NHS Digital Data Sharing Remote Audit: Westminster City Council

This report records the key findings of a remote data sharing audit of Westminster City Council and Royal Borough of Kensington and Chelsea in November 2021

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of Westminster City Council (WCC) and Royal Borough of Kensington and Chelsea (RBKC) between 8 and 12 November 2021. It provides an evaluation of how WCC and RBKC conform to the requirements of:

the data sharing framework contracts (DSFC)

o CON-55596-J4J4B (WCC)

o CON-161738-S2G0Z (RBKC)

the data sharing agreement (DSA) DARS-NIC-75133-N8S0N-v2.5

This DSA covers the provision of the following datasets:

Dataset	Classification of data	Dataset period
Vital Statistics Service	Aggregated with small numbers not suppressed, Non-sensitive Pseudo/Anonymised, Non-sensitive	1993 - 2022
Primary Care Mortality Data	Identifiable, Sensitive	1996 - 2024
Civil Registration - Births	Identifiable, Sensitive	1995 - 2023

Dataset

Classification of data

Dataset period

Vital Statistics Service

Aggregated with small numbers not suppressed, Non-sensitive

Pseudo/Anonymised, Non-sensitive

1993 - 2022

Primary Care Mortality Data

Identifiable, Sensitive

1996 - 2024

Civil Registration - Births

Identifiable, Sensitive

1995 - 2023

The Joint Controllers are WCC and RBKC; RBKC does not process the data. The Processor is BT (undeclared in the DSA) who provides cloud services to WCC. The data supplied by NHS Digital is stored on BT’s cloud infrastructure. BT also provide IT service management support to WCC including the management of the IT infrastructure and undertaking backups.

The births and deaths data requested is of significant value to the Local Authorities in enabling analysts to respond to local public health needs.

This report also considers whether WCC and RBKC conform to their own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type	Routine
Scope areas	Information transfer Access control Data use and benefits Risk management Operational management and control Data destruction
Restrictions	Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

WCC and RBKC have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

WCC and RBKC will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the WCC to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

Findings

The following table identifies the 7 agreement nonconformities, 1 observation, 6 opportunities for improvement and 2 points for follow-up raised as part of the audit.

WCC

Ref	Finding	Link to area	Clause	Designation	Notes
1	A third-party cloud provider (BT) is being used to process and store the data supplied by NHS Digital. The provider also manages the IT infrastructure and the backups. This Processor is not declared in the current DSA even though WCC has been using this provider for over six years. WCC stated it had notified NHS Digital on the 18 October 2021 that it was using an undeclared third-party provider.	Access Control	DSA, Annex A, Section 1c	Agreement nonconformity
2	The data processing and storage locations specified on the active DSA do not accurately reflect the current locations. WCC stated it had notified NHS Digital on the 18 October 2021 of the new processing and storage locations.	Information Transfer	DSA, Annex A, Section 2	Agreement nonconformity
3	The Data Protection Impact Assessment (DPIA) needs to be reviewed and updated as information on the third-party cloud provider is missing. Also, the DPIA had not been signed off by the Information Asset Owner (IAO) or Senior Information Risk Officer (SIRO) as required by the guidance within the DPIA.	Operational Management	DSFC, Schedule 3, Applicable Law and Guidance - General Data Protection Regulation WCC, DPIA, October 2021	Agreement nonconformity
4	There was no evidence to show that access to the network folder holding the data supplied by NHS Digital is reviewed on a regular basis.	Access Control	DSA, Clause 7 DSFC, Schedule 2, Section A, Clause 4.1	Agreement nonconformity
5	Validation testing of required security controls has not been conducted.	Access Control	DSFC, Schedule 2, Section A, Clause 1.1	Agreement nonconformity
6	Data in transit between the primary and secondary location is not encrypted as required by the DSFC. BT have reported that transit is via a private link.	Information Transfer	DSFC, Schedule 2, Section A, Clause 4.6	Agreement nonconformity	1
7	Key documents that are referenced in the Information Security Policy (version 0.5 approved on 23 May 2020) were either not available or were in draft at the time of the audit. These documents include: Anti-Virus Policy (not available) Patch Management Policy (not available) IT Third Party Management Policy (not available) Data Classification Policy (not available) Vulnerability Management Policy (first draft - v0.1)	Access Control	DSFC, Schedule 2, Section A, Clause 4.11	Agreement nonconformity
8	Some policies require review as they are past their review date. For example: Information Security Policy – Review date: 23 July 2021 Data Protection Policy – Review date: August 2020 Data Disposal Policy – Review date: 23 July 2021	Operational Management	WCC, Information Security Policy, Version 0.5 WCC, Data Protection Policy, 12 August 2019 WCC, Data Disposal Policy, Version 0.6	Observation	2
9	Authorised personnel at both WCC and RBKC should sign off the overarching Joint Controller agreement that commenced in July 2018. The document had been signed off by the legal department, but was missing the signatures for the authorised personnel.	Operational Management		Opportunity for improvement
10	Staff need to be aware of the DSFC and DSA requirements. The organisation should consider undertaking a compliance check against both documents. This check should also be carried out prior to signing a new DSFC and DSA to ensure all parties are compliant with any new requirements.	Operational Management		Opportunity for improvement
11	WCC should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, version of the DSA, date of data deletion and certificate of destruction.	Operational Management		Opportunity for improvement
12	The IAO should consider undertaking specialist role-based training.	Operational Management		Opportunity for improvement
13	WCC should consider implementing a system that allows security logs to be proactively monitored.	Access Control		Opportunity for improvement
14	WCC should refer to the Data Access Request Service (DARS) team for the latest guidance on data destruction before deleting any further data. WCC should retain auditable evidence to demonstrate the permanent deletion of electronic data. Such records could be used as supporting evidence for a certificate of destruction submitted to NHS Digital.	Data Destruction		Opportunity for improvement
15	At the post audit review, the Audit Team will review the documented procedures to support the leavers process and the review of dormant accounts.	Access Control		Follow-up

BT

Ref	Finding	Link to area	Clause	Designation	Notes
16	The following documentation will be examined at the post audit review: Vulnerability management BT’s ISO 27001 Statement of Applicability Management and review of privileged account	Operational Management		Follow-up

Supplementary notes

Note 1. One option to progress this finding, is for a risk assessment to be completed. The risk assessment shall assess the threats to and the vulnerabilities of the un-encrypted connection and identify the mitigating controls in place. This assessment shall be signed off by the organisation’s Senior Information Risk Officer (or equivalent) and this should be submitted to the Data Access Request Service (DARS) team. If the risk is considered acceptable and all aspects of the connection are inside the area of direct control by BT, then the link need not be encrypted. NHS Digital reserves the right to review this assessment.

Note 2. This finding would normally be classified as an Organisation Nonconformity, however, the Data Protection Officer (DPO) at WCC provided a statement that the review of the policies had been delayed due to resources being diverted in response to the Covid-19 pandemic.

Use of data

WCC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

WCC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation	Territory of use
BT	England / Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation	Media type	Period
BT	Disk	12 months

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 17 January 2022 3:51 pm