Data Sharing Remote Audit: South London and Maudsley NHS Foundation Trust
This report records the key findings of a remote data sharing audit of South London and Maudsley NHS Foundation Trust between September and October 2021.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of South London and Maudsley NHS Foundation Trust (SLaM) between 27 September and 1 October 2021. It provides an evaluation of how SLaM conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-00107-Q0L0N v2.01
- the data sharing agreement (DSA) DARS-NIC-292279-Z2S5T-v6.6
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Pseudo/Anonymised, Non-sensitive | 1997/98 – 2019/20 |
| HES Critical Care | Pseudo/Anonymised, Non-sensitive | 2008/09 – 2019/20 |
| HES Outpatients | Pseudo/Anonymised, Non-sensitive | 2003/04 – 2019/20 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-sensitive | 2007/08 – 2018/19 |
| Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2005 - March 2020 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | October 2005 - March 2020 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | October 2005 - March 2020 |
| Demographics | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | Latest Available, Annually |
The Controller is SLaM and the Processor is Microsoft UK.
SLaM requires HES, mortality and cancer registration data from NHS Digital for the purpose of research in the public interest. The objective of the data collection is to create a research resource to be used for research projects aiming to investigate physical health outcomes (including mortality) and receipt of health care in people with mental health conditions attending secondary mental health care services provided by SLaM.
This report also considers whether SLaM conform to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information transfer |
| Restrictions | Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.
Data recipient’s acceptance statement
SLaM has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
SLaM will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with SLaM to confirm the findings have been satisfactorily addressed.
Findings
The following table identifies the 1 agreement nonconformity, 3 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 | SLaM had not conduct security testing of the cloud infrastructure prior to data being transferred. Secuity testing had been conducted for its on-premise infrastructure. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 2 | Following further assessment and agreement of the nature of passwords, the SLaM Information Security Policy will need to be updated as the current policy is inconsistent with the password settings technically enforced. Passwords were amended during the Covid-19 pandemic to be consistent with Government guidelines. | Access Control | SLaM Information Security Policy, version 8 (February 2020) | Observation | |
| 3 | A deprecated hash algorithm is used to encrypt the patient identifier in the anonymised datasets made available to approved researchers. | Access Control | DSFC, Part 2, Clause 5.1.3 | Observation | |
| 4 | SLaM had completed a Data Protection Impact Assessment (DPIA), however, it did not contain the most up to date information. The DPIA is due to be updated following release of the new Data Sharing Agreement (DSA). | Operational Management | South East London Data Protection and Privacy Impact Assessment (DPIA) Process, 10 Apr 2019 | Observation | |
| 5 | SLaM should consider including a reminder to acknowledge the use of HES data in publications, within the guidance provided to users of the Clinical Record Interactive Search (CRIS) system. | Operational Management | Opportunity for improvement | ||
| 6 | SLaM should reassess its use of built-in administrator accounts as recommended by Microsoft. | Access Control | Opportunity for improvement | ||
| 7 | SLaM should consider what specialist training is provided to staff employed in named positions, for example, Information Asset Owner (IAO) and Information Asset Administrator (IAA). | Operational Management | Opportunity for improvement | ||
| 8 | At the post audit review, the Audit Team will review evidence of data destruction in relation to data previously stored on-premise. | Data Destruction | DSA, Annex A, Clause 6 | Follow-up |
Supplementary notes
No notes.
Use of data
SLaM confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
SLaM confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| SLaM | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Microsoft | Cloud storage | 7 days |
Note: Previous on-premise storage is awaiting destruction. See finding Ref. 8.
Good practice
During the audit, the Audit Team noted the following areas of good practice:
- SLaM was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England
- Effective governance controls were in place, with regular Board and Information Security Committee meetings, as well as a programme of internal audits providing oversight and assurance.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.
NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 4 March 2022 2:28 pm