External audit
We have worked closely with the National Audit Office, which attends and contributes to all the ARC meetings. The external audit work sits outside of our normal governance arrangements but informs the development of our governance and risk processes as well as our financial and other controls. The work of external audit is monitored by the ARC through regular progress reports. During 2021-22, we engaged early with the National Audit Office on key issues, particularly in relation to the accounting treatment of the major systems delivered in response to COVID-19 and their continued improvements during the reporting year.
Preventing fraud, bribery and corruption
Public bodies and the NHS continue to be major targets for fraud. The pandemic has accelerated the digitisation of data and technology services, which have been key targets for fraudsters using traditional and cyber-enabled methods as well as exploiting business logic to commit cyber crimes.
In 2021-22, there was a rise in NHS branded scams and spoof websites to steal user credentials. We are working with the Data Security Centre and public sector partners, such as the NHS Counter Fraud Authority and the National Cyber Security Centre, to identify and mitigate cyber-enabled fraud risks for NHS Digital and the wider health and care system.
There were also increased instances of ‘dual-working’, where staff and contractors may have held full-time contracts with 2 employers at the same time. This was exacerbated by the pandemic and the move to homeworking, as there was reduced direct management oversight, which could be exploited by opportunistic fraudsters. To mitigate this, we reviewed and strengthened controls with key stakeholders and suppliers. In addition, we shared the mitigation steps taken at NHS Digital with government partners and worked collaboratively to implement controls and raise awareness across the public sector.
To mitigate the risk of fraud, bribery and corruption to NHS Digital, we have the following control measures in place:
- a counter fraud, bribery and corruption strategy aligned to the government functional standard for counter fraud to continuously improve our approach in identifying and preventing the risk of fraud
- a counter fraud, bribery and corruption policy that is required to be read and accepted by all staff. The policy and our management statement on fraud, bribery and corruption are available on our website
- a fraud risk framework, and working with internal and external stakeholders to mitigate risks and implement robust controls
- a quarterly working group, chaired by the Finance Director, with both internal and external stakeholders
- proactive exercises using data analytics to detect and prevent fraud, including participation in national exercises, such as the biennial National Fraud Initiative
- an internal counter fraud team to investigate allegations of fraud and to always seek the appropriate disciplinary, regulatory, civil and criminal sanctions against fraudsters and, where possible, recover our losses
- collaborative working with external stakeholders including the Department of Health and Social Care Anti-Fraud Unit, the NHS Counter Fraud Authority, and the Cabinet Office to share intelligence, insight and best practice
Whistleblowing
We continue to work with Protect, the UK’s leading whistleblowing charity, to enhance our ability to support staff through improved guidance, policy and awareness training. We encourage staff to openly raise concerns through a number of channels. Following the limited assurance received from the internal audit, our policy was overhauled and made more robust.
There were 8 whistleblowing cases during 2021-22 which were all subsequently resolved.
Freedom to Speak Up
In 2021-22 we appointed 5 Freedom to Speak Up guardians and established an independent and confidential reporting service as part of our ‘Safe to Challenge’ initiative. The guardian role is one of independence, impartiality and objectivity, contributing to the Freedom to Speak Up network to comply with National Guardian’s Office guidance, and providing peer-to-peer support and learning.
Whistleblowing and Freedom to Speak Up both have nominated board-level officers to assure these arrangements.
Impact of COVID-19
We continued to deliver on all commitments, including those developed to respond to the COVID-19 pandemic which changed rapidly during the year – with national lockdown restrictions still in place at the start of the reporting year alongside the national COVID-19 vaccination programme, lockdown easing over the summer, the surge of the Omicron variant in winter, and the ‘Living with COVID-19’ strategy announced in February 2022.
The risks in ensuring capacity within the National Coronavirus Testing System during the Omicron surge were managed with the dedication of our colleagues. They worked diligently to mitigate the risks of the high volume of lateral flow test results that needed processing, enabling many people to safely spend time with their families over the Christmas period.
Wellbeing check-ins with colleagues continued during the year, and our offices continued to be ‘COVID-19 secure’ and available for those that needed them. We also worked to ensure that colleagues received help with working safely and effectively during the pandemic, including support on working safely and effectively from home. These initiatives were delivered through the Organisational Wellbeing workstream, which was jointly led by the Chief Commercial Officer and Chief People Officer.
Data and cyber security
Cyber security is a significant and ongoing risk to operations, patient care and patient safety. With increasing use of, and reliance on, digital data and technology, our Data Security Centre continued to work at pace, in close partnership with the National Chief Information Security Officer, NHS England Transformation Directorate and the National Cyber Security Centre, to help organisations reduce their risk and strengthen their protection against cyber threats. As a result, health and care organisations are better protected, including through effective use of threat intelligence, continuous scanning and monitoring of the NHS estate in England, and additional cyber support across the health sector.
We continued to deliver technical remediation for the most vulnerable trusts, and were able to offer a range of security services, such as vulnerability scanning, immediate fixes for major cyber security flaws and additional integration of data and threat feeds into the National Cyber Security Centre to counter increased ransomware and COVID-19 phishing efforts.
Alongside our health and care system-wide responsibility and growing range of managed cyber security services, we provided consultancy and assurance for a number of Department of Health and Social Care Group Critical National Infrastructure (CNI) systems, and protective monitoring for NHS Digital CNI systems. We have also strengthened our internal security approach and culture to support this.
The risks to the health and care system from cyber attacks continue to grow and evolve. We will continue to respond to these risks by providing guidance, assessments and support to help organisations understand and manage their cyber risks. We are also currently scoping new programmes of work, aligned to the National Government Cyber Strategy, which are expected to deliver further enhancements to cyber defences across NHS Digital and the wider health and care sector in the future.
Data governance
A wide-ranging legal, regulatory and compliance framework governs our receipt, processing and dissemination of data and information and our production of statistics. We are responsible for ensuring that health and social care data and information is collected, stored and disseminated appropriately.
We continued to improve controls and protocols for secondary uses of NHS data through the Data Access Request Service (DARS) in consultation with the Independent Group Advising on the Release of Data (IGARD). For General Practice Extraction Service (GPES) data requests for pandemic planning and research, we ensured an additional layer of clinical scrutiny by representatives of the British Medical Association and the Royal College of General Practitioners through the Profession Advisory Group.
On 1 October 2021, responsibility for the National Disease Registration Service (NDRS) transferred from Public Health England (PHE) to NHS Digital. Following the transfer, requests for access to data held by the NDRS continued to be assessed on a case-by-case basis by the Office for Data Release (ODR), which until 30 September 2021 had been part of PHE, and from 1 October 2021 became part of the UK Health Security Agency.
Before any data is shared, we ensure that:
- a legal basis for accessing the data exists
- the customer has an appropriate level of security to safeguard the data
- the customer passes our assessment process
- dissemination is covered by a signed data-sharing agreement and a data-sharing framework contract
Particularly sensitive releases follow a full governance and approval process, and we seek independent advice from IGARD when appropriate.
We publish details of our data sharing agreements through our Data Uses Register. We improved this in 2021-22 by providing a new interactive tool that makes it easier to see which organisations access data, the purposes for which they are permitted to use it, and the expected benefits.
To ensure that organisations meet the terms of their data sharing agreement and framework contract, we undertake data sharing audits. During 2021-22, we conducted audits of 19 organisations and recorded observations about their processes, procedures and nonconformities with NHS Digital requirements. The outcomes of audits and post-audit reviews are published on our website.
Privacy, transparency, ethics and legal
The Privacy, Transparency, Ethics and Legal directorate comprises the Data Protection Officer team, the Information Governance Delivery team, the Information Law team, the Commercial Legal team and the COVID-19 Public Inquiry Response team.
Personal data breaches and audits
The Data Protection Officer (DPO) and their team provide oversight of NHS Digital’s compliance with data protection law, advise on data protection matters and personal data breaches, and have a central role in setting the overall strategy for data protection compliance.
There were 52 personal data breaches, as defined in the UK General Data Protection Regulation (UK GDPR), reported to the DPO in 2021-22. There were 8 personal data breaches reported to the Information Commissioner’s Office.
The DPO audit function carried out 9 audits in the year as part of the DPO’s statutory role in monitoring compliance with UK GDPR, the Data Protection Act 2018, and our own data protection policies. Where improvements were needed, they were captured as audit actions, with progress and completion monitored and reported on through corporate risk and assurance processes.
NHS Digital’s Data Security and Protection Toolkit (DSPT) 2020-21 assessment was successfully submitted as ‘standard met’ by the end-of-June 2021 deadline, achieving 88 mandatory and 20 non-mandatory requirements. The Government Internal Audit Agency (GIAA) assessed NHS Digital against a mandatory assessment framework and tested the approach used to ensure a robust self-assessment is undertaken. The outcome was a ‘substantial’ (green) rating, finding the framework of governance, risk management and control adequate and effective.
The GIAA also undertook an audit of the NHS Digital DPO function in 2021-22 which also received a ‘substantial’ (green) rating, indicating that the framework of governance, risk management and control around the DPO function was adequate and effective.
The records management function undertook an ISO 9001:2015 Quality Management System routine external audit in August 2021 and was successful in maintaining certification for this period.
Freedom of information requests
The Information Governance Delivery team provides information governance services across NHS Digital, including information governance advice and support on the operation of national data and IT products, services and programmes, strategic records management advice, secretariat support for the Independent Group Advising on Release of Data (IGARD), an internal information governance helpline service and a freedom of information (FOI) and data subject access request (DSAR) response team.
1,867 FOI requests were received in 2021-22 – a 0.8% increase on the previous financial year. In recent years, we have started to receive an increasing volume of FOI requests for information held on the 1939 register from commercial genealogists. The 1939 register holds a snapshot of information on the population of England and Wales from just before the Second World War. A digital version of the register is available through National Archive partner organisations, but the original manual register records are still held by NHS Digital.
In 2021, the number of requests from some of these organisations for information held in these manual records became exceptionally high, creating a disproportionate and excessive burden on the National Back Office and FOI teams. A number of these requests were therefore refused under the terms of the Freedom of Information Act 2000. We provided advice and assistance to the relevant requesters about how to reduce the breadth and volume of their requests to reduce the burden on resources, and have seen a significant drop in the number of such requests since. We continue to assess the need for NHS Digital to retain the 1939 register manual records.
The average annual rate of compliance with the statutory timescales for responding to FOI requests remains high at 99.2%. 22 internal reviews were carried out and 4 complaints were made to the Information Commissioner’s Office (ICO), 2 of which remain open. The closed cases were resolved informally with no action required by NHS Digital.
Data subject access requests under UK GDPR
804 data subject access requests (DSARs) for access to personal data under UK GDPR were received. 99.6% of DSARs were responded to within the statutory timescales for compliance. 1 internal review was carried out during the year and no complaints were made to the ICO.
10 audits were commissioned internally by the Data Protection Officer as part of their statutory role in monitoring our compliance with GDPR.
COVID-19 Public Inquiry preparations
NHS Digital has been taking steps to prepare for the COVID-19 Public Inquiry through the establishment of a COVID-19 Public Inquiry Response team. The team is responsible for ensuring NHS Digital prepares appropriately, identifies and retains relevant records, and manages and responds to requests from the inquiry for information and evidence to support its work.
The Government Internal Audit Agency (GIAA) undertook an advisory review of our preparations in February 2022 as part of high-level assurance for the Department of Health and Social Care of initial preparations for the inquiry by all its arm’s-length bodies. GIAA concluded that we had made reasonable progress in preparing for the commencement of the inquiry. The review made a number of suggestions to help further shape our preparations. To address these suggestions, our COVID-19 Public Inquiry Response team formulated an action plan which will be subject to a progress review and further recommendations by an internal team of auditors.
Business continuity
NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate efficiently and that we can support the NHS in the event of threats to them. We maintain a business continuity management system that is aligned to the requirements of ISO 22301 and related standards. This provides:
- a corporate incident management framework and supporting processes
- business continuity plans covering all NHS Digital activities
- a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
- arrangements to support the management of NHS Digital facility-related health and safety incidents
- supply chain continuity management: we confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of services to NHS Digital and its customers
Our staff provide subject matter expertise in line with relevant industry standards and best practice across government. During 2021-22, NHS Digital showed its organisational resilience and its ability to continue to deliver, despite the challenges of the pandemic.
Clinical governance
Our digital programmes, services and data are central to the health and care of patients and citizens. Our clinicians remain absolutely integral to the development and delivery of the digital services that have supported the country’s ongoing response to COVID-19, ensuring they are clinically safe, and that all associated clinical risks are understood and managed appropriately. We have also contributed clinical informatics expertise to the development and delivery of a wide range of products and services that underpin the day-to-day work of the health and care system, alongside new programmes of recovery and transformation.
Having an effective clinical governance framework is key to this assurance, since it provides clear oversight and accountability alongside a system of learning, professional development and continuous quality improvement in our programmes and services. This was independently assessed by the Government Internal Audit Agency this year, receiving a rarely awarded ‘substantial’ (green) rating. We have also expanded and developed the clinical team to enhance its profile, effectiveness and impact across the organisation.