
Post audit review: The Institute of Psychiatry, Psychology and Neuroscience, King’s College London

This report provides the formal closure of the data sharing audit of The Institute of Psychiatry, Psychology and Neuroscience, King’s College London in November 2019.

Audit summary

This report provides the formal closure of the data sharing audit at the Institute of Psychiatry, Psychology and Neuroscience, King’s College London (KCL) on 14 and 15 November 2019 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-302837-H8G8T
  • the data sharing agreement (DSA) DARS-NIC-188499-K4G0M-v0.3

This DSA covers the provision of the following datasets:

Dataset: Adult Psychiatric Morbidity Survey
Classification of data: Aggregated, Non-sensitive
Dataset period: 2019-2022

The Controller is KCL.

Following a post audit review conducted in February 2021, 1 organisation nonconformity and 3 opportunities for improvement remained open.

Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by KCL in June 2021.

Post audit review outcome

Based on the evidence provided by KCL, the Audit Team has closed the nonconformity. Although no further action is required by the Audit Team, there are 3 opportunities for improvement still open, and KCL should complete the actions against these findings.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table also shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.

Original risk statement: Medium

Previous risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

KCL has reviewed this report and confirmed that it is accurate.


Status

The following table identifies the 2 agreement nonconformities, 3 organisation nonconformities, 1 observation, 7 opportunities for improvement and 1 point for follow-up raised as part of the original audit.

Findings 1 to 4, 6 to 9, 12 and 14 were closed as part of the post audit review conducted in February 2021.


Ref 1
Finding: KCL is storing data supplied by NHS Digital at a location not declared in the DSA. This location is outside the UK.
Link to area: Information transfer
Update: KCL has reviewed its internal advice about the storage of data, specifically around the use of public cloud storage. As part of this exercise KCL has confirmed that data is stored in the UK.
KCL is currently in discussion with NHS Digital about revising the DSA; no new DSA has yet been approved. NHS Digital has, however, approved the use of cloud storage, and in the in-progress DSA the territory of use has been changed from 'England and Wales' to 'UK'.
Designation: Agreement nonconformity
Status: Closed

Ref 2
Finding: The two users with direct access to the dataset have not completed annual data protection training, as required by the DSFC. Specialist SIRO training should also be considered.
Link to area: Operational management
Update: The two users with direct access to the dataset have completed the KCL GDPR e-learning. Copies of their certificates were supplied to the Audit Team.
No specific SIRO training has been planned.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: A data classification has not been applied to the dataset as required by KCL’s Information Classification procedure.
Link to area: Operational management
Update: The data has now been classified in accordance with the KCL Information Classification procedure. The information provided to the Audit Team also identified specific controls under each of the six headings in the table shown in section 6.1 of the information classification procedure.
Designation: Organisation nonconformity
Status: Closed

Ref 4
Finding: The storage method for the dataset was incorrectly stated in KCL’s Data Protection Register (KDPR) entry.
Link to area: Operational management
Update: KCL provided a copy of a KDPR modification request which showed the correct storage method.
Designation: Organisation nonconformity
Status: Closed

Ref 5
Finding: Some requirements of KCL’s IT Password procedure were different to the technical controls observed being enforced through group policy.
Link to area: Access control
Update: The password requirements for system administrators, defined in the latest 'IT Acceptable Use Policy - Password Procedure', have been aligned with the technical control. A hyperlink to the updated document was provided to the Audit Team.
Designation: Organisation nonconformity
Status: Closed

Ref 6
Finding: KCL does not have a Patch Management policy or procedure document to outline the processes and timescales for patch installations. Such documentation would be mandatory, should KCL be required to complete and submit an NHS Digital Data Security and Protection Toolkit.
Link to area: Operational management
Update: KCL provided a copy of its Server Update Schedule to the Audit Team which shows its server patching cycle. KCL also confirmed that the patching of user equipment is centrally managed.
KCL stated that since the audit, it had been certified to Cyber Essentials, which requires all vendor critical vulnerabilities to be patched within a 14-day period.
Designation: Observation
Status: Closed

Ref 7
Finding: KCL should consider adopting longer passwords as per the National Cyber Security Centre’s latest guidance.
Link to area: Access control
Update: KCL has increased the password length for its users. The Audit Team was provided with a screenshot from Active Directory along with the revised password procedure.
Designation: Opportunity for Improvement
Status: Closed

Ref 8
Finding: KCL should consider re-assessing its current default screen inactivity lock-out settings.
Link to area: Access control
Update: KCL provided a screenshot showing the enforced screen inactivity lock-out setting, which was accepted by the Audit Team.
Designation: Opportunity for Improvement
Status: Closed

Ref 9
Finding: KCL should ensure that all relevant members of staff are aware of the obligations within the DSFC and DSA prior to sign off.
Link to area: Information transfer
Update: KCL stated its Information Compliance team will make the DSFC available to applicants during an application process. It was confirmed by KCL that the current applicant and the IT department had a copy of the current DSFC.
Designation: Opportunity for Improvement
Status: Closed

Ref 10
Finding: KCL should document a process for data erasure which can be applied to data held at a cloud-based storage provider and data held on the local hard disk drive on a desktop.
Link to area: Data destruction
Update: KCL reported that requests for data erasure continue to be handled on a case-by-case basis via a ticket raised through its IT Service Desk. The consideration of a more formal process will be discussed as part of the requirements for the IT policy review scheduled for 2021/22.
Designation: Opportunity for Improvement
Status: Open, but not for follow-up

Ref 11
Finding: KCL should retain a copy of the data erasure log files generated by the specialist data deletion software when data is erased, to ensure there is an audit trail.
Link to area: Data destruction
Update: KCL confirmed commercial data deletion software will be used to wipe the data, where possible, and a certificate of destruction produced as proof of destruction, thereby providing an audit trail. Where this data deletion software cannot be used, KCL stated IT Assurance will oversee the deletion of the data and confirm deletion using a KCL headed letter. A copy of this confirmation will be held in a service request for the destruction as an audit trail.
As no data has been deleted, no records are currently available.
Designation: Opportunity for Improvement
Status: Open, but not for follow-up

Ref 12
Finding: KCL should update the link in the KCL Data Breach Management Procedure to the ‘Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation’ in Section 7.1, and Appendix 7, to refer to current NHS Digital guidance.
Link to area: Operational management
Update: The Data Breach Management Procedure has been updated to link to the 'Guide to the Notification of Data Security and Protection Incidents – Reporting Incidents Post the Adoption of GDPR 25 May 2018 and NIS Directive May 2018'. The Audit Team was supplied with the revised version.
Designation: Opportunity for Improvement
Status: Closed

Ref 13
Finding: KCL should consider using the Data Protection Impact Assessment (DPIA), the KDPR entry and the Data Management Plan relating to the dataset to carry out a risk assessment and implement any controls deemed necessary.
Link to area: Risk management
Update: KCL has produced several sources of information around data protection and these were provided to the Audit Team.
KCL has proposed a checklist for researchers of the points to be considered when making an application to NHS Digital for data. This checklist has not yet been published.
Designation: Opportunity for Improvement
Status: Open, but not for follow-up

Ref 14
Finding: The approach to vulnerability scanning is currently being considered by KCL. The Audit Team was not provided with details on site but KCL has subsequently provided a description of the existing processes. At the post audit review the Audit Team will review the declared approach and output from any scans undertaken.
Link to area: Access control
Update: KCL reported that since the audit, it had installed asset management agents on its standard operating environment end points and performs vulnerability scanning on all managed servers.
The results of these assessments are now reported at weekly service reviews through PowerBI. This tool was demonstrated to the Audit Team.
Designation: Follow-up
Status: Closed

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 30 June 2021 1:20 pm