| No. | Finding | Area | Update | Classification | Status |
|---|---|---|---|---|---|
| 1 | The UHBFT has not mitigated the critical and high findings identified in a security report in a timely manner. | Access Control | A new security test was planned for the end of August 2021, with a report expected to be available in September 2021. However, due to the pandemic, this test has been delayed and is now expected to be completed in early 2022. | Agreement nonconformity | Open |
| 2 | Data supplied by NHS Digital is being stored at a secondary location not declared on the DSA. This location is a data centre owned by and located at the UHBFT. It should be noted that the primary location was declared in the DSA. | Information Transfer | The DSA has been updated with the secondary storage location. A copy of the updated DSA was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 3 | There is no regular review of user access to the folder holding data supplied under the DSA. Furthermore, the Audit Team found that a legacy administration group had access to the folder for IT administration purposes, although this access was no longer required. It should be noted that the files containing the data are password protected, and the password is not known to the IT teams. | Access Control | The UHBFT stated that a system of regular checks has now been set up and a log is maintained of when the checks took place and any issues identified. A copy of the log was provided to the Audit Team. A review of the admin groups and group members was carried out on 25 January 2021 by the UHBFT to confirm that they met the IT operational requirements. No issues were identified. An email was supplied to the Audit Team to support this statement. | Agreement nonconformity | Closed |
| 4 | The portable encrypted drive used to transfer data between the UHBFT and UoB was not listed on an equipment asset register. | Access Control | The UHBFT reported that the portable encrypted drive has now been recorded on the IT asset register. A screenshot of the asset register showing the encrypted drives used to transfer the data was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 5 | The UHBFT has not carried out a formal risk assessment of the physical access controls at the Trust's data centres. | Access Control | The Trust has completed a risk assessment which covers both UHBFT data centres. A copy of the risk assessment was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 6 | The file storage system holding the data supplied under the DSA has not been patched since September 2019. Patches have been released by the manufacturer since that date; however, these have not been applied. There has been no risk assessment to determine whether these should be applied in line with Trust policy. | Access Control | The file storage system had been updated and had the latest patch installed at the time of the interview. A screenshot was supplied to the Audit Team to support this. The Trust also plans to introduce an assessment process for patches. | Organisation nonconformity | Closed |
| 7 | The desktop computers used to access data supplied by NHS Digital are not encrypted, as required by Trust policy. | Access Control | The UHBFT stated that the desktop computers used by the Head and Neck 5000 team had been encrypted. Screenshots of the Windows BitLocker settings on the desktop computers were supplied to the Audit Team. | Organisation nonconformity | Closed |
| 8 | The Trust has a Training Needs Analysis for specialist information governance (IG) training; however, this is not being followed for Information Asset Owners (IAO) or Information Asset Administrators (IAA). The Audit Team noted that there was an entry in the Information Risk Register which identified this issue, with a remedial action to develop bespoke training for these roles. | Operational Management | The IAO and IAA have completed specialist role-based training using the NHS IAO Guidance handbook. The training was completed in November and December 2020. Training records for these roles were supplied to the Audit Team. The UHBFT reported that further bespoke training for these roles is still being arranged; however, this has been delayed due to the Trust's Covid-19 pandemic response. | Organisation nonconformity | Closed |
| 9 | The Information Asset Register (IAR) is not being suitably updated. The IAR indicated that no Data Privacy Impact Assessment (DPIA) had been completed; however, a DPIA had been completed and approved by the Data Protection Officer (DPO) in January 2020. | Operational Management | The UHBFT stated that the IAR for Head and Neck 5000 has been updated and a regular quarterly check of the entry has been set up. A screenshot of the IAR showing that the DPIA has been completed was supplied to the Audit Team. | Organisation nonconformity | Closed |
| 10 | The UHBFT should consider conducting regular, documented reviews of who has access to the data centre where data supplied under the DSA is held. Currently, this review is carried out on an ad-hoc basis and is not documented. | Access Control | A review of access was carried out by the UHBFT in October 2020, January 2021 and April 2021. This review is carried out every 3 months. A copy of the log supporting the reviews and the process notes were seen by the Audit Team during a video conference call in July 2021. | Opportunity for Improvement | Closed |
| 11 | The UHBFT should consider carrying out a sample check to confirm that the degaussing process for Hard Disk Drives (HDD) has been successful. HDDs are removed from end-of-life machines and degaussed before they are provided to a disposal contractor for destruction. The Audit Team noted that there is no verification check to confirm that the degaussing has been successful. | Data Destruction | The UHBFT reported that the HDD destruction process has changed, and the Trust no longer degausses HDDs. The Trust is now using wiping software to wipe the hard drives. A screenshot of the wiping report was provided to the Audit Team. | Opportunity for Improvement | Closed |
| 12 | The arrangement between the UoB and UHBFT as Joint Controllers was set up in the current DSA. Both parties should consider the guidance on Joint Controller arrangements available on the Information Commissioner's Office website. | Operational Management | The Joint Controller agreement is still under discussion. The UHBFT stated that there has been a slight delay due to a change of staff. | Opportunity for Improvement | Open |
| 13 | The Trust should establish a mechanism that clearly demonstrates how the risks identified in the DPIA have been actioned and mitigated. | Operational Management | The UHBFT has updated the DPIA workbook, which now includes a more detailed risk section and details of mitigations. A copy of the UHBFT DPIA Workbook v2.0 was supplied to the Audit Team. | Opportunity for Improvement | Closed |
| 14 | The password policy documented in the Trust policy does not currently align with the attributes enforced by the system, due to limitations within the system. There is ongoing work to address this, including updating the documented password policy and the supporting systems to allow system-enforced changes. | Access Control | The UHBFT reported that the domain controller has been updated; however, the Audit Team has not seen any evidence to support this. At the next post-audit review, the Audit Team will check that the system-enforced attributes are aligned with the documented password policy. | Follow-up | Open |