HSCIC Post Audit Review of Data Sharing Activities:




Directorate / Programme: Data Dissemination Services
Project / Work: Data Sharing Audits
Status: Final
Acting Director: Chris Roebuck
Version: 1.0
Owner: Rob Shaw
Version issue date: 16-Jun-2015

HSCIC Post Audit Review of Data Sharing Activities: University Hospitals Birmingham

Contents

Executive Summary ... 3
1 About this Document ... 4
1.1 Purpose ... 4
1.2 Audience ... 4
1.3 Outstanding Audit Areas ... 4
1.4 Conclusion ... 4
2 Conclusions ... 5

Executive Summary

This document records the formal closure of the Data Sharing Audit [1] of University Hospitals Birmingham (UHB) on 27th August 2014 against the requirements of the Health and Social Care Information Centre (HSCIC) Data Sharing Agreements, in relation to data sharing agreement RU396 covering Hospital Episode Statistics (HES) and Office of National Statistics (ONS); both were provided in pseudonymised format.

This audit followed an approved and mature methodology based on ISO 19011:2011 (Guidelines for auditing management systems). The same methodology is used for all DSA audits conducted by HSCIC.

In total, one Minor Nonconformity and two Observations were raised:

- There is insufficient evidence of a comprehensive end-to-end risk assessment and treatment process; consideration needs to be given as to how to satisfactorily demonstrate compliance (Minor)
- Documentation version and configuration control would benefit from review and update (Observation)
- Consider how to use risk assessment and treatment to inform the internal audit programme (Observation)

All areas not covered during the initial audit have been assessed and were found to be satisfactorily controlled.

In summary, it is the Audit Team's opinion that at the current time, and based on the evidence presented on the day, there is minimal risk of inappropriate exposure and / or access to data provided by HSCIC to UHB under the terms and conditions of the RU396 Data Sharing Agreement signed by both parties.

[1] An audit is defined by ISO 9000:2014 as a systematic and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

1 About this Document

1.1 Purpose

This report provides an evaluation of the changes made by UHB following the Data Sharing Audit held on 27th August 2014 against the requirements of the Health and Social Care Information Centre (HSCIC) data sharing agreement RU396 covering Hospital Episode Statistics (HES) and Office of National Statistics (ONS); both were provided in pseudonymised format. This evaluation was conducted on 19th February 2015.

1.2 Audience

This document has been written for the Director of Data Dissemination Services. A copy will be made available to the HSCIC Community of Audit Practitioners, the Assurance and Risk Committee and the Information Assurance and Cyber Security Committee for governance purposes. The report will be published in a public forum.

1.3 Outstanding Audit Areas

The following areas were identified as requiring follow-up at the initial audit in August 2014:

- Mandatory IG and IG refresher training records for all staff
- Guidance handbooks in place for standards, processes and procedures used by the organisation
- Minutes for monthly management meetings
- Annual Business Plan
- Information Asset Register
- Disaster Recovery test

All were found to be in place and fit for purpose. No new nonconformities were raised as a result.

1.4 Conclusion

All of the nonconformities raised by the Audit Team are now deemed closed.

2 Conclusions

Table 1 presents the outcomes of the closing meeting to address the nonconformities and observations raised as part of the original audit.

Table 1: Nonconformities and Observations

Ref 1
Comments: There is insufficient evidence of a comprehensive end-to-end risk assessment and treatment process; consideration needs to be given as to how to satisfactorily demonstrate compliance
Designation: Minor
Update / Status:
- Greater effort has been applied to ensuring that risk assessment and treatment is appropriate for the level of risk
- Risk transferred to ISO 27001 certification body

Ref 2
Comments: Documentation version and configuration control would benefit from review and update
Designation: Obs
Update / Status: Evidence of improvement, message disseminated across the organisation

Ref 3
Comments: Consider how to use risk assessment and treatment to inform the internal audit programme
Designation: Obs
Update / Status:
- Both internal and external audits from a number of sources
- Two to three topics are selected per time
- Internal Audit Committee / Informatics Internal Audit will incorporate HES data sharing activity into at least one audit per annum
- Business continuity failover testing