| Ref | Finding | Domain | Update and evidence supplied | Finding type | Status |
|---|---|---|---|---|---|
| 1 | Data is being stored at locations not declared on the DSA. Both locations were UoA buildings. | Information Transfer | The UoA supplied the details of the two storage locations to the Data Access Request Service (DARS) team on 21 June 2021. The details have also been included in an ongoing application. | Agreement nonconformity | Closed |
| 2 | 2 individuals with access to the data supplied by NHS Digital have not completed their annual Information Governance training. | Operational Management | The UoA confirmed that the 2 individuals have completed data protection training. The Audit Team were supplied with the training certificates for the 2 individuals, showing the training was completed in May and June 2021. | Agreement nonconformity | Closed |
| 3 | The Controllers should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA. | Operational Management | The Controllers have jointly completed a DPIA screening questionnaire. The Controllers have concluded that a full DPIA is not required. A signed copy of the questionnaire was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 4 | The UoA should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner's Office (ICO) Accountability Framework. | Operational Management | The UoA has completed a ROPA, and a high-level extract of the ROPA was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 5 | The UoA should log all requests to add or remove user access to NHS Digital data via the Service Desk tool, rather than relying on email trails in personal mailboxes. | Access Control | The UoA are now using the Service Desk tool to log requests to add and remove a user's access. An example of a request, and the audit trail to support the request, was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 6 | The System Level Security Policy (SLSP) should include document version control and be reviewed annually, or whenever a change is made to the system. | Operational Management | The SLSP was updated and approved in June 2021. The next review date is June 2022. Document control is now managed through the University's Q-Pulse system. Screenshots of SLSP version 5.0, which support the above statement, were supplied to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The Audit Team suggested that all appropriate teams within the UoA review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | The UoA has produced a Research and Innovation Working Procedure for Managing NHS Digital Agreements. This procedure outlines the DSA and DSFC review process carried out by internal stakeholders. A copy of the procedure, Version 1, was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 8 | At the post audit review, the Audit Team will review the University's revised approach to risk management, regarding updates to the corporate risk register and the associated risk criteria. | Risk Management | The UoA has developed a new University Risk Management Framework and a new supporting Risk Register Template. These documents will allow a consistent approach to risk management across the University. Minutes from a meeting held on 29 June 2021 to support the approval of the framework and the template were made available to the Audit Team. | Follow-up | Closed |