Central London Community Healthcare NHS Trust. Data protection audit report

Transcription

1 Central London Community Healthcare NHS Trust Data protection audit report Executive Summary July 2014

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Central London Community Healthcare NHS Trust (CLCH) agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was held on 18 March 2014 with representatives of CLCH to identify and discuss the scope of the audit and subsequently to agree the schedule of interviews. The audit field work was undertaken at the following CLCH locations between 13 and 15 May ICO data protection audit report executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with the Trust, it was agreed that the audit would focus on the following areas: a. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. b. Records management The processes in place for managing both electronic and manual records containing personal data. This will include controls in place to monitor the maintenance, storage, movement, retention and destruction of personal data records. ICO data protection audit report executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and the Trust with an independent assurance of the extent to which the Trust, within the scope of this agreed audit is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Limited assurance There is a limited level of assurance that robust controls and processes are in place to help deliver data protection compliance. The audit has identified some scope for improvement in existing arrangements. We have made one reasonable assurance assessment and one limited assurance assessment where controls could be enhanced to address the issues which are summarised below. ICO data protection audit report executive summary 4 of 6

5 4. Summary of audit findings Areas of good practice The Trust makes good use of a combined incident and risk management system that is easily accessible to all staff through the Trust s Intranet. The system has Information Governance and Records Management categories for risks, automatically alerts relevant IG staff of incidents and near misses in those categories and informs regular reports to the Information Governance Group about information risks. Remote and home working is achieved through encrypted laptops and secure VPNs and the Trust is currently piloting the use of mobile devices controlled by a Mobile Device Management (MDM) system and which can be wiped remotely. The Trust has put in place business continuity and security systems to protect its IT systems, including robust uninterruptible power supplies and a secure data centre. Areas for improvement The effectiveness of security doors and zoning varied between Trust sites and at some locations visited paper records were not suitably secured. The Trust has inventories of IT systems but at present there is no complete Trust wide Information Asset Register (IAR) containing all clinical information systems, local systems, paper records, and records libraries which could be used to support information risk management and provide assurance to the SIRO and Board. The Trust does not have a comprehensive network of Information Asset Owners (IAOs), although, assets are currently being mapped and owners identified and a bespoke training program is being developed for them. There is no dedicated records manager or health records management role to provide direction, continuity and oversight across the Trust and across both clinical and non-clinical records management systems and processes. Arrangements for disposal of confidential waste are inconsistent across the Trust and vary greatly in their effectiveness between and even within different Trust locations. ICO data protection audit report executive summary 5 of 6

6 The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Central London Community Healthcare NHS Trust. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report; however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6