
NHS Digital Data Sharing Remote Audit: NHS Dorset Clinical Commissioning Group

This report records the key findings of a remote data sharing audit of NHS Dorset Clinical Commissioning Group in January 2022.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of NHS Dorset Clinical Commissioning Group (CCG) between 10 and 14 January 2022.  It provides an evaluation of how the CCG conforms to the requirements of both:

  • the data sharing framework contract CON-338307-D8Z0G
  • the data sharing agreement (DSA) DARS-NIC-54727-S3Y1T-v4.3

This DSA covers the provision of the following datasets, though not all are supplied to the CCG:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| SUS for Commissioners | Pseudo/Anonymised, Sensitive | 2008/09 – 2021/22 |
| Emergency Care - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Acute - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Ambulance - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Community - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Demand for Service - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Diagnostic Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Experience, Quality and Outcomes - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Mental Health - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Other Not Elsewhere Classified (NEC) - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Population Data - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Primary Care Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Public Health and Screening Services - Local Provider Flows | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Mental Health Minimum Data Set | Pseudo/Anonymised, Sensitive | 2014/15 – 31/12/2015 |
| Mental Health and Learning Disabilities Data Set | Pseudo/Anonymised, Sensitive | 2013/14 |
| Improving Access to Psychological Therapies Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Diagnostic Imaging Dataset | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Mental Health Services Data Set | Pseudo/Anonymised, Sensitive | 01/01/2016 – 2021/22 |
| Maternity Services Data Set | Pseudo/Anonymised, Sensitive | 2016/17 – 2021/22 |
| Children and Young People Health | Pseudo/Anonymised, Sensitive | 2016/17 – 31/10/2017 |
| Civil Registration - Deaths | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Civil Registration - Births | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Community Services Data Set | Pseudo/Anonymised, Sensitive | 01/11/2017 – 2021/22 |
| National Cancer Waiting Times Monitoring Data Set (CWT) | Pseudo/Anonymised, Sensitive | 2009/10 – 2021/22 |
| National Diabetes Audit | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Sensitive | 2013/14 – 2021/22 |


The Controller is the CCG, and the Processors are Dorset Healthcare University NHS Foundation Trust (DHC) and Microsoft Limited. Microsoft Limited supplies cloud storage services via the Microsoft Azure platform and does not process the data.

The Dorset Intelligence & Insight Service (DiiS) reporting solution is hosted on Azure and managed by DHC. The DHC and Dorset County Hospital NHS Foundation Trust are both Joint Controllers for DiiS. The above datasets are supplied directly to the DiiS platform by NHS Digital. 

The CCG was working in the spirit of an Integrated Care System (ICS) in advance of the changes under which the CCG will be absorbed into an ICS. The ICS is expected to take on the commissioning responsibility that currently sits with the CCG. It will also be responsible for broader aims such as strategic planning for the area. The DiiS is expected to be part of the ICS and to help support its responsibilities across Dorset.

The pseudonymised data supplied by NHS Digital, along with health data from other providers, is used to provide intelligence across the Dorset ICS (“Our Dorset”) and its constituent Primary Care Networks to support population health management. The DiiS reporting solution brings together data from multiple organisations across Dorset to support the needs of the population within the CCG area.

Towards the end of 2021, NHS Digital identified specific concerns with respect to the ‘Our Dorset’ Power BI dashboards published by the CCG on the internet. NHS Digital was of the view that these dashboards were displaying pseudonymised patient data without small number suppression, without adequate Role-Based Access Controls (RBAC) and with a risk of re-identification. 

As part of the planned development and phased roll-out of the solution, RBAC had been implemented and small number suppression had been applied to aggregated presentations prior to the audit. The audit was therefore undertaken on the latest version of the solution.
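The following is an added example, not code from the DiiS solution, the CCG or NHS Digital. It shows how small number suppression of the kind referred to above is applied to an aggregated table before display, and why hiding the small cells alone is not sufficient when row or column totals are shown alongside them: a line with a single hidden cell gives that cell away as the total minus the visible cells. The threshold of 5, the complementary suppression rule and the sample figures are assumptions chosen for illustration; the report states no threshold or method.

```python
"""Small-number suppression for an aggregated dashboard table.

Added example, not code from the DiiS solution or NHS Digital. The report
records that small number suppression was applied to aggregated presentations
but states no threshold or method; the threshold of 5, the complementary
suppression rule and the sample figures below are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

SUPPRESS_BELOW = 5    # assumed threshold: non-zero counts of 1..4 are hidden
SUPPRESSED = "*"      # marker rendered in place of a hidden count

Table = Dict[str, Dict[str, int]]              # row -> column -> count
Masked = Dict[str, Dict[str, Optional[int]]]   # None marks a hidden cell

# Constructed figures (patients per practice by condition), not real data.
SAMPLE: Table = {
    "Practice A": {"Asthma": 120, "COPD": 3, "Diabetes": 45},
    "Practice B": {"Asthma": 98, "COPD": 27, "Diabetes": 2},
    "Practice C": {"Asthma": 75, "COPD": 19, "Diabetes": 33},
}


def primary_suppression(table: Table) -> Masked:
    """Hide every non-zero count below the threshold. Zeros are left visible
    here; whether a zero is disclosive is a policy decision for the publisher."""
    return {
        row: {col: (None if 0 < n < SUPPRESS_BELOW else n) for col, n in cells.items()}
        for row, cells in table.items()
    }


def _lines(masked: Masked) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Every row and every column as a named list of (row, col) coordinates."""
    rows = list(masked)
    cols = list(next(iter(masked.values()))) if masked else []
    out = [("row " + r, [(r, c) for c in cols]) for r in rows]
    out += [("column " + c, [(r, c) for r in rows]) for c in cols]
    return out


def single_suppressed_lines(masked: Masked) -> List[str]:
    """Rows or columns with exactly one hidden cell. If totals are published
    alongside the cells, that cell is recoverable as total minus the rest, so
    an empty result is the condition for showing the table with its totals."""
    return [
        name for name, cells in _lines(masked)
        if sum(1 for r, c in cells if masked[r][c] is None) == 1
    ]


def complementary_suppression(masked: Masked) -> Masked:
    """Hide the smallest visible non-zero cell in any row or column that has a
    single hidden cell, repeating until no such line remains. A line whose
    other cells are all zero cannot be fixed this way; its total would have
    to be withheld as well, which is left to the caller."""
    masked = {r: dict(cells) for r, cells in masked.items()}
    changed = True
    while changed:
        changed = False
        for _, cells in _lines(masked):
            hidden = [rc for rc in cells if masked[rc[0]][rc[1]] is None]
            if len(hidden) != 1:
                continue
            visible = [rc for rc in cells if masked[rc[0]][rc[1]] not in (None, 0)]
            if not visible:
                continue
            r, c = min(visible, key=lambda rc: masked[rc[0]][rc[1]])
            masked[r][c] = None
            changed = True
    return masked


def suppress(table: Table) -> Masked:
    """Full pipeline: primary suppression, then complementary suppression."""
    return complementary_suppression(primary_suppression(table))


def render(masked: Masked) -> Dict[str, Dict[str, str]]:
    """Cell strings as a dashboard would display them."""
    return {
        r: {c: (SUPPRESSED if n is None else str(n)) for c, n in cells.items()}
        for r, cells in masked.items()
    }


if __name__ == "__main__":
    after_primary = primary_suppression(SAMPLE)
    print("lines that leak after primary suppression only:",
          single_suppressed_lines(after_primary))
    for row, cells in render(suppress(SAMPLE)).items():
        print(row, cells)
```

Running the block prints the rows and columns that would still leak after primary suppression alone, then the table as a dashboard would render it. On the sample, the primary pass leaves four such lines (two rows and two columns) and the complementary pass clears all of them, at the cost of two further hidden cells. The `single_suppressed_lines` check is the condition a publisher would want to hold before placing totals beside the cells.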

Based on these concerns, this audit was restricted to the dashboards published by DiiS and therefore excluded other Processors named in the DSA that provide support to the wider commissioning services. 

This report also considers whether the CCG and the relevant Processors conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.


Audit type and scope

Audit type: Heightened Concern

NHS Digital identified specific concerns with respect to the ‘Our Dorset’ Power BI dashboards published by the CCG on the internet. NHS Digital is of the view that these dashboards are displaying pseudonymised patient data without small number suppression, without adequate role-based access controls and with a risk of re-identification.

Scope areas

  • Information transfer
  • Access control
  • Data use and benefits
  • Risk management
  • Operational management and control
  • Data destruction

Restrictions

The above scope areas are limited to the DiiS Power BI dashboards.


Overall risk statement

Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

The CCG has reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

The CCG and DHC will establish a corrective action plan to address each finding shown in the findings tables below. NHS Digital will validate this plan and the resultant actions at a post audit review with the CCG to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


Findings

The following tables identify the 6 agreement nonconformities, 1 organisation nonconformity, 7 opportunities for improvement and 3 points for follow-up raised as part of the audit.

CCG

Ref 1
Finding: Some of the core dashboards available to authorised end users display pseudonymised record-level data, which is not consistent with the data sharing statements in the DSA.
Link to area: Use and Benefits
Clause: DSA, Annex A, Section 5b
Designation: Agreement nonconformity

Ref 2
Finding: The active DSA needs to be updated as it does not reflect current practice, including (but not limited to):
  • the role of DiiS and the reporting solution
  • the use of a cloud provider to store the data supplied by NHS Digital
  • the datasets made available
  • the use of a pseudonymisation tool
  • the re-identification process for users with responsibility for the direct care of that patient
  • permitted linkage to other datasets.
Link to area: Use and Benefits
Clause: DSA, Annex A, Sections 3 and 5
Designation: Agreement nonconformity

Ref 3
Finding: The DPIA needs to be updated to reflect current practice, including:
  • DiiS analysts can re-identify the NHS number; however, the DPIA currently states that developers and analysts cannot re-identify the NHS number. DiiS stated that this service is provided on behalf of GPs who required assistance in re-identifying the NHS number for patients in their direct care
  • the data available on some of the dashboards is pseudonymised record-level data; however, the DPIA currently states aggregated data
  • clarification that signed confidentiality agreements are only required for external contractors. The DPIA is not clear on this and could be interpreted as applying to all users.
Link to area: Operational Management
Clause: DSFC, Schedule 3, Applicable Law and Guidance - General Data Protection Regulation
Designation: Agreement nonconformity

Ref 4
Finding: The Information Asset Register (IAR) and Record of Processing Activities (ROPA) need to be updated to reflect current practice.
Link to area: Operational Management
Clause: DSFC, Schedule 2, Section A, Clause 3.2; DSFC, Schedule 3, General Data Protection Regulation (GDPR)
Designation: Agreement nonconformity

Ref 5
Finding: The Audit Team suggested that any new DSA and DSFC be reviewed by all stakeholders to ensure that they are aware of their responsibilities and obligations.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 6
Finding: The CCG should establish formal agreements between the Controller(s) and each partner organisation whose users can access the dashboards.
Link to area: Operational Management
Designation: Opportunity for improvement

DHC / DiiS

Ref 7
Finding: Some of the configuration settings on the Azure platform are not in line with the DSA, DSFC and DiiS documentation.
Link to area: Information Transfer
Clause: DSFC, Schedule 2, Section A, Clause 4.6; DSA, Annex A, Section 5b; DiiS Solution Architecture document
Designation: Agreement nonconformity

Ref 8
Finding: Security testing had not been carried out on the Azure platform where the data is held. DiiS confirmed that such testing is being planned for later in 2022.
Link to area: Access Control
Clause: DSFC, Schedule 2, Section A, Clause 1.1
Designation: Agreement nonconformity

Ref 9
Finding: Data supplied by NHS Digital and held on the SQL database had not been marked to indicate its source, as defined in the DiiS Solution Architecture.
Link to area: Operational Management
Clause: DiiS Solution Architecture, v3.0, 21 June 2021
Designation: Organisation nonconformity

Ref 10
Finding: DiiS should consider developing documentation that outlines the technical re-identification process (for example, the systems involved) and the business re-identification process (for example, the authorisation approval process).
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 11
Finding: DiiS should review the following elements to identify any gaps in controls around:
  • the management of the salt, pseudonym and NHS Number
  • monitoring access to the salt, pseudonym and NHS Number.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 12
Finding: DiiS should consider whether any additional Azure services should be enabled to improve the security and management of the platform.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 13
Finding: DiiS should clarify which supervisory checks for users with access to the Azure environment are to be carried out. The results of these checks should be documented to provide an audit trail.
Link to area: Access Control
Designation: Opportunity for improvement

Ref 14
Finding: DiiS should remind all dashboard users that they are only allowed to access the dashboard within England and Wales. This is defined in the DSA as the territory of use.
Link to area: Operational Management
Designation: Opportunity for improvement

Ref 15
Finding: At the post audit review, the Audit Team will review the process developed around managing user access, for example regular checks on last login, checks for dormant accounts and a movers/leavers process.
Link to area: Access Control
Designation: Follow-up

Ref 16
Finding: At the post audit review, the Audit Team will review the work to refine the permissions for authorised dashboard users. DiiS reported that the same permissions had been applied to all authenticated dashboard end users given access to the core reports, and that work was planned to refine the permissions further.
Link to area: Access Control
Designation: Follow-up

Ref 17
Finding: At the post audit review, the Audit Team will review the user access list for the mapping table held at DHC.
Link to area: Access Control
Designation: Follow-up

Use of data

The datasets were not being processed or used for the purposes defined in the DSA; see findings 1 and 2. The datasets were only being linked with those datasets explicitly allowed in the DSA.

Data location

The CCG and DHC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
|---|---|
| Microsoft | England/Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| Microsoft | Disk | 7 days |

Good Practice

During the audit, the Audit Team noted the following area of good practice:

  • the DiiS team and a dashboard end user (a Dorset General Practitioner) were able to demonstrate clearly the value the data supplied under this DSA has had in proactively benefiting health and social care within the Dorset area.

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 11 March 2022 5:12 pm