
NHS England Post Audit Review: Liverpool Heart and Chest NHS Foundation Trust

This report provides the formal closure of the remote data sharing audit of the Liverpool Heart and Chest NHS Foundation Trust and the University Hospital Southampton NHS Foundation Trust in December 2021.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the Liverpool Heart and Chest NHS Foundation Trust (LHCFT) and the University Hospital Southampton NHS Foundation Trust (UHSFT), carried out between 7 and 14 December 2021, against the requirements of:

  • the data sharing framework contracts (DSFC):
    • CON-317153-H1H47-v2.01 (LHCFT)
    • CON-321802-G4C6W-v2.01 (UHSFT)
  • the data sharing agreement (DSA) DARS-NIC-303379-H4C8H-v0.6

This DSA covers the provision of the following datasets:

Dataset | Classification of data | Dataset period
Bridge file: Hospital Episode Statistics (HES) to Diagnostic Imaging Dataset | Identifiable, Non-sensitive | Historic Data Request
HES Admitted Patient Care | Identifiable, Non-sensitive | 2016/17 - 2019/20_M11
HES Critical Care | Identifiable, Non-sensitive | 2016/17 - 2019/20_M11
HES Outpatients | Identifiable, Non-sensitive | 2016/17 - 2019/20_M11
HES Accident and Emergency | Identifiable, Non-sensitive | 2016/17 - 2019/20_M11
Diagnostic Imaging Dataset | Identifiable, Non-sensitive | Historic Data Request
HES: Civil Registration (Deaths) bridge | Identifiable, Non-sensitive | Latest available
Civil Registration (Deaths) - Secondary Care Cut | Identifiable, Sensitive | Historic Data Request


The joint Controllers are the LHCFT and the UHSFT. The UHSFT does not receive, process, or store any data, but the Chief Investigator is employed by this Trust. The UHSFT is the Sponsor and primary source of funding for the research project RIPCORD2.

Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the LHCFT and the UHSFT between May 2022 and January 2023. A video call was also held in July 2022 to review some of the evidence. 

Note, this desk-based review took place just before the merger of NHS Digital and NHS England. Therefore, this report contains references to both organisations.

Post audit review outcome

Based on the evidence provided by the LHCFT and the UHSFT, the Audit Team has closed all of the findings except for 1 observation. Although no further action is required by the Audit Team, the LHCFT and the UHSFT should complete the action against this remaining finding.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original Risk Statement: Medium

Current Risk Statement: Low

Data recipient’s acceptance statement

The LHCFT and the UHSFT have reviewed this report and confirmed that it is accurate. 

Status

The following tables identify the 7 agreement nonconformities, 2 organisation nonconformities, 2 observations, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit, together with the status of each after this post audit review.

LHCFT

Ref 1
Finding: A third-party data centre, not declared on the DSA, is being used to store the data supplied by NHS Digital. The hardware in the data centre is, however, owned by the LHCFT.
Link to area: Information Transfer
Update: The LHCFT is currently in the process of renewing its DSA and including the third-party data centre. The Audit Team has checked the DARS application DARS-NIC-303379-H4C8H-v1.2 to confirm that the required amendment is in progress.
Designation: Agreement nonconformity
Status: Closed

Ref 2
Finding: The file containing the data supplied by NHS Digital is not encrypted. The DSA states this file will be encrypted.
Link to area: Access Control
Update: The LHCFT provided evidence to confirm that the files are restricted to named individuals and are password protected.
Designation: Agreement nonconformity
Status: Closed

Ref 3
Finding: The LHCFT has not included the data received from NHS Digital on an Information Asset Register (IAR), nor has the LHCFT clearly identified the Information Asset Owner (IAO).
Link to area: Operational Management
Update: The LHCFT provided a screenshot from its IAR which now includes an entry for the data received under this DSA and identifies the IAO.
Designation: Agreement nonconformity
Status: Closed

Ref 4
Finding: Although the LHCFT stated the findings from the recent security testing had been addressed, there was no evidence to show findings were actively managed and addressed.
Link to area: Access Control
Update: The LHCFT provided a screenshot of the papers sent to the IT Operations board to confirm that the recent security test actions were closed. Furthermore, the LHCFT showed the Audit Team on screen how it is now proactively managing findings from subsequent security tests.
Designation: Agreement nonconformity
Status: Closed

Ref 5
Finding: The LHCFT has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA.
Link to area: Operational Management
Update: The LHCFT has developed a ROPA for the processing of data supplied under this DSA. A copy of the ROPA was provided to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref 6
Finding: Data in transit between the processing and storage locations is not encrypted as required by the DSFC. The LHCFT stated that data is transferred on a dedicated network from the primary data centre to the secondary (disaster recovery) data centre.
Link to area: Information Transfer
Update: The LHCFT has undertaken a risk assessment with respect to the encryption of data in transit. The recommendation from the assessment is to accept and register this as a known risk, due to the unquantified impact of enabling the encryption and the relatively low risk of data being intercepted during this transfer.
Designation: Agreement nonconformity
Status: Closed

Ref 7
Finding: There was no evidence to show that access to the folders holding data supplied by NHS Digital is reviewed on a regular basis.
Link to area: Access Control
Update: The LHCFT provided evidence from its IT department that an annual review of the access permissions to the NHS England folders was completed, and no changes were required. The LHCFT stated a further review will be performed in 12 months.
Designation: Agreement nonconformity
Status: Closed

Ref 8
Finding: The Data Protection Impact Assessment (DPIA) states that the scope of the data processing will also include mental health related hospital admissions. However, the DSA does not include the provision of any mental health datasets. The LHCFT should also consider updating the DPIA with appropriate version control and dates.
Link to area: Operational Management
Update: The LHCFT provided a copy of its updated DPIA which has been amended to remove reference to mental health related data. In addition, the DPIA now contains version control and dates.
Designation: Organisation nonconformity
Status: Closed

Ref 9
Finding: Data held by the LHCFT are not being classified in accordance with the document classification types, which define the required controls.
Link to area: Operational Management
Update: The LHCFT provided an extract from its IAR which now includes the classification types.
Designation: Organisation nonconformity
Status: Closed

Ref 10
Finding: The LHCFT did not meet all the Data Security Protection Toolkit (DSPT) requirements in its recent submission but is working towards full compliance.
Link to area: Operational Management
Update: The Audit Team has confirmed the LHCFT's DSPT submission status is now "Standards Met".
Designation: Observation
Status: Closed

Ref 11
Finding: The LHCFT should consider developing a backup Standard Operating Procedure (SOP) and a vulnerability assessment SOP. These processes are in place but not documented.
Link to area: Access Control
Update: The LHCFT has developed a server backup policy and provided a copy to the Audit Team. In addition, the LHCFT also provided a copy of its server build procedure, which outlines the tasks and processes for vulnerability assessments.
Designation: Opportunity for improvement
Status: Closed

Ref 12
Finding: The LHCFT should consider implementing an alert functionality when administration or privileged rights have been granted.
Link to area: Access Control
Update: The LHCFT provided a screenshot to confirm that an alert functionality has been implemented.
Designation: Opportunity for improvement
Status: Closed

Ref 13
Finding: The appointed IAO should consider completing specialist IAO training.
Link to area: Operational Management
Update: The LHCFT supplied evidence that the IAO has completed local IAO training provided by the local Information Governance team.
Designation: Opportunity for improvement
Status: Closed

Ref 14
Finding: The LHCFT should consider carrying out a risk assessment on the unencrypted desktop PCs used to access and process the data, as there is a risk that temporary files could be cached on the machines.
Link to area: Operational Management
Update: The LHCFT provided a screenshot to confirm that the desktop PC's hard drive has been encrypted.
Designation: Opportunity for improvement
Status: Closed

Ref 15
Finding: At the post audit review, the Audit Team will assess whether the anomalies identified during the reconciliation process for the disposal and destruction of hardware assets have been addressed.
Link to area: Data Destruction
Update: The anomalies identified during the original audit have been addressed by the LHCFT.
Designation: Follow-up
Status: Closed


UHSFT

Ref 16
Finding: In its recent submission the UHSFT has not met all the DSPT requirements.
Link to area: Operational Management
Update: The status for the UHSFT DSPT submission is still showing as "Approaching Standards". However, the UHSFT has contacted NHS England and there is an agreed improvement plan in place with the NHS England DSPT team.
Designation: Observation
Status: Open, but not for follow-up

Ref 17
Finding: The UHSFT, as a joint Controller, should consider reviewing and counter-signing the DPIA completed by the LHCFT.
Link to area: Operational Management
Update: The DPIA has been updated and the UHSFT has been added as a reviewer and has counter-signed the document.
Designation: Opportunity for improvement
Status: Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. 

Last edited: 20 March 2023 11:40 am