From: (HEALTH AND SOCIAL CARE INFORMATION CENTRE) [mailto: @hscic.gov.uk]
Sent: 24 November 2015 16:41
To:
Subject: RE: Bupa supporting documents

Dear

Further to the data sharing audit conducted by HSCIC on 30 October 2015, our subsequent email exchange on 9 November and your email on 24 November in which you included further information. We have reviewed this information along with the findings from the day of the audit and require further clarification on all of the points below.

We have concerns that the information supplied in your emails on 9th and 24th November 2015 provides contradictory evidence to the description of BUPA's equipment and processes regarding the disposal of HES data given at the Data Sharing Audit on 30 October 2015. We therefore do not have assurance from BUPA, at this present time, that data supplied by the HSCIC has been deleted in accordance with the Data Sharing Framework Contract, and without adequate assurance a major non-conformity will be raised in line with the definitions given in section 1.4.1 of our data sharing audit reports.

I therefore request that you respond to the four queries below by 8 December 2015. Should we not receive a satisfactory response by the above date, this matter will be escalated to the Data Dissemination Director for further action and the findings of the Data Sharing Audit will be published publicly as a Data Sharing Audit report on the HSCIC website in due course.

REF 1
FINDING: The description of equipment on the Certificate of Erasure, ID [redacted], dated 2 November 2015, does not align with the description of the equipment used for the download and transfer of HES Data given on 30 October 2015. The description of two small portable drives given during the on-site audit is contradicted by the certificate, which details a server and two disks. Although an explanation has been given that the disks and the ProLiant are two unrelated items, the disk IDs are clearly described within the ProLiant hardware information and therefore appear to be part of this server rather than two separate portable devices.
EXPECTED ACTION FROM BUPA: A clear statement is required from BUPA identifying the actual media utilised for the download and transfer of data from the HSCIC SEFT portal. If this statement is different from the description on the certificate of erasure, the status of the equipment used (e.g. the portable drives) should be given and further evidence is required that data has been disposed of from that device(s). If it is as described on the certificate of erasure, an explanation is required as to why there is a discrepancy between the description of two portable devices on the day of the audit rather than a server as described on the certificate.

REF 2
FINDING: The Certificate of Erasure dated 2 November 2015 replaced a certificate with the same ID and digital signature dated 2 May 2011. The initial certificate as a formal audit record is questionable in that it contains an incorrect date. The second certificate updated the date but the ID and the digital signature were not affected. It is unclear whether the certificate is valid - the software supplier can check the accuracy of the certificates.
EXPECTED ACTION FROM BUPA: BUPA to ask Krome for a formal statement as to why they issued a certificate containing incorrect information and how the date contained on the corrected certificate was derived. BUPA to request that Krome contact [redacted] to verify the validity of the certificate of erasure, and the formal statement from [redacted] is then forwarded to HSCIC. If Krome are unable to do this then HSCIC can do this on their behalf.

REF 3
FINDING: The contract supplied for [redacted] dated 15 January 2009 is for the movement and storage of items only; there is no detail in the agreement for the destruction of media or the process involved.
EXPECTED ACTION FROM BUPA: BUPA to forward a current contract for the 3rd party responsible for the destruction of media defined below in reference 4.

REF 4
FINDING: No certificates of destruction have been received for the destruction of back-up tapes within the specified timescales. BUPA stated that these certificates were on file and therefore should have been available to HSCIC within the time specified. The description of the backup device given during the on-site audit is contradicted by your latest email, which stated that the Commvault backup tape system inherited from Health Dialogue was decommissioned about two years ago and all the media destroyed, and the certificate issued for that cannot now be found. In the email it is also stated that the Oracle system that was live until recently had all the backup schedules deleted and the media wiped, to be returned to the general tape pool, but we do not have a certificate for that as it was done as BAU. So the tapes were deleted and will have now been overwritten with other data. This information is contrary to what was expressed on the day.
EXPECTED ACTION FROM BUPA: Certificates of destruction for the back-up device should be sought from the 3rd party organisation that destroyed it and forwarded to HSCIC. BUPA to provide a statement as to why these tapes entered the general tape population rather than being destroyed as indicated during the audit. BUPA to provide an extract(s) from the CMDB clearly specifying the deletion of the backup system and the involvement of the relevant teams within BUPA.

I am out of the office until Thursday; if you wish to discuss, please feel free to call.

Kind Regards

Information Governance Lead Auditor
Health and Social Care Information Centre
Tel:
Mob:
www.hscic.gov.uk
Twitter: @HSCIC
For general enquiries please call 0300 303 5678 or email enquiries@hscic.gov.uk
www.hscic.gov.uk

From: [mailto: @BUPA.com]
Sent: 24 November 2015 09:35
To: (HEALTH AND SOCIAL CARE INFORMATION CENTRE)
Subject: RE: Bupa supporting documents

Hi

I was chasing up about the deletion certificate for the backup tape and it turned out he was confused because the backup media technology changed a couple of years ago. The old system we inherited from Health Dialogue was the ComVolt system you heard mentioned. This was decommissioned about two years ago and all the media destroyed and the certificate issued for that, which cannot now find.
Visit www.bupa.com for the story of who we are, where we've come from and what we do.

Bupa House, 15-19 Bloomsbury Way, London WC1A 2BA

Internet communications are not secure and therefore Bupa does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Bupa. Bupa Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The Financial Conduct Authority does not regulate the activities of Bupa Insurance Limited that take place outside of the UK. Bupa Insurance Services Limited and Goldsborough Estates Limited are authorised and regulated by the Financial Conduct Authority. For a list of Bupa's main UK trading companies visit www.bupa.co.uk/html/statements/trading addresses.html