9 |
Users from NWEH with access to data supplied by NHS Digital held on Microsoft Azure did not hold valid honorary contracts with SRFT. The DSA requires the NWEH Database Administrator and Statistics team to hold honorary NHS contracts with SRFT. |
Use and Benefits |
NWEH has been working with the Northern Care Alliance NHS Foundation Trust (NCA) (which replaced SRFT) to form a basis for a Memorandum of Understanding to replace the honorary contract model for NWEH staff.
Progress has been slow due to a reorganisation at NCA, however, honorary contracts were discussed at the September 2022 Information Governance Steering Group. A copy of the minutes was supplied to the Audit Team.
|
Agreement nonconformity |
Open |
10 |
NWEH did not complete the Data Security Protection Toolkit (DSPT) in 2019/20 and 2020/21 as required by the MSD’s System Level Security Policy (SLSP) that was agreed with NHS Digital in February 2020. |
Access Control |
NWEH notified the Data Access Request Service (DARS) team in July 2022 that it had not completed the DSPT submission for 2021/22, due to internal resource issues.
NWEH reported that it has recruited an additional member of staff and is progressing with the DSPT submission for 2022/23.
|
Agreement nonconformity |
Open |
11 |
No justification to support the presence of a domain administrator account on the Microsoft Azure platform was provided. SRFT stated that it should be disabled. |
Access Control |
NWEH reported that the account has now been removed. A screenshot was supplied for Defender for Cloud, however, this did not show that the account had been removed.
NWEH further reported a review of all accounts had been performed and security processes in relation to Azure Account management are being updated.
|
Agreement nonconformity |
Open |
12 |
NWEH to review and update its Record of Processing Activities (ROPA) as it includes inaccurate information. This includes fields on special category data, missing joint controller information and missing data source. |
Operational Management |
The ROPA has been updated to correct the information held. A copy of the ROPA was shared with the Audit Team. |
Agreement nonconformity |
Closed |
13 |
There is an inconsistency between the MSD’s SLSP and NWEH Security Testing policy with respect to the penetration testing of the Azure platform. The SLSP states that testing will be carried out annually and the NWEH policy states that it will be every 2 years.
The last penetration test was conducted in the last 12 months. |
Access Control |
NWEH has updated the statement in the SLSP to be consistent with other documents. A copy of SLSP v2 was supplied to the Audit Team. |
Observation |
Closed |
14 |
MSD’s SLSP includes a statement that IP filtering based on “Deny-all first” principle will be in place and is managed by the SRFT via a change management process. Both SRFT and NWEH should consider reviewing the rules setup to ensure that they are up to date. |
Access Control |
NWEH reported SRFT has IP filtering rules in place, however, NWEH has postponed the implementation of rule changes until the first quarter in 2023 due to ongoing projects and to limit disruption. |
Opportunity for improvement |
Open |
15 |
NWEH should consider if technical controls could be implemented to prevent users transferring data from the Azure platform to their own corporate machines. |
Access Control |
NWEH supplied details on the technical controls that have been implemented. Screenshots of the settings were shared with the Audit Team. |
Opportunity for improvement |
Closed |
16 |
NWEH should consider including additional fields in the Information Asset Register (IAR) such as details on the datasets received (type of data and classification), date of receipt, date of data deletion, linking to which version of the DSA it came with and certificate of destruction. |
Operational Management |
NWEH has considered and decided to use one of the suggested fields. A copy of the revised IAR was shared with the Audit Team. |
Opportunity for improvement |
Closed |
17 |
A Microsoft Azure vulnerability security scan covering various parts of the platform has been recently conducted which highlighted a number of findings. At the post audit review, the Audit Team will ensure that all of the highlighted vulnerabilities have been adequately addressed. |
Access Control |
NWEH shared an internal report which included the actions taken to address the findings, however, some actions are still in progress. |
Follow-up |
Open |
18 |
The DSA includes a statement that NWEH should only hold data in accordance with the consent material provided 5 years before and 2 years after diagnosis. All data outside this window should be securely deleted and evidence provided to NHS Digital by 31/7/2021. At the time of the audit, this has not been completed as NWEH was waiting for further data and should seek further guidance from the Data Access Request Service team. |
Data Destruction |
NWEH deleted the data and completed a Certificate of Destruction (CoD) in June 2022. The DARS team has confirmed that the CoD was approved in July 2022. A copy of the CoD was shared with the Audit Team. |
Follow-up |
Closed |
19 |
At the post audit review, the Audit Team will review the following:
- audit reports conducted on the Microsoft Azure platform
- documented procedures to support the management of privilege accounts.
|
Access Control |
NWEH shared an Azure access audit report and the updated access control procedure that covered the 2 points in the findings with the Audit Team. |
Follow-up |
Closed |