
Post audit review: CHKS

This report provides a progress update of the data sharing audit at CHKS in February 2019.

Audit summary

This report provides a progress update of the data sharing audit at CHKS on 14 February 2019 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-312425-T5J4X 
  • the data sharing agreement (DSA) DARS-NIC-10891-M2Y6Z-v6.3 

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Hospital Episode Statistics (HES) Critical Care | Pseudonymised/anonymised, non-sensitive | 2012/13 to 2018/19 (M08) |
| HES Accident and Emergency | Pseudonymised/anonymised, non-sensitive | 2010/11 to 2018/19 (M08) |
| HES Admitted Patient Care | Pseudonymised/anonymised, non-sensitive | 2010/11 to 2018/19 (M08) |
| HES Outpatients | Pseudonymised/anonymised, non-sensitive | 2010/11 to 2018/19 (M08) |

 

The controller is CHKS.

Further guidance on the terms used in this post audit review report can be found in version 2 of the NHS Digital Data Sharing Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by CHKS between March and August 2020.

Post audit review outcome

Based on the evidence, the Audit Team has found that CHKS has not suitably addressed the findings. 1 agreement nonconformity and 3 observations remain open and require further review by the Audit Team. CHKS is therefore required to update its action plan to align with this post audit review report.

Updated risk statement

Based on the results of the post audit review, the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

CHKS did not provide any commentary on the draft report.


Status

The following table identifies the 1 agreement nonconformity and 5 observations raised as part of the original audit.   

| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | It was not clear who the Information Asset Owner (IAO) is for the HES data, nor was the IAO identified in the data register as required by the DSFC. | Operational management | Although CHKS declared that it has identified the IAO in its Information Asset Register (IAR), the Audit Team has not received a copy or extract of the updated IAR. | Agreement nonconformity | Open |
| 2 | Only a few of the fields in the data register have been populated for the HES data. CHKS should consider populating the blank fields to ensure that adequate information is recorded on the data held. | Operational management | Although CHKS declared that the blank fields will be considered at the next review of the IAR, the Audit Team has not received a copy or extract of an updated IAR. | Observation | Open |
| 3 | CHKS should consider the production and retention of auditable evidence to demonstrate the permanent electronic deletion of data. | Data destruction | CHKS provided screenshots of SQL queries to initiate and generate electronic data deletion; the company also provided confirmation that the data purge was completed and that no records exist. CHKS stated data destruction certificates and other evidence of data deletion will be held within its SharePoint site. In addition, CHKS has updated its NHS Digital Data Management Procedure to provide clarity around the procedures for data deletion and retention of auditable evidence. A copy of the procedure was provided to the Audit Team. | Observation | Closed |
| 4 | An issue tracking system ticket raised with respect to the recent data deletion exercise specified different methods by which separate instances of the HES data could be deleted; it was not specific as to how data was formally deleted. The ticket should be updated to state the actual methods used. CHKS could also add the agreed methods for electronic data deletion from the different repositories into its NHS Digital Data Management procedure. This addition would also be consistent with the development of local instructions as recommended by the parent company’s Security Standard, clause 2.3.1.4. | Data destruction | Although CHKS stated that its tracking system will be reviewed and updated to confirm the actual method of deletion, no evidence has been provided to the Audit Team to support this statement. CHKS has updated its NHS Digital Data Management Procedure which now provides clarity around the methods for data deletion from the different repositories. A copy of the procedure was provided to the Audit Team. | Observation | Open |
| 5 | CHKS should review and revise clause 2.4 of its NHS Digital Data Management procedure to reflect current practice. | Data destruction | Although CHKS has amended clause 2.4 of its NHS Digital Data Management procedure and provided a copy to the Audit Team, the changes made are only editorial and do not reflect the practice discussed during the original audit. | Observation | Open |
| 6 | The Audit Team suggested that the address of the data centre be added under processing location in the DSA. The data centre is already identified under storage location. | Operational management | CHKS has added the address of the data centre as a processing location. A copy of the amended DSA was provided to the Audit Team. | Observation | Closed |

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 24 May 2021 9:51 am