1 | A third-party data centre, not declared on the DSA, is being used to store the data supplied by NHS Digital. The hardware in the data centre is, however, owned by the LHCFT. | Information Transfer | The LHCFT is currently in the process of renewing its DSA and including the third-party data centre. The Audit Team has checked the DARS application DARS-NIC-303379-H4C8H-v1.2 to confirm that the required amendment is in progress. | Agreement nonconformity | Closed |
2 | The file containing the data supplied by NHS Digital is not encrypted. The DSA states this file will be encrypted. | Access Control | The LHCFT provided evidence to confirm that the files are restricted to named individuals and are password protected. | Agreement nonconformity | Closed |
3 | The LHCFT has not included the data received from NHS Digital on an Information Asset Register (IAR), nor has the LHCFT clearly identified the Information Asset Owner (IAO). | Operational Management | The LHCFT provided a screenshot from its IAR which now includes an entry for the data received under this DSA and identifies the IAO. | Agreement nonconformity | Closed |
4 | Although the LHCFT stated the findings from the recent security testing had been addressed, there was no evidence to show findings were actively managed and addressed. | Access Control | The LHCFT provided a screenshot of the papers sent to the IT Operations board to confirm that the recent security test actions were closed. Furthermore, the LHCFT showed the Audit Team on screen how it is now proactively managing findings from subsequent security tests. | Agreement nonconformity | Closed |
5 | The LHCFT has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. | Operational Management | The LHCFT has developed a ROPA for the processing of data supplied under this DSA. A copy of the ROPA was provided to the Audit Team. | Agreement nonconformity | Closed |
6 | Data in transit between the processing and storage locations is not encrypted as required by the DSFC. LHCFT stated that data is transferred on a dedicated network from the primary data centre to the secondary (disaster recovery) data centre. | Information Transfer | The LHCFT has undertaken a risk assessment with respect to the encryption of data in transit. The recommendation from the assessment is to accept and register this as a known risk due to the unquantified impact of enabling the encryption and the relatively low risk of data being intercepted by this transfer. | Agreement nonconformity | Closed |
7 | There was no evidence to show that access to the folders holding data supplied by NHS Digital is reviewed on a regular basis. | Access Control | The LHCFT provided evidence from its IT department that an annual review of the access permissions to the NHS England folders was completed, and no changes were required. The LHCFT stated a further review will be performed in 12 months. | Agreement nonconformity | Closed |
8 | The Data Protection Impact Assessment (DPIA) states that the scope of the data processing will also include mental health related hospital admissions. However, the DSA does not include the provision of any mental health datasets. LHCFT should also consider updating the DPIA with appropriate version control and dates. | Operational Management | The LHCFT provided a copy of its updated DPIA which has been amended to remove reference to mental health related data. In addition, the DPIA now contains version control and dates. | Organisation nonconformity | Closed |
9 | Data held by the LHCFT are not being classified in accordance with the document classification types, which define the required controls. | Operational Management | The LHCFT provided an extract from its IAR which now includes the classification types. | Organisation nonconformity | Closed |
10 | The LHCFT did not meet all the Data Security Protection Toolkit (DSPT) requirements in its recent submission but is working towards full compliance. | Operational Management | The Audit Team has confirmed the LHCFT’s DSPT submission status is now “Standards Met”. | Observation | Closed |
11 | The LHCFT should consider developing a backup Standard Operating Procedure (SOP) and a vulnerability assessment SOP. These processes are in place but not documented. | Access Control | The LHCFT has developed a server backup policy and provided a copy to the Audit Team. In addition, the LHCFT also provided a copy of its server build procedure which outlines the tasks and processes for vulnerability assessments. | Opportunity for improvement | Closed |
12 | The LHCFT should consider implementing an alert functionality when administration or privileged rights have been granted. | Access Control | The LHCFT provided a screenshot to confirm that an alert functionality has been implemented. | Opportunity for improvement | Closed |
13 | The appointed IAO should consider completing specialist IAO training. | Operational Management | The LHCFT supplied evidence that the IAO has completed local IAO training provided by the local Information Governance team. | Opportunity for improvement | Closed |
14 | The LHCFT should consider carrying out a risk assessment on the unencrypted desktop PCs used to access and process the data as there is a risk that temporary files could be cached on the machines. | Operational Management | The LHCFT provided a screenshot to confirm that the desktop PC’s hard drive has been encrypted. | Opportunity for improvement | Closed |
15 | At the post audit review, the Audit Team will assess whether the anomalies identified during the reconciliation process for the disposal and destruction of hardware assets have been addressed. | Data Destruction | The anomalies identified during the original audit have been addressed by the LHCFT. | Follow-up | Closed |