| No. | Finding | Area | Update | Category | Status |
|---|---|---|---|---|---|
| 1 | Data is being stored at a third-party location not declared on the DSA. | Information Transfer | New DSAs are currently in progress. The Audit Team confirmed via the Data Access Request Service (DARS) management system that the missing storage location has been included in the latest in-progress versions. | Agreement nonconformity | Closed |
| 2 | The processing description in the new DSA is incorrect, along with the declaration of a location which is not expected to store or process data. | Use and Benefits | New DSAs are currently in progress. The Audit Team confirmed via the DARS management system that in the latest in-progress versions: (a) the processing description has been revised; (b) the redundant processing/storage location has been removed. | Agreement nonconformity | Closed |
| 3 | The third party being used to manage the IT infrastructure and the backups is not named as a Processor on the DSA. | Access Control | New DSAs are currently in progress which name the IT third party as a Processor. | Agreement nonconformity | Closed |
| 4 | Backup tapes, which are kept offsite, are not encrypted. | Access Control | A new backup strategy and solution, which is moving away from backup tapes, is being developed, but its implementation has been delayed. | Agreement nonconformity | Open |
| 5 | Internal audits have not been conducted in accordance with the existing System Level Security Policy (SLSP). | Operational Management | A new version of the SLSP has been issued, v5.0, October 2020, which changes some of the requirements. The document recognises that audits may not be conducted annually; see also finding 14. An NHS agreement internal audit plan proforma has been created to ensure a proper review of HSE's SLSP with respect to data supplied by NHS Digital. The document shows that reviews of the SLSP and associated documents have taken place and aspects such as the clean desk policy are being maintained. The Information Asset Manager (IAM) also reiterated the activities undertaken and information received to discharge the IAM responsibilities. | Organisation nonconformity | Closed |
| 6 | The existing SLSP does not reflect the system changes made last year. | Operational Management | The SLSP has been revised. A copy of the new SLSP, v5.0 dated October 2020, was supplied to the Audit Team. The latest information risk assessment, dated 30 November 2020, was also supplied to the Audit Team. | Organisation nonconformity | Closed |
| 7 | The draft low-level design for the new system implemented last year appears to be incomplete. There is no record in the document of review and approval, and the document management information is inconsistent. | Operational Management | During a video call, the approved low-level design (v1.0 dated 16 September 2021), which represents the current system, was presented to the Audit Team. | Organisation nonconformity | Closed |
| 8 | The Information Asset Owner (IAO) had not completed an annual report on the security of NHS Digital supplied assets as required by the IT Security Policy. | Operational Management | During a video call, a copy of the Letter of Assurance sent by the Director, Science and Commercial to the HSE Chief Executive Officer, in lieu of the IAO annual report, was shown to the Audit Team. | Organisation nonconformity | Closed |
| 9 | The prepared Certificate of Destruction should be amended before being sent to NHS Digital to remove any incorrect statements around backups. | Data Destruction | An amended Certificate of Destruction was issued to NHS Digital in August 2020. This certificate has been accepted by DARS. | Observation | Closed |
| 10 | HSE should undertake periodic checks to ensure that access to protected project folders is consistent with internal records held by the research team. Such checks were made as part of the change of system and in preparation for the audit. | Access Control | HSE stated that a standing item had been on the agenda for the project's quarterly meetings to review access. The Audit Team was supplied a copy of the standard agenda. The Audit Team was also provided: (a) a copy of a service call to remove a user from a number of related Active Directory groups, dated 30 November 2020; (b) an email from 14 April 2021 confirming that access was correct. | Observation | Closed |
| 11 | The HSE incident reporting form could be extended to capture interested parties, such as NHS Digital, to ensure these parties are notified in accordance with any contractual obligations. | Operational Management | A field has been added to the incident reporting form to capture relevant details when the incident affects contractual obligations or agreements with organisations outside of HSE. A copy of the revised form was supplied to the Audit Team. | Opportunity for Improvement | Closed |
| 12 | There should be a check to review the appropriateness of the compliance statement when revising each of the current policies. | Operational Management | HSE stated the compliance statements within a policy are checked by relevant parties as part of the policy's annual review. The review process has also been included in the NHS agreement internal audit plan. | Opportunity for Improvement | Closed |
| 13 | Additional columns should be added to the project risk spreadsheet to record both the pre- and post-mitigation scores so that the impact of any mitigating controls is apparent. | Risk Management | An updated project risk spreadsheet has been developed and implemented by the Project Management Capability Group. Though the new spreadsheet does not address suggestions made by the Audit Team, it has been accepted by the HSE as being suitable for its needs. | Opportunity for Improvement | Closed |
| 14 | HSE should consider conducting an internal audit to ensure that the requirements of key policies and procedures are being adhered to. | Operational Management | The Epidemiology & Predictive Modelling (EPM) team was audited in April 2021. A copy of this audit report was provided to the Audit Team. The HSE stated that the EPM team is audited every year, and each year different projects are audited. The Asbestos Workers Survey project is currently scheduled to be audited in April 2022 along with another project. | Opportunity for Improvement | Closed |
| 15 | HSE should establish whether additional information is available through the third-party recycler's portal to support the destruction of data-bearing assets. | Data Destruction | The information available within the portal, using a current disposal entry (DSF10125), was shown to the Audit Team during a video call. To a large extent, the portal holds information already retained by the HSE with respect to the disposal of assets. | Follow-up | Closed |