Skip to main content

Post Audit Review: Wilmington Healthcare

This report provides the formal closure of the remote data sharing audit of Wilmington Healthcare in December 2020.

Audit summary

This report provides the formal closure of the remote data sharing audit of Wilmington Healthcare (Wilmington) between 7 and 11 December 2020. It provides an evaluation of how Wilmington conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-312817-H5L7G v2.01
  • the data sharing agreement (DSA) DARS-NIC-16016-Y9H1D-v9.6

 This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Mental Health Services Data Set Pseudonymised / Anonymised,
Sensitive 		 Latest available
Hospital Episode Statistics (HES) Admitted Patient Care Pseudonymised / Anonymised,
Non-sensitive		 2006/07 – 2021/22_M02
HES Critical Care Pseudonymised / Anonymised,
Non-sensitive		 2012/13 – 2021/22_M02
HES Outpatients Pseudonymised / Anonymised,
Non-sensitive		 2008/09 - 2021/22_M02
HES Accident and Emergency Pseudonymised / Anonymised,
Non-sensitive		 2010/11 - 2019/20_M12
Diagnostic Imaging Dataset Pseudonymised / Anonymised,
Non-sensitive		 2012/13 - 2016/17
Bridge file: HES to Mental Health Minimum Data Set Pseudonymised / Anonymised,
Non-sensitive		 Latest available
Bridge file: HES to Diagnostic Imaging Dataset Pseudonymised / Anonymised,
Non-sensitive		 Latest available
Mental Health Minimum Data Set Pseudonymised / Anonymised,
Sensitive 		 2011/12 – 2013/14
Mental Health and Learning Disabilities Data Set Pseudonymised / Anonymised,
Sensitive 		 2014/15 – 2015/16
 
Emergency Care Data Set  Non-sensitive 2017/18 - 2021/22_M02

 

The Controller is Wilmington and the Processor is Nasstar Group Limited (Nasstar). Nasstar is contracted to supply managed hosting and support services to Wilmington Healthcare.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by Wilmington between June and September 2021. A video call was also held to view sensitive documents.

Post audit review outcome

Based on the evidence provided by the Wilmington, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and Wilmington. 

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low

Data recipient’s acceptance statement

Wilmington has reviewed this report and confirmed that it is accurate.

Status

The following table identifies the 1 agreement nonconformity, 2 organisation nonconformities, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

Ref Finding Link to area Update Designation Status
1 A backup of the data is being stored at locations not declared in the DSA. Information Transfer The missing locations have been included in the DSA. A copy of DARS-NIC-16016-Y9H1D-v10.9 was supplied to the Audit Team. Agreement nonconformity Closed
2 The encryption algorithm observed on local devices was different to that specified in the Licensed Data Protocol v5.0. Access Control The encryption algorithm on local devices has been changed to match the Licensed Data Protocol. The method of encryption for the new storage system was also shown to meet the Protocol. Organisation nonconformity Closed
3

Some requirements of the written password policy were different to the technical controls observed being enforced through group policy.

 Access Control The password controls for the HES environment have been updated in line with the written password policy. A screenshot showing the new password settings was provided to the Audit Team. Organisation nonconformity Closed
4 The statements around only processing non-sensitive data should be corrected within subsequent versions of the DSA and internal documents. Information Transfer The DSA has been amended to include statements that sensitive mental health data are also processed. A copy of DARS-NIC-16016-Y9H1D-v10.9 was supplied to the Audit Team. Opportunity for Improvement Closed
5 Wilmington should consider including guidance for the electronic deletion of data within in the documentation addressing physical equipment destruction. Data Destruction Statements have been added to the Data Destruction Policy to recognise the electronic deletion of data. A copy of the revised policy, v2.0 dated September 2021, was supplied to the Audit Team.  Opportunity for Improvement Closed
6 The incident response form could be extended to capture interested external parties, such as NHS Digital, along with any data specific requirements and notification details. Such parties could also be added as a generic item to the list under “Official notification”. Operational Management A column for capturing external bodies has been added to the incident log. A screenshot of the revised incident log template, dated June 2021, was provided to the Audit Team. Opportunity for Improvement Closed
7 Wilmington should provide traceability with respect to applicable risks between the Data Protection Impact Assessment (DPIA) and the organisation’s risk register. Operational Management Wilmington displayed the most recent version of the DPIA, v2.1, which now included the ID numbers of the relevant risks recorded in the organisation’s risk register. Opportunity for Improvement  Closed
8 Wilmington should consider how any pertinent IT Provider infrastructure risks are reconciled within Wilmington’s risk register. Risk Management Both the Risk Assessment Process and the Risk Assessment Procedure have been revised to include the requirement to review the IT Provider risk register and incorporate into its risk assessment as required. Copies of the Risk Assessment Process, v1.3 dated 26 March 2021, and Risk Assessment Procedure, v1.2 dated 26 March 2021, were provided to the Audit Team. 
Wilmington stated that the exercise of reviewing the Nasstar risks, whilst worthwhile, did not highlight any specific risks that needed to be added to the Wilmington risk register. 		 Opportunity for Improvement Closed
9 At the post audit review the Audit Team will review the actions taken by Wilmington to address the findings of the recent penetration test. Access Control Wilmington displayed the remediation plan for the December 2020 penetration test. All the findings are shown as closed except for one low finding which Wilmington is in discussion with the supplier to find a suitable fix. 
The organisation also described the future approach to penetration testing.		 Follow-up Closed

 

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 March 2022 2:28 pm