Skip to main content

NHS Digital Post Audit Review: Public Health England

This report provides the formal closure of the remote data sharing audit of Public Health England in November 2020.

Audit summary

This report provides the formal closure of the remote data sharing audit of Public Health England (PHE) between 9 and 13 November 2020 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-306897-D7N4D v2.01
  • the data sharing agreement (DSA) DARS-NIC-147834-LHQ2R v4.2

 This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
MRIS – Members and Postings Report Identifiable, Sensitive Historic Held (April 1980 – Feb 2019)
MRIS - Flagging Current Status Report Identifiable, Sensitive Historic Held (April 1980 – Feb 2019)
MRIS - Cohort Event Notification Report Identifiable, Sensitive Historic Held (April 1980 – Feb 2019) Latest available release
MRIS - Cause of Death Report Identifiable, Sensitive Historic Held (April 1980 – Feb 2019) Latest available release

 

The Controller is PHE and the Processor is Nuvia Limited (Nuvia).

During the post audit review, it was announced that Nuvia was no longer managing the NHS Digital data on behalf of PHE and had deleted the data from its servers. The Audit Team was supplied with a copy of the Certificate of Destruction that had been supplied to NHS Digital on 1 November 2021. As a result of this announcement, any findings for Nuvia that could not be closed as part of this review have been recorded as “Open, but not for follow-up”. Should Nuvia be re-engaged to process the data, then the Audit Team reserves the right to reopen these findings.

Furthermore, the 2 findings for Public Health England that could not be closed as part of this review have also been recorded as “Open, but not for follow-up” given that Public Health England was dissolved in October 2021.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by Nuvia between June and November 2021.

Post audit review outcome

As a result of the changes described above, no further action is required by the Audit Team even though not all the findings have been closed.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Medium

Current risk statement: Low


Data recipient’s acceptance statement

Nuvia has reviewed this report and confirmed that it is accurate.


Status

The following tables identify the 6 agreement nonconformities, 1 organisation nonconformity, 2 observations and 6 opportunities for improvement raised as part of the original audit.

Nuvia

Ref Finding Link to area Update Designation Status
1 Data is being stored and processed at locations not declared on the DSA. Information Transfer The missing locations have been added to the DSA. A copy of DARS-NIC-147834-LHQ2R-v5.2 was supplied to the Audit Team. Agreement nonconformity Closed
2 The database holding the data supplied under the DSA has not been patched since August 2019. Patches have been released by the manufacturer since that date, however, these have not been applied. Access Control

The database has been patched. A screenshot showing the new version was supplied to the Audit Team.

Agreement nonconformity Closed
3 Whilst Nuvia were very open during the interviews and provided a range of evidence, the company refused to give the Audit Team sight of the vulnerability scan / penetration testing and associated remediation plan(s) citing that evidence had been provided by the Cyber Essential Plus certificate. However, as the Cyber Essential Plus certificate is linked to critical and high findings, the Audit Team did not get any evidence that medium and low issues were being addressed. Operational Management

A new section on managing vulnerability scans was added to the Nuvia procedure “Software and Data Solutions Server Operation, Maintenance and Security”, dated 6 May 2021. The new section also defines the timescales for all vulnerabilities.

A copy of the vulnerability scanning results and associated actions for July 2021 was supplied to the Audit Team. Several of the findings were reported as currently being under test.

No visibility of the Nuvia penetration testing was provided, but as Nuvia is no longer holding the data this finding has been classed as “Open, but not for follow-up”.

Agreement nonconformity Open, but not for follow-up
4 The data supplied under the DSA has been incorrectly classified within a documented policy. Operational Management The policy has been revised to show the correct classification. A copy of the revised policy, dated March 2021, was provided to the Audit Team. Organisation nonconformity Closed
5 An alternative platform will be required to be in place to hold the data when the current database becomes unsupported next year. Access Control The database has been updated to a new version which is supported. A screenshot showing the new version was supplied to the Audit Team. Observation Closed
6 Nuvia to dispose of a previous server and associated backup tapes which contain data supplied by NHS Digital, held in a secure room, in accordance with current NHS Digital requirements and ensure that a certificate of destruction is raised. Data Destruction A copy of the Certificate of Destruction for the server equipment that had been supplied to NHS Digital on 1 November 2021 was forwarded to the Audit Team. Nuvia stated that the backup tapes had actually been destroyed in 2018 and provided copies of certificates of destruction for these tapes. Observation Closed
7 The Audit Team suggested that PHE/Nuvia ensures appropriate teams and stakeholders review any new DSFC and DSA so the parties are fully aware of their responsibilities and are fully compliant. Operational Management Nuvia stated team members were verbally reminded of their responsibilities. The company also reported that should it be involved in another DSA then a review of responsibilities would be included at the start and evidence retained. Opportunity for Improvement Open, but not for follow-up
8 Nuvia should develop a single Information Asset Register (IAR) using documentation that already exists. The Information Commissioner’s Office (ICO) has a template that could be used as the basis for a new IAR. Operational Management Following an internal discussion, Nuvia has decided to continue with separate registers rather than creating a single document. Opportunity for Improvement Rejected
9 Nuvia should reassess the current password settings to be in-line with published National Cyber Security Centre (NCSC) guidance. Access Control

The password requirements for the Windows servers were revised which included NCSC considerations. A screenshot of the new server security policy settings was provided to the Audit Team.

It was also reported that comparable changes had also been made to the database.

Opportunity for Improvement Closed
10 Nuvia should have a standalone Data Protection Impact Assessment (DPIA), rather than one stored within in a policy document. The ICO has a template that could be used as the basis for a new DPIA. Operational Management Nuvia has created a standalone version of its DPIA, March 2021, based on the format originally contained in the policy document. Copies of the DPIA and the revised policy document were supplied to the Audit Team. Opportunity for Improvement Closed
11 Nuvia should produce a standalone risk assessment, rather than one stored within in a policy document. In creating the new document, the scope of risk analysis should be expanded, and the impacts of the current identified risks should be re-evaluated. Risk Management Nuvia has created a standalone version of the risk register, 1 March 2021, based on the format originally contained in the policy document. Copies of the risk register and the revised policy document were supplied to the Audit Team. Opportunity for Improvement Closed
12 Nuvia should recognise incidents, breaches or deviations to the DSFC are to be reported directly to NHS Digital. This type of reporting should be recognised in addition to any other regulatory reporting. Operational Management Nuvia stated team members were verbally reminded of their responsibilities. The company also reported that should it be involved in another DSA then a review of responsibilities would be included at the start and evidence retained. Opportunity for Improvement Open, but not for follow-up

 

PHE

Ref Finding Link to area Update Designation Status
13 The Information Asset Owner (IAO) role has not been formally identified. Operational Management Nuvia reported that PHE’s role as IAO is expected to be confirmed when the ownership of the cohort is formally transferred from the Nuclear Decommissioning Authority to PHE at the end of the financial year 2021/2022. Agreement nonconformity Open, but not for follow-up
14 The IAR does not include the data assets supplied under the DSA. Operational Management The Audit Team was informed that a new IAR entry has been drafted to take account of the merger of the declared cohort into the National Registry for Radiation Workers (NRRW), however, it has yet to be approved. Agreement nonconformity Open, but not for follow-up
15 The Information Governance policy has not been reviewed since March 2015. The policy contains a number of incorrect statements including references to performance measures that are now obsolete. Operational Management The Information Governance policy was updated in March 2019, v2.0, but its addition to the PHE intranet had been delayed. Since then, v3.0 was released in March 2021. A copy of the latest version was supplied to the Audit Team. Agreement nonconformity Closed

  


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 24 January 2022 10:59 am