Post audit review: Newcastle University, Newcastle 85+ Study

This report provides the formal closure of the data sharing audit at Newcastle University, Newcastle 85+ Study in September 2019.

Audit summary

This report provides the formal closure of the data sharing audit of the Newcastle 85+ Study being conducted at the Campus for Ageing and Vitality, Newcastle University (NU) on 4 and 5 September 2019 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-318044-Z5W4J
  • the data sharing agreement (DSA) NIC-148471-FR43L-v1.19 

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | 2006/18 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | 2006/18 |
| MRIS – Cause of Death Report | Identifiable, Sensitive | 2006/18 |
| MRIS – Members and Postings Report | Identifiable, Sensitive | Latest available release |
| MRIS – Cohort Event Notification Period | Identifiable, Sensitive | Latest available release |

The Controller is NU.

Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by NU between August 2020 and March 2021.

Post audit review outcome

Based on the evidence provided by NU, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and NU.

Updated risk statement

Based on the results of the post audit review, the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

NU has reviewed this report and confirmed that it is accurate.


Status

The following table identifies the 7 agreement nonconformities, 3 organisation nonconformities and 3 opportunities for improvement raised as part of the original audit. 

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | At the time of the audit the previous Principal Investigator (PI)/Information Asset Owner (IAO), along with other historical system administration accounts, still had access to the folders containing data supplied by NHS Digital. A full review of access to this folder needs to be carried out to ensure access is restricted to only the roles declared in the DSA. This regular review should be documented to provide evidence it has been carried out. | Access control | A full review of access to folders where the MRIS data resides has been undertaken. Historical accounts have been removed and only appropriate study specific users can now gain access. Reviews of access are undertaken regularly during data guardian meetings, evidence of which was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 2 | The Network Attached Storage (NAS), used to store the data supplied by NHS Digital, is not encrypted as stated in the DSA. | Access control | References to encryption have been removed from the updated DSA (v3.2), but the comment that NHS Digital data is stored on a secure area network with restricted access continues to be stated. | Agreement nonconformity | Closed |
| 3 | The location of the primary datacentre, where data supplied by NHS Digital is stored and backed up, is not declared within the DSA. This is a commercial datacentre although the hardware is owned by the University. | Information transfer | The location of the primary datacentre has been included in subsequent versions of the DSA (v2.2 and v3.2). | Agreement nonconformity | Closed |
| 4 | Data is being processed at a location not stated within the DSA. While this location is part of the NU estate, it is in a different postcode area. | Information transfer | The additional location has been included in subsequent versions of the DSA. | Agreement nonconformity | Closed |
| 5 | The DSFC requires all users with access to NHS Digital data to complete suitable training on an annual basis. The Audit Team noted that not all staff had completed the data protection training in the last 12 months. | Operational management | Evidence was supplied to the Audit Team illustrating that all study members with access to the folders holding NHS Digital data had completed suitable data protection training in the previous 12-month period. | Agreement nonconformity | Closed |
| 6 | The Data Privacy Impact Assessment (DPIA) for the study was not available at the time of the onsite visit. It was reported by NU that a draft version had been created, but University staff were unable to access it during the visit. | Operational management | An approved version of the DPIA was provided to the Audit Team. | Agreement nonconformity | Closed |
| 7 | The Privacy Notice (PN) does not meet the requirements of General Data Protection Regulation (GDPR) and needs further review and update to ensure that all criteria required are fully completed and accurate. | Operational management | A revised PN, which complies with the requirements of GDPR, has been published on the NU website. | Agreement nonconformity | Closed |
| 8 | The cover page information as well as some of the contents of several University policies and process documents are out of date and need to be updated to reflect current practice and versions. | Operational management | All documents highlighted as part of the original report have now undergone either a documented review or formal update to reflect changes to content and practice. Revised copies of these documents were supplied to the Audit Team. | Organisation nonconformity | Closed |
| 9 | Validation testing of required security controls is not in place. | Access control | NU confirmed that NHS Digital data is held on an internal system which is subject to regular testing. Advice around subsequent actions for any vulnerabilities identified as part of these regular checks was provided to NU separately by the Audit Team. | Organisation nonconformity | Closed |
| 10 | The encryption algorithm observed on some client devices used to access data supplied by NHS Digital was different to that specified in the Information Security Policy v3.0. | Access control | Following a review of the Information Security Policy v3.0, a revised v4.0 now reflects more accurately the encryption levels required for client devices across the NU estate. | Organisation nonconformity | Closed |
| 11 | NU should consider keeping evidence such as screenshots or log files to provide an audit trail for data destroyed electronically. | Data destruction | Certificates of destruction, as provided to NHS Digital, are now retained routinely as part of the project file records. An example of one of these certificates was provided to the Audit Team. | Opportunity for improvement | Closed |
| 12 | Whenever data supplied by NHS Digital is being processed using a third-party application, NU should be aware that if that application experiences an unexpected shutdown, then it could create temporary files. NU should therefore assess any risks arising from this situation and take appropriate action. | Data destruction | NU has made an assessment of this potential outcome. Whilst NU accepts that in some circumstances this may happen, it is mitigated by other controls such as disk encryption and restrictive access controls on any devices used to access the data. | Opportunity for improvement | Closed |
| 13 | When sending end user IT equipment away to a third-party disposal contractor for destruction, NU should maintain an itemised list of the sent assets, including serial numbers of hard disk drives, even where disk encryption mitigates any potential risk. NU should also request a detailed data destruction certificate from the third-party disposal contractor against which the sent assets can be reconciled by NU, in order to ensure all IT end user equipment sent has been destroyed and accounted for. | Data destruction | NU provided a representative itemised list of equipment recently sent for destruction to the third-party disposal contractor, as no actual project specific equipment was due for destruction during the course of this follow up. As the evidence provided showed that items were identified by weight and quantity, the Audit Team suggested that more granular detail, for example, serial number of hard disk drives, be included on future submissions. | Opportunity for improvement | Closed |


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 20 May 2021 4:52 pm