The Information Commissioner’s Office considers that “audits play a key role in assisting organisations in understanding and meeting their data protection obligations” and can undertake agreed or compulsory audits as part of its regulatory powers. Executive summaries of many audit reports are published on the ICO’s website. We have reviewed 13 recent reports for NHS organisations (twelve trusts and one Welsh health board) to identify common themes for potential learning in several key areas:

  • governance and accountability;
  • cyber security and information security more generally; and
  • business continuity and disaster management.

In the majority of cases, organisational compliance with GDPR and data protection principles was assessed as ‘Reasonable’, with a few assessments at ‘High’ or ‘Limited’ assurance. However, each audit reveals areas for improvement. The ICO expects organisations to learn from others. NHS organisations should therefore consider their own performance against the reports published, as well as audit against the DSPT requirements.

We set out below some of the key themes identified in the ICO’s audit reports in the health sector.

Governance and accountability

Inadequate oversight of Data Protection Impact Assessments (DPIAs)

The need for a central register of DPIAs was identified, with processes for completing DPIAs embedded on a cross-organisation basis. Obtaining assurance that risks are reduced before granting suppliers access to systems was emphasised.

Comment: Staff training should cover how to recognise when a DPIA is needed and how to complete one. Organisations should also have mechanisms to regularly monitor access to patient data, to record the granting of access to secure areas (for example the records store) and to review those access rights on a regular basis.


In some cases, there was inadequate analysis of training needs and/or mandatory refresher training or a failure to include agency staff in training.

Comment: Trusts need an overarching regular Training Needs Analysis and a rolling programme of training not only on induction, but with regular refreshers. All staff, and relevant contractors, should be included, not just regular employees.

Privacy information and policies

Common themes included information being out of date, not easy to find on the trust’s website and privacy notices not always catering for all service users, for example children. Internal policies were not always user friendly.

Comment: Privacy information should be readily accessible, cover all service users and be understandable to them. It should be up-to-date with automatic triggers for regular review.

Cyber and information security

Review of policies and contractual arrangements

Issues included the need for more regular reviews, compliance with review dates, and a lack of evidence that cyber security arrangements had been reviewed in connection with third-party contracts.

Comment: Regular and fully documented audits and inspections are crucial to ensure that appropriate cyber security controls are in place not only in trusts, but at third-party suppliers.

Use of removable media and mobile apps

Concerns were expressed about proper control of removable media and mobile apps. The ICO recommended maintaining an asset register, with regular checks of USB devices, which should be subject to effective end-point control. Mobile apps also need to be accounted for, not only to ensure compliance with legislation but to provide end-users with appropriate privacy information when the apps are used. ‘Bring your own device’ policies were not always clear.

Comment: A mechanism should be devised to ensure return of mobile devices to the IT department when no longer needed. The lifecycle of the device needs to be accounted for in order to minimise risk of personal data being stored indefinitely in breach of data protection policy. It is essential for an organisation to ascertain what mobile apps are being used and for what purpose, with close monitoring to ensure access by staff for only legitimate purposes.

Security incident log retention and IT system logging more generally

Issues were identified around the need for and content of a corporate log retention policy.

Comment: Such a policy is vital to allow for full investigation of security incidents and long-term analysis of trends. Equally, records relating to personal data breaches should not be retained indefinitely – the ICO recommends that there is a documented review process for records relating to breaches. Ensuring the capture of all necessary data to account for all processing activities is key to a successful retention policy.

Business continuity, disaster recovery, and incident management

Personal data breach management

A lack of clarity and in some instances a lack of documentation was noted in data breach notification processes, particularly in cases where an individual was at high risk of an impact on their rights and freedoms. The ICO recommends standard templates as a useful tool. The statutory reporting timeframe and mechanism of 72 hours via the DSP Toolkit was not always met.

Comment: Key information on contact details, likely cause of breach, measures taken and name of supervisory authority all need to be shared with individuals and documented. Templates can be useful tools. The 72-hour time frame should ordinarily be met and the route to achieving this should be clearly set out in associated documentation, for example the trust’s serious incident or business continuity policy.

Maintenance of security of personal data in a business disaster

The actions to be taken and the process for maintaining security of personal data whilst managing a major business continuity incident had not always been formalised in a document.

Comment: A standard operating procedure should be devised, demonstrating actions and processes, and disseminated to all staff.

Documentation to prove compliance with strategy and communication of the strategy to staff

This theme encompassed proof of effectiveness of strategy for restoration of back-ups and of projects to manage change. In some cases, the ICO identified that although data restoration processes were tested regularly, there was no documentation regarding the frequency. Change management projects do not always follow a fully documented procedure.

Comment: Simulation testing is not only essential to adequately manage the risk of back-up failure, but documentation of the process is key to demonstrating compliance. The organisation’s disaster recovery plan should be effectively communicated to all staff and business continuity should be included in annual refresher training.


Learning extracted from these assessments demonstrates some of the key ingredients of an effective information governance strategy:

  • Resourcing for information governance teams;
  • The need for robust but easy-to-understand data protection policies;
  • A rolling programme of review (fully documented);
  • Close analysis of risk associated with data sharing and tracing data through the information lifecycle;
  • Effective communication with stakeholders; and
  • Regular staff training (including agency).

Cyber security has been assessed by GCHQ as the biggest threat facing the UK, and NHS providers are subject to particular obligations under the Network and Information Systems (NIS) Regulations. The interface between cyber security and business continuity / disaster management in the health sector is clear, for example the impact of the ‘WannaCry2’ ransomware attack on the NHS in 2017.

How Capsticks can help

Capsticks provides a wide range of support for information governance teams and the wider NHS. We can assist with policy development and review, incident management, responding to complex information rights requests, or simply if you need a sounding board for thorny questions. To discuss any of the issues raised in this insight, please contact Andrew Latham, Nadine Mansell, or Grace Plaxton.