| No. | Finding | Domain | Update | Type | Status |
|---|---|---|---|---|---|
| 1 | A backup of the data is being stored at locations not declared in the DSA. | Information Transfer | The missing locations have been included in the DSA. A copy of DARS-NIC-16016-Y9H1D-v10.9 was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 2 | The encryption algorithm observed on local devices was different from that specified in the Licensed Data Protocol v5.0. | Access Control | The encryption algorithm on local devices has been changed to match the Licensed Data Protocol. The method of encryption for the new storage system was also shown to meet the Protocol. | Organisation nonconformity | Closed |
| 3 | Some requirements of the written password policy differed from the technical controls observed being enforced through group policy. | Access Control | The password controls for the HES environment have been updated in line with the written password policy. A screenshot showing the new password settings was provided to the Audit Team. | Organisation nonconformity | Closed |
| 4 | The statements around only processing non-sensitive data should be corrected within subsequent versions of the DSA and internal documents. | Information Transfer | The DSA has been amended to state that sensitive mental health data are also processed. A copy of DARS-NIC-16016-Y9H1D-v10.9 was supplied to the Audit Team. | Opportunity for Improvement | Closed |
| 5 | Wilmington should consider including guidance for the electronic deletion of data within the documentation addressing physical equipment destruction. | Data Destruction | Statements have been added to the Data Destruction Policy to recognise the electronic deletion of data. A copy of the revised policy, v2.0 dated September 2021, was supplied to the Audit Team. | Opportunity for Improvement | Closed |
| 6 | The incident response form could be extended to capture interested external parties, such as NHS Digital, along with any data-specific requirements and notification details. Such parties could also be added as a generic item to the list under “Official notification”. | Operational Management | A column for capturing external bodies has been added to the incident log. A screenshot of the revised incident log template, dated June 2021, was provided to the Audit Team. | Opportunity for Improvement | Closed |
| 7 | Wilmington should provide traceability of applicable risks between the Data Protection Impact Assessment (DPIA) and the organisation’s risk register. | Operational Management | Wilmington displayed the most recent version of the DPIA, v2.1, which now includes the ID numbers of the relevant risks recorded in the organisation’s risk register. | Opportunity for Improvement | Closed |
| 8 | Wilmington should consider how any pertinent IT Provider infrastructure risks are reconciled within Wilmington’s risk register. | Risk Management | Both the Risk Assessment Process and the Risk Assessment Procedure have been revised to require review of the IT Provider risk register and incorporation of its risks into Wilmington’s risk assessment as required. Copies of the Risk Assessment Process, v1.3 dated 26 March 2021, and Risk Assessment Procedure, v1.2 dated 26 March 2021, were provided to the Audit Team. Wilmington stated that the exercise of reviewing the Nasstar risks, whilst worthwhile, did not highlight any specific risks that needed to be added to the Wilmington risk register. | Opportunity for Improvement | Closed |
| 9 | At the post-audit review the Audit Team will review the actions taken by Wilmington to address the findings of the recent penetration test. | Access Control | Wilmington displayed the remediation plan for the December 2020 penetration test. All findings are shown as closed except for one low-severity finding, for which Wilmington is in discussion with the supplier to find a suitable fix. The organisation also described its future approach to penetration testing. | Follow-up | Closed |