NHS Digital Post Audit Review: Small Area Health Statistics Unit at Imperial College London

This report provides the formal closure of the remote data sharing audit of the Small Area Health Statistics Unit at Imperial College London between June and July 2021.

Audit summary

This report provides the formal closure of the remote data sharing audit of the Small Area Health Statistics Unit (SAHSU) at Imperial College London (ICL) between 28 June and 2 July 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-312177-J7P3H
  • the data sharing agreement (DSA) DARS-NIC-204903-P1J7Q-v3.8

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Sensitive | 1990/91 - 2021/22_M06
HES Critical Care | Identifiable, Sensitive | 2008/09 - 2021/22_M06
HES Accident and Emergency | Identifiable, Sensitive | 2008/09 - 2018/19
Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2018/19 - 2021/22_M06
HES: Civil Registration (Deaths) bridge | Identifiable, Non-sensitive | Latest available
Civil Registration (Deaths) - Secondary Care Cut | Identifiable, Sensitive | Latest available

The Controller is ICL. 

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the SAHSU between December 2021 and March 2022. Evidence was also viewed by the Audit Team during a video call in January 2022. 

Post audit review outcome

Based on the evidence provided by ICL and the SAHSU, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team, ICL and the SAHSU.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: High

Current risk statement: Low


Data recipient’s acceptance statement

The SAHSU has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 6 agreement nonconformities, 1 organisation nonconformity, 2 observations, 9 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

Ref Finding Link to area Update Designation Status
1 The database holding data supplied by NHS Digital has not been patched for some time. Access control

The SAHSU installed the patches available for the database following the audit. 

A screenshot of the patching details was supplied to the Audit Team.  

Agreement nonconformity Closed
2 Data in transit between the primary datacentre and the backup sites is not fully encrypted as required by the DSFC. Information transfer

ICL has completed a risk assessment which assesses the threats and the vulnerabilities of the un-encrypted connection and identifies the mitigating controls in place. The assessment was approved by the ICL Chief Information Security Officer and submitted to the Data Access Request Service (DARS) team. 

A copy of the risk assessment was supplied to the Audit Team. 

Agreement nonconformity Closed
3 Vulnerability scans have not been conducted on elements of the infrastructure. Access control

The SAHSU is now running a regular scan on the missing elements identified during the audit.  

A copy of the vulnerability scan report from November 2021 was supplied to the Audit Team. 

Agreement nonconformity Closed
4 Findings from validation testing have not been cleared within a reasonable timescale and no formal remediation plan has been established. Access control

A validation report from September 2021 and a supporting remediation plan were supplied to the Audit Team.

Further documentation supporting the action taken to address the issues identified was seen during a video call.

Agreement nonconformity Closed
5 ICL has not carried out a formal risk assessment of the physical controls at ICL’s data centres. Access control ICL has completed a formal risk assessment of each of its data centres and two risk reports were supplied to the Audit Team.  Agreement nonconformity Closed
6

Two master's students had been given access to data supplied by NHS Digital, which is not permitted by the DSA.

During the audit, access to the data by the master's students was suspended by SAHSU, and a request was made to DARS to update the DSA.

Use and benefits

ICL has updated the DSA to allow ICL registered students (including PhD and Masters students) to access the data. The updated DSA has been approved by the DARS team. 

A copy of the updated DSA (DARS-NIC-204903-P1J7Q-v4.6) signed in October 2021 was supplied to the Audit Team. 

Agreement nonconformity Closed
7 The data supplied by NHS Digital has not been classified in line with SAHSU Information Classification Policy. Operational management

The data has been classified in line with the Information Classification, Labelling and Handling Procedure v1.3 and the assigned classification has been recorded in the data asset register. 

Copies of the procedure and the data asset register were supplied to the Audit Team. 

Organisation nonconformity Closed
8 Although the DSA requires all PhD students to have substantive contracts in place with Imperial College London, no such contracts could be provided for any of the PhD students in the Unit. Use and benefits

ICL has drafted a data access contract which has been approved by the DARS team. The contract, in place of a substantive employment contract, allows registered students (including PhD and Masters students) to access the data. 

Copies of the template contract, the approval by the DARS team and a signed copy of the contract were seen by the Audit Team. 

Observation Closed
9 Anti-virus alerts for the servers holding data supplied by NHS Digital are only forwarded to a single IT contact. If the contact was unavailable, then no action would be taken against the alerts. It was, however, stated that SAHSU plan to utilise the anti-virus solution used by the rest of ICL, where events would be captured in a log management tool and alerts issued to a group email address. Access control

Antivirus alerts are now being sent to a number of key personnel within ICL.

A copy of the email alerts and a list of the recipients of the emails were seen by the Audit Team. 

Observation Closed
10 SAHSU should consider developing procedures or enhancing existing documentation to cover the following: 
  • the local storage of Active Directory (AD) administrator account passwords
  • firewall management, for example, responsibilities, rule changes and configuration changes
  • assessing security incidents and informing NHS Digital where appropriate
  • electronic destruction of data supplied by NHS Digital
Operational management

The SAHSU has enhanced its documentation for the management of administrator passwords, firewall management, NHS Digital incident reporting and electronic destruction of data.  

Documentation to support the above processes was seen by the Audit Team.  

Opportunity for improvement Closed
11 SAHSU should proactively monitor the database logs. Operational management

The database logs now feed into a log management tool and alerts are generated to inform key staff of certain events. 

An example of an alert was supplied to the Audit Team. 

Opportunity for improvement Closed
12 The Information Asset Owner (IAO) should consider completing specialist IAO training. Operational management

The IAO has completed specialist IAO training. 

An email confirming when the training was completed and the associated training material were supplied to the Audit Team.

Opportunity for improvement Closed
13 SAHSU should consider adding appropriate document management information to its Data Protection Impact Assessment (DPIA). Operational management

ICL stated that the current documentation management system retains version history. 

A copy of the updated DPIA which includes documentation management information was seen by the Audit Team. 

Opportunity for improvement Closed
14 SAHSU should consider deactivating user accounts that have not been accessed for more than six months. Access control

The SAHSU has developed a process to deactivate user accounts not being accessed over a defined period of time. 

The process was explained to the Audit Team and supporting evidence was provided. 

Opportunity for improvement Closed
15 SAHSU risk management process could be improved by regular review of the risk register at a group meeting, including the IAO. SAHSU should also consider formal risk management training. Risk management

The SAHSU confirmed that key members of staff from the unit have completed risk management training and will be leading risk activities going forward. This includes reviewing and updating the risk register. 

Risk management is now also part of the agenda at monthly meetings and includes bi-annual review of the risk register.

The Audit Team was supplied with relevant training records and examples of meeting agendas. 

Minutes that showed risk assessments were being reviewed were seen during a video call.

Opportunity for improvement Closed
16 SAHSU should consider automatically blocking remote connections in certain circumstances.  Access control

The SAHSU is using a new system to block remote connections in certain circumstances. Screenshots to demonstrate how it worked were supplied to the Audit Team. 

Opportunity for improvement Closed
17 ICL should consider proactive review of swipe card access to the datacentre as currently this is only done when users join or leave the organisation. Access control

The ICT Data Centre Policy has been updated and reviews of swipe card access are taking place on a regular basis at its datacentres. Further work is required for the other datacentres, which is in progress. 

A copy of the updated ICT Data Centre Policy, version 2.8, and an example to support the reviews being conducted, were seen by the Audit Team during a video call.  

Opportunity for improvement Closed
18 SAHSU should consider carrying out a risk assessment on the statistical server as it may store temporary files if there is any abnormal shutdown of the statistical tools. Risk management

The SAHSU has carried out an informal risk assessment and additional mitigating controls have been implemented.

Evidence was supplied to the Audit Team which showed temporary files are automatically deleted at a frequent interval.  

Opportunity for improvement Closed
19 At the time of audit, ‘old’ servers had not been destroyed but still contained data supplied by NHS Digital. At the post audit review, the Audit Team will review the data destruction process and view a completed certificate of destruction. Data destruction

The SAHSU confirmed that the data on the old servers had been wiped using specialist data deletion software.

The SAHSU has completed NHS Digital’s certificate of destruction. This certificate, together with the erasure report generated by the specialist data deletion software, was sent to NHS Digital in August 2021.

Follow-up Closed

 


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 9 May 2022 4:30 pm