Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Similar documents
Asda. Privacy and Electronic Communications Regulations audit report

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

AUDIT OF ICT STRATEGY IMPLEMENTATION

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Stopsley Community Primary School. Data Breach Policy

Information Security Controls Policy

AUTHORITY FOR ELECTRICITY REGULATION

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

INFORMATION SECURITY AND RISK POLICY

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

ICT Portable Devices and Portable Media Security

Threat and Vulnerability Assessment Tool

Information Security BYOD Procedure

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Identification and Authentication

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

HSCIC Audit of Data Sharing Activities:

NEN The Education Network

Bring Your Own Device (BYOD) Policy

INFORMATION ASSET MANAGEMENT POLICY

Network Security Policy

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Information Security Strategy

GDPR Compliance. Clauses

ITG. Information Security Management System Manual

Mobile Computing Policy

Information Technology Branch Organization of Cyber Security Technical Standard

Data Encryption Policy

External Supplier Control Obligations. Cyber Security

NDIS Quality and Safeguards Commission. Incident Management System Guidance

Patient Information Security

Corporate Information Security Policy

Information Security Policy

Data Protection Policy

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Motorola Mobility Binding Corporate Rules (BCRs)

Information Governance Incident Reporting Procedure

GENERAL PRIVACY POLICY

Information Security Controls Policy

Data protection. 3 April 2018

DATA PROTECTION POLICY THE HOLST GROUP

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Data Protection and GDPR

ITG. Information Security Management System Manual

Eco Web Hosting Security and Data Processing Agreement

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Introduction to SURE

Data Processor Agreement

Internal Audit Report DATA CENTER LOGICAL SECURITY

SECURITY & PRIVACY DOCUMENTATION

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

IT Security Evaluation and Certification Scheme Document

ADMA Briefing Summary March

QuickBooks Online Security White Paper July 2017

Governance and Compliance Learning from the Private Sector. David Coverdale

Data Protection Policy

Follow-up to Information Technology Security Audit

Introductory guide to data sharing. lewissilkin.com

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

PS Mailing Services Ltd Data Protection Policy May 2018

A practical guide to IT security

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

ISO/IEC INTERNATIONAL STANDARD

Application for connection to YJS CUG and Hub (v6.0)

Information Technology General Control Review

INFORMATION TECHNOLOGY SECURITY POLICY

Schedule Identity Services

Institute of Technology, Sligo. Information Security Policy. Version 0.2

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Information Governance Incident Reporting Policy

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

General Data Protection Regulation

Use of and Instant Messaging (IM) Policy

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

DATA PROCESSING TERMS

Nottinghamshire Office of the Police & Crime Commissioner & Nottinghamshire Chief Constable

UKAS Guidance for Bodies Offering Certification of Anti-Bribery Management Systems

ANZSCO Descriptions The following list contains example descriptions of ICT units and employment duties for each nominated occupation ANZSCO code. And

PS 176 Removable Media Policy

DATA PROTECTION POLICY

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Data Loss Assessment and Reporting Procedure

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

A guide to the Cyber Essentials Self-Assessment Questionnaire

A company built on security

M&A Cyber Security Due Diligence

Request For Proposal ONWAA Website & E-Learn Portal

The Data Protection Act 1998 Clare Hall Data Protection Policy

University of Sunderland Business Assurance PCI Security Policy

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

A guide to the Cyber Essentials Self-Assessment Questionnaire

Cyber Review Sample report

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Transcription:

Wye Valley NHS Trust Data protection audit report Executive summary June 2017

1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Wye Valley NHS Trust (the Trust) contacted the ICO in July 2016 requesting an audit. An introductory meeting was held on 1 February 2017 with representatives of the Trust to identify and discuss the scope of the audit and after that to agree the schedule of interviews. The audit field work was undertaken at Hereford County Hospital and Hoople s Plough Lane Offices between 4 April and 6 April 2017. Wye Valley NHS Trust ICO data protection audit report executive summary 2 of 8

2. Scope of the audit Following pre-audit discussions with the Trust, it was agreed that the audit would focus on the following areas: Data protection governance The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. Wye Valley NHS Trust ICO data protection audit report executive summary 3 of 8

Impact 3. Audit Approach The audit was conducted following the Information Commissioner s data protection audit methodology. The key elements of this are a desk-based review of selected policies and procedures, on-site visits including interviews with selected staff, and an inspection of selected records. The purpose of the audit was to provide the Information Commissioner and the Trust with an independent assurance of the extent to which the Trust, within the scope of this agreed audit, is complying with the DPA. Where weaknesses were identified recommendations have been made, primarily around enhancing existing processes to facilitate compliance with the DPA. In order to assist data controllers in implementing the recommendations each has been assigned a priority rating based upon the risks that they are intended to address. These ratings are assigned based on the following risk matrix: Severe High Medium Low High High Urgent Urgent Medium Medium High Urgent Low Medium Medium High Low Low Medium High Remote Unlikely Likely Very Likely Likelihood It is important to note that the above ratings are assigned based upon the ICO s assessment of the risks involved. The Trust s priorities and risk appetite may vary and, therefore, they should undertake their own assessments of the risks identified. Wye Valley NHS Trust ICO data protection audit report executive summary 4 of 8

4. Audit opinion The purpose of the audit is to provide the Information Commissioner and the Trust with an independent assurance of the extent to which the Trust, within the scope of this agreed audit, is complying with the DPA. Overall Conclusion Limited assurance There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA. We have made 1 reasonable and 1 limited assurance assessment where controls could be enhanced to address the issues which are summarised below. Wye Valley NHS Trust ICO data protection audit report executive summary 5 of 8

5. Summary of Recommendations Urgent Priority Recommendations These recommendations are intended to address risks which represent clear and immediate risks to the data controller s ability to comply with the requirements of the DPA. High Priority Recommendations - These recommendations address risks which should be tackled at the earliest opportunity to mitigate the chances of a breach of the DPA. Medium Priority Recommendations - These recommendations address risks which can be tackled over a longer timeframe or where mitigating controls are already in place, but which could be enhanced. Low Priority Recommendations - These recommendations represent enhancements to existing good practice or where we are recommending that the data controller sees existing plans through to completion. We have made 0 urgent priority recommendations across both scope areas. We have made 15 high priority recommendations across all scope areas: 2 in data protection governance; and 13 in security of personal data where controls could be enhanced to address the issues identified. We have made 17 medium priority recommendations across all two scope areas: 11 in data protection governance and 6 in security of personal data where controls could be enhanced to address the issues identified. We have made 11 low priority recommendations across all two scope areas: 10 in data protection governance; and 1 in security of personal data where controls could be enhanced to address the issues identified. Wye Valley NHS Trust ICO data protection audit report executive summary 6 of 8

6. Summary of audit findings Areas of good practice The Information Governance (IG) team maintains a comprehensive data flow mapping document which includes whether the flow is an information asset, where the asset is located and who the owner is. It also acts as an information risk register as all flows have been risk assessed. The IG team writes and delivers the face to face IG training used in the mandatory induction and refresher training. Having the team involved at this level has improved the quality of the content of the training and allows any questions to be addressed by the Trust s authoritative IG experts. The network infrastructure, maintained by a third party supplier, is in line with requirements for N3 access. There is a comprehensive monitoring and analytical structure enabling them to identify and respond to external threats. In addition automatic antivirus definitions are uploaded and distributed to connected devices. Remote access from a laptop to the Trust s network uses a secure VPN which requires two-factor authentication. A soft token generating program is installed on the laptop that the user inputs their PIN into to generate a token. This token is then entered with a user name and password to enable access to the VPN. Areas for improvement The Trust would benefit from the establishment of a dedicated IG Steering Group whose membership consists of representation from the IG Team, the Senior Information Risk Owner (SIRO), Information Asset Owners (IAOs) and other roles with IG responsibilities in order to improve the IG framework at the Trust and ensure that all IG matters are comprehensively addressed. To date, there has been no training needs analysis conducted across the Trust to determine which staff would benefit from further, or more specialised, IG training, such as IAO s. Although the Trust have produced a leaflet for patients outlining how they will process their personal data, the leaflet is not made readily available for patients in all main reception areas and there are no awareness posters displayed advising patients of their rights and how data may be used by the Trust. Frontline staff were unsure of fair processing provisions and do not always provide an explanation or any written materials to Wye Valley NHS Trust ICO data protection audit report executive summary 7 of 8

patients to explain how their information will be used and secured by the Trust. Despite the use of USB flash drives being prohibited by Trust policies, there is no up to date whitelist in operation for approved devices or end point controls in place to prevent the use of unauthorised USB devices on Trust computers and laptops. There are inconsistencies in the granting and managing of physical access to certain areas across the Trust and the current security around access control to server rooms and IT hubs on the main site should be reassessed. Standard Operating Procedures should be implemented to help address these variations and mechanisms employed to ensure these procedures are adhered to. The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Wye Valley NHS Trust. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. Wye Valley NHS Trust ICO data protection audit report executive summary 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback