| No. | Finding | Area | Update at post-audit review | Finding type | Status |
|---|---|---|---|---|---|
| 1 | KCL is storing data supplied by NHS Digital at a location not declared in the DSA. This location is outside the UK. | Information transfer | KCL has reviewed its internal advice about the storage of data, specifically around the use of public cloud storage. As part of this exercise KCL has confirmed that data is stored in the UK. KCL is currently in discussion with NHS Digital about revising the DSA; no new DSA has yet been approved. However, NHS Digital has approved the use of cloud storage, and in the in-progress DSA the territory of use has been changed from 'England and Wales' to 'UK'. | Agreement nonconformity | Closed |
| 2 | The two users with direct access to the dataset have not completed annual data protection training, as required by the DSFC. Specialist SIRO training should also be considered. | Operational management | The two users with direct access to the dataset have completed the KCL GDPR e-learning. Copies of their certificates were supplied to the Audit Team. No specific SIRO training has been planned. | Agreement nonconformity | Closed |
| 3 | A data classification has not been applied to the dataset as required by KCL’s Information Classification procedure. | Operational management | The data has now been classified in accordance with the KCL Information Classification procedure. The information provided to the Audit Team also identified specific controls under each of the six headings in the table shown in section 6.1 of the information classification procedure. | Organisation nonconformity | Closed |
| 4 | The storage method for the dataset was incorrectly stated in KCL’s Data Protection Register (KDPR) entry. | Operational management | KCL provided a copy of a KDPR modification request which showed the correct storage method. | Organisation nonconformity | Closed |
| 5 | Some requirements of KCL’s IT Password procedure differed from the technical controls observed being enforced through group policy. | Access control | The password requirements for system administrators, defined in the latest 'IT Acceptable Use Policy - Password Procedure', have been aligned with the technical control. A hyperlink to the updated document was provided to the Audit Team. | Organisation nonconformity | Closed |
| 6 | KCL does not have a Patch Management policy or procedure document outlining the processes and timescales for patch installations. Such documentation would be mandatory should KCL be required to complete and submit an NHS Digital Data Security and Protection Toolkit. | Operational management | KCL provided a copy of its Server Update Schedule to the Audit Team, which shows its server patching cycle. KCL also confirmed that the patching of user equipment is centrally managed. KCL stated that since the audit it had been certified to Cyber Essentials, which requires all vendor critical vulnerabilities to be patched within a 14-day period. | Observation | Closed |
| 7 | KCL should consider adopting longer passwords as per the National Cyber Security Centre’s latest guidance. | Access control | KCL has increased the password length for its users. The Audit Team was provided with a screenshot from Active Directory along with the revised password procedure. | Opportunity for Improvement | Closed |
| 8 | KCL should consider re-assessing its current default screen inactivity lock-out settings. | Access control | KCL provided a screenshot showing the enforced screen inactivity lock-out setting, which was accepted by the Audit Team. | Opportunity for Improvement | Closed |
| 9 | KCL should ensure that all relevant members of staff are aware of the obligations within the DSFC and DSA prior to sign-off. | Information transfer | KCL stated that its Information Compliance team will make the DSFC available to applicants during the application process. KCL confirmed that the current applicant and the IT department had a copy of the current DSFC. | Opportunity for Improvement | Closed |
| 10 | KCL should document a process for data erasure which can be applied to data held at a cloud-based storage provider and data held on the local hard disk drive of a desktop. | Data destruction | KCL reported that requests for data erasure continue to be handled on a case-by-case basis via a ticket raised through its IT Service Desk. The consideration of a more formal process will be discussed as part of the requirements for the IT policy review scheduled for 2021/22. | Opportunity for Improvement | Open, but not for follow-up |
| 11 | KCL should retain a copy of the data erasure log files generated by the specialist data deletion software when data is erased, to ensure there is an audit trail. | Data destruction | KCL confirmed that commercial data deletion software will be used to wipe the data where possible, and a certificate of destruction produced as proof of destruction, thereby providing an audit trail. Where this data deletion software cannot be used, KCL stated that IT Assurance will oversee the deletion of the data and confirm deletion using a KCL headed letter. A copy of this confirmation will be held in a service request for the destruction as an audit trail. As no data has yet been deleted, no records are currently available. | Opportunity for Improvement | Open, but not for follow-up |
| 12 | KCL should update the link in the KCL Data Breach Management Procedure to the ‘Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation’ in Section 7.1 and Appendix 7, to refer to current NHS Digital guidance. | Operational management | The Data Breach Management Procedure has been updated to link to the 'Guide to the Notification of Data Security and Protection Incidents – Reporting Incidents Post the Adoption of GDPR 25 May 2018 and NIS Directive May 2018'. The Audit Team was supplied with the revised version. | Opportunity for Improvement | Closed |
| 13 | KCL should consider using the Data Protection Impact Assessment (DPIA), the KDPR entry and the Data Management Plan relating to the dataset to carry out a risk assessment and implement any controls deemed necessary. | Risk management | KCL has produced several sources of information around data protection and these were provided to the Audit Team. KCL has proposed a checklist for researchers of the points to be considered when making an application to NHS Digital for data. This checklist has not yet been published. | Opportunity for Improvement | Open, but not for follow-up |
| 14 | The approach to vulnerability scanning is currently being considered by KCL. The Audit Team was not provided with details on site, but KCL has subsequently provided a description of the existing processes. At the post-audit review the Audit Team will review the declared approach and the output from any scans undertaken. | Access control | KCL reported that since the audit it had installed asset management agents on its standard operating environment endpoints and performs vulnerability scanning on all managed servers. The results of these assessments are now reported at weekly service reviews through PowerBI. This tool was demonstrated to the Audit Team. | Follow-up | Closed |
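Finding 5 records a gap between the written password procedure and the controls actually enforced through group policy, and findings 7 and 8 turn on the same enforced settings (password length and the screen inactivity lock-out). The PowerShell script below is an added example for checking that kind of alignment; it is not part of the audit report and not KCL's own tooling. It reads the domain default password policy (and, for a named account such as a system administrator, the resultant fine-grained policy that may override it) together with the machine inactivity limit applied by GPO, and compares them against values copied from a written procedure. The numbers in `$Documented` and the account name `admin.placeholder` are placeholders, not KCL's settings; the script needs the ActiveDirectory RSAT module and a domain-joined machine that receives the relevant GPO.

```powershell
# Added example: reconcile a written password / screen-lock standard with what is
# actually enforced. Placeholder values only; requires the ActiveDirectory module
# (RSAT) and a domain-joined machine that receives the relevant GPO.
Import-Module ActiveDirectory

# Requirements as written in the organisation's password procedure (placeholders).
$Documented = [ordered]@{
    MinPasswordLength     = 12      # characters
    ComplexityEnabled     = $true
    PasswordHistoryCount  = 24      # previous passwords remembered
    LockoutThreshold      = 10      # failed attempts before lockout
    InactivityTimeoutSecs = 900     # screen lock after 15 minutes idle
}

function Get-EnforcedSettings {
    param(
        # Optional account (e.g. an administrator) whose resultant policy should be
        # checked, because a fine-grained password policy (PSO) can override the default.
        [string]$Identity
    )
    $pol = $null
    if ($Identity) { $pol = Get-ADUserResultantPasswordPolicy -Identity $Identity }
    if (-not $pol) { $pol = Get-ADDefaultDomainPasswordPolicy }

    # "Interactive logon: Machine inactivity limit" is written to this value when set by GPO.
    $lock = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                             -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $timeout = if ($lock) { $lock.InactivityTimeoutSecs } else { $null }

    [ordered]@{
        MinPasswordLength     = $pol.MinPasswordLength
        ComplexityEnabled     = $pol.ComplexityEnabled
        PasswordHistoryCount  = $pol.PasswordHistoryCount
        LockoutThreshold      = $pol.LockoutThreshold
        InactivityTimeoutSecs = $timeout
    }
}

function Compare-PolicyToEnforcement {
    param(
        [System.Collections.IDictionary]$Documented,
        [System.Collections.IDictionary]$Enforced
    )
    foreach ($key in $Documented.Keys) {
        $doc = $Documented[$key]
        $enf = $Enforced[$key]
        # A setting the procedure requires but nothing enforces is the finding-5 kind of gap.
        $status = if ($null -eq $enf) { 'NOT ENFORCED' } elseif ("$doc" -eq "$enf") { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{
            Setting    = $key
            Documented = $doc
            Enforced   = if ($null -eq $enf) { '-' } else { $enf }
            Status     = $status
        }
    }
}

# Domain default first, then a named administrator account (placeholder identity).
Compare-PolicyToEnforcement -Documented $Documented -Enforced (Get-EnforcedSettings) |
    Format-Table -AutoSize
Compare-PolicyToEnforcement -Documented $Documented -Enforced (Get-EnforcedSettings -Identity 'admin.placeholder') |
    Format-Table -AutoSize
```

Run it from an account that can read the domain password policy; a MISMATCH or NOT ENFORCED row is exactly the evidence an auditor would ask for, and the same output can be attached to a procedure change request as the proof that the document and the control now agree.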