REF FINDING EXPECTED ACTION FROM BUPA


Transcription:

From: (HEALTH AND SOCIAL CARE INFORMATION CENTRE) [mailto: @hscic.gov.uk]
Sent: 24 November 2015 16:41
To:
Subject: RE: Bupa supporting documents

Dear

Further to the data sharing audit conducted by HSCIC on 30 October 2015, our subsequent email exchange on 9 November and your email on 24 November in which you included further information, we have reviewed this information along with the findings from the day of the audit and require further clarification on all of the points below.

We have concerns that the information supplied in your emails on 9th and 24th November 2015 provides contradictory evidence to the description of BUPA's equipment and processes regarding the disposal of HES data given at the Data Sharing Audit on 30 October 2015. We therefore do not have assurance from BUPA, at this present time, that data supplied by the HSCIC has been deleted in accordance with the Data Sharing Framework Contract, and without adequate assurance a major non-conformity will be raised in line with the definitions given in section 1.4.1 of our data sharing audit reports.

I therefore request that you respond to the four queries below by 8 December 2015. Should we not receive a satisfactory response by the above date, this matter will be escalated to the Data Dissemination Director for further action and the findings of the Data Sharing Audit will be published publicly as a Data Sharing Audit report on the HSCIC website in due course.

REF 1
FINDING: The description of equipment on the Certificate of Erasure, ID dated 2 November 2015, does not align with the description of the equipment used for the download and transfer of HES Data given on 30 October 2015. The description of two small portable drives given during the on-site audit is contradicted by the certificate, which details a server and two disks. Although an explanation has been given that the disks and the ProLiant are two unrelated items, the disk IDs are clearly described within the ProLiant hardware information and therefore appear to be part of this server rather than two separate portable devices.
EXPECTED ACTION FROM BUPA: A clear statement is required from BUPA identifying the actual media utilised for the download and transfer of data from the HSCIC SEFT portal. If this statement is different from the description on the certificate of erasure, the status of the equipment used (e.g. the portable drives) should be given and further evidence is required that data has been disposed of from that device(s). If it is as described on the certificate of erasure, an explanation is required as to why there is a discrepancy between the description of two portable devices on the day of the audit rather than a server as described on the certificate.

REF 2
FINDING: The Certificate of Erasure, dated 2 November 2015, replaced a certificate with the same ID and digital signature dated 2 May 2011. The initial certificate as a formal audit record is questionable in that it contains an incorrect date. The second certificate updated the date, but the ID and the digital signature were not affected. It is unclear whether the certificate is valid - the software supplier can check the accuracy of the certificates.
EXPECTED ACTION FROM BUPA: BUPA to ask Krome for a formal statement as to why they issued a certificate containing incorrect information and how the date contained on the corrected certificate was derived. BUPA to request that Krome contact to verify the validity of the certificate of erasure, and the formal statement from is then forwarded to HSCIC. If Krome are unable to do this then HSCIC can do this on their behalf.

REF 3
FINDING: The contract supplied for dated 15 January 2009 is for the movement and storage of items only; there is no detail in the agreement for the destruction of media or the process involved.
EXPECTED ACTION FROM BUPA: BUPA to forward a current contract for the 3rd party responsible for the destruction of media defined below in reference 4.

REF 4
FINDING: No certificates of destruction have been received for the destruction of back-up tapes within the specified timescales. BUPA stated that these certificates were on file and therefore should have been available to HSCIC within the time specified. The description of the backup device given during the on-site audit is contradicted by your latest email, which stated that the Commvault backup tape system inherited from Health Dialogue was decommissioned about two years ago and all the media destroyed and the certificate issued for that cannot now be found. In the email it is also stated that the Oracle system that was live until recently had all the backup schedules deleted and the media wiped, to be returned to the general tape pool, but we do not have a certificate for that as it was done as BAU. So the tapes were deleted and will have now been overwritten with other data. This information is contrary to what was expressed on the day.
EXPECTED ACTION FROM BUPA: Certificates of destruction for the back-up device should be sought from the 3rd party organisation that destroyed it and forwarded to HSCIC. BUPA to provide a statement as to why these tapes entered the general tape population rather than being destroyed as indicated during the audit. BUPA to provide an extract(s) from the CMDB clearly specifying the deletion of the backup system and the involvement of the relevant teams within BUPA.

I am out of the office until Thursday; if you wish to discuss, please feel free to call.

Kind Regards

Information Governance Lead Auditor
Health and Social Care Information Centre
Tel:
Mob:
www.hscic.gov.uk
Twitter: @HSCIC

For general enquiries please call 0300 303 5678 or email enquiries@hscic.gov.uk
www.hscic.gov.uk

From: [mailto: @BUPA.com]
Sent: 24 November 2015 09:35
To: (HEALTH AND SOCIAL CARE INFORMATION CENTRE)
Subject: RE: Bupa supporting documents

Hi

I was chasing up about the deletion certificate for the backup tape and it turned out he was confused because the back up media technology changed a couple of years ago. The old system we inherited from Health Dialogue was the ComVolt system you heard mentioned. This was decommissioned about two years ago and all the media destroyed and the certificate issued for that, which cannot now find.


**************************
Visit www.bupa.com for the story of who we are, where we've come from and what we do.

Bupa House, 15-19 Bloomsbury Way, London WC1A 2BA

Internet communications are not secure and therefore Bupa does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Bupa.

Bupa Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The Financial Conduct Authority does not regulate the activities of Bupa Insurance Limited that take place outside of the UK. Bupa Insurance Services Limited and Goldsborough Estates Limited are authorised and regulated by the Financial Conduct Authority. For a list of Bupa's main UK trading companies visit www.bupa.co.uk/html/statements/trading addresses.html
**************************
