Birmingham Women s NHS Foundation Trust

Transcription

1 Birmingham Women s NHS Foundation Trust Data protection audit report Executive summary January Background

2 The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Birmingham Women s NHS Foundation Trust (the Trust ) has agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was initially held on the 04 August 2014 with a representative of the Trust to identify and discuss the scope of the audit. ICO data protection audit report executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with the Trust it was agreed that the audit would focus on selected controls and processes within the following areas: a. Training and awareness The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities. b. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. The focus will in particular be on mobile devices and media and also the security of patient records on wards and clinics. The following controls will be assessed: asset management, training, physical security and remote working. ICO data protection audit report executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and the Trust with an independent assurance of the extent to which the Trust, within the scope of the agreed audit, is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA Overall Conclusion Limited Assurance There is a limited level of assurance that robust controls and processes are in place to help deliver data protection compliance. The audit has identified scope for improvement in existing arrangements to minimise the risk of non-compliance with the DPA. We have made one reasonable assurance and one limited assurance assessment where controls could be improved to address the issues summarised below and presented fully in the detailed findings and action plan section of this report. ICO data protection audit report executive summary 4 of 6

5 Summary of audit findings Areas of good practice There is an approved and regularly updated information governance training programme for all permanent staff. This includes basic training on appointment and annual updates thereafter, as well as additional training for selected roles and staff groups. There are good security measures to manage removable storage media. For example, write access to removable storage media is disabled by default without an authorised exception, and personal information transferred via USB flash drives is encrypted to minimise the risk of data loss. There are good security measures in place to support mobile and remote working. For example, full disk encryption protects personal information at rest, and a secure VPN connection protects personal information in transit. Areas for improvement Basic information governance training needs have not been identified for locum, temporary, student and contract staff; and additional training needs have not been identified for Information Asset Owners or Medical Records staff. The Mobile and Remote Working Policy has not been updated in line with planned reviews or when required to ensure it remains suitable and relevant, and end users are not educated about the information security risks associated with this type of working. The Trust does not maintain an up-to-date inventory of all key information assets, including mobile computing devices and removable storage media, together with assigned owners to ensure that assets receive appropriate protection. For example, audio files stored on digital Dictaphones are not encrypted to protect against data loss. Inspections of selected departments indicate opportunities for improvement in relation to staff understanding and compliance with clear desk and clear screen policies and the Trust s safe haven procedures to help ensure the physical security and confidentiality of information assets. ICO data protection audit report executive summary 5 of 6

6 The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Birmingham Women s NHS Foundation Trust. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6