covering all NHS Digital activities
- a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
- arrangements to support the management of NHS Digital facility-related health and safety incidents
- supply chain continuity management. We confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of service to NHS Digital and its customers
Our professional and qualified staff provide subject matter expertise in line with relevant industry standards and best practice across government.
Our digital programmes and services are integral to the health and care of patients and citizens. It is therefore essential that we have an effective clinical governance framework in place across all of the organisation. We conducted a complete review of the clinical function within NHS Digital during 2019-20 and developed an enhanced clinical governance framework with a particular emphasis on the identification and management of risk. We will introduce and refine this during 2020-21, with additional work to develop an improved system of learning, professional development and continuous quality improvement.
We maintain careful oversight of the clinical impact and relevance of NHS Digital’s portfolio. We have reviewed our approach to patient safety to ensure this is embedded throughout the organisation, and have enhanced our safety processes for services that are transitioning from testing to live service.