HSCIC Post Audit Review of Data Sharing Activities: Dr Foster

Directorate / Programme: Data Dissemination Services
Project: Data Sharing Audits
Status: Approved
Director: Terry Hill
Version: 1.0
Owner: Rob Shaw
Version issue date: 02/11/2015
HSCIC Post Audit Review of Data Sharing Activities: Dr Foster Intelligence
Copyright ©2015 Health and Social Care Information Centre
Data Sharing Post Audit Report: Dr Foster Intelligence, v1.0 Approved 02/11/2015
Contents

Executive Summary ........ 3
1 About this Document ........ 4
1.1 Purpose ........ 4
1.2 Audience ........ 4
1.3 Outstanding Audit Areas ........ 4
1.4 Conclusion ........ 4
2 Status ........ 5

Page 2 of 6
Executive Summary
This document records the formal closure of the data sharing audit of Dr Foster Intelligence
on 17th and 18th March 2015 against the requirements of the Health and Social Care
Information Centre (HSCIC) data sharing agreements covering Hospital Episode Statistics
(HES) data, Office of National Statistics (ONS) mortality data and Summary Hospital-Level
Mortality Indicator (SHMI) data.
In total, three minor nonconformities and two observations were closed during the follow-up
visit on 28th September 2015:

• No acknowledgment of deleted / destroyed data has been provided to HSCIC as required by the data sharing agreement (minor).
• The mandated HSCIC copyright statement specified in the data sharing agreements was not cited on publications and websites (minor).
• The information recorded in the asset register is not linked to specific data sharing agreements (minor).
• There is no evidence of the implemented controls and justifications as to the perceived risk reduction following the application of a control, especially with respect to reductions in impact (observation).
• Version control of written documents needs to be improved (observation).
Furthermore, all of the areas raised but not covered during the initial audit have been
assessed and were found to be satisfactorily controlled.
In summary, it is the Audit Team’s opinion that at the current time and based on evidence
presented during the audit, there is minimal risk of inappropriate exposure and / or access to
data provided by HSCIC to Dr Foster Intelligence under the terms and conditions of the data
sharing agreements signed by both parties.
1 About this Document
1.1 Purpose
This report provides an evaluation of the changes made by Dr Foster Intelligence
following the Data Sharing Audit in March 2015 against the requirements of the Health
and Social Care Information Centre (HSCIC) data sharing agreement covering Hospital
Episode Statistics (HES) data, Office of National Statistics (ONS) mortality data and
Summary Hospital-Level Mortality Indicator (SHMI) data. This evaluation was conducted
on 28th September 2015.
1.2 Audience
This document has been written for the Director of Data Dissemination Services. Copies
will be made available to the HSCIC Community of Audit Practitioners, Assurance and
Risk Committee and the Information Assurance and Cyber Security Committee for
governance purposes. The report will be published in a public forum.
1.3 Outstanding Audit Areas
The following areas were identified as requiring follow-up at the audit in March 2015:
• CCTV access / retention records;
• process for cleansing access cards before they are re-used;
• monitoring of customer access and usage logs;
• malware / firewall policy;
• authentication mechanism associated with the display of Imperial College held data;
• deletion of data with respect to retained backup tapes;
• review of risks by the Information Security Management Forum; and
• audit planning.
All were found to be in place and fit for purpose. No new nonconformities were raised as
a result.
Dr Foster Intelligence also presented its ISO 27001:2013 certificate, dated 9th
September 2015.
1.4 Conclusion
All of the nonconformities and observations raised by the Audit Team are now deemed
closed.
2 Status
Table 1 identifies the status of the minor nonconformities and observations raised as part of the audit.
Ref: 1
Comments: No acknowledgment of deleted / destroyed data has been provided to HSCIC as required by the data sharing agreement
Designation: Minor
Update: Examples of three completed data destruction notes and various covering emails to HSCIC were presented to the Audit Team.
Status: Closed

Ref: 2
Comments: The mandated HSCIC copyright statement specified in the data sharing agreements was not cited on publications and websites
Designation: Minor
Update: The current tool was viewed by the Audit Team and the HSCIC copyright statement was visible both in the web browser and in the PDF reports generated by the tool. An entry has been added to a Project Manager's checklist to ensure that the required copyright statements are included as required.
Status: Closed

Ref: 3
Comments: The information recorded in the asset register is not linked to specific data sharing agreements
Designation: Minor
Update: The content of the asset register has been expanded since the original visit and now includes fields associated with each data sharing agreement.
Status: Closed

Ref: 4
Comments: Provide evidence of the implemented controls and justifications as to the perceived risk reduction following the application of a control, especially with respect to reductions in impact
Designation: Obs
Update: The risk methodology has evolved and has been subject to review by the external ISO 27001 auditor. Risks are reviewed by the ISMF (Information Security Management Forum), which sits approximately every six weeks. As such, Dr Foster Intelligence is comfortable with the approach taken and the level of scrutiny given within the organisation, though the Audit Team still expressed reservation with the extensive use of reducing impact following the application of controls. HSCIC expects that evolution of the process and analysis will be examined as part of the regular ISO 27001 surveillance visits. A number of internal audits have been undertaken with respect to current processes/procedures and further ones are planned. These internal audits should ensure that practices are fit for purpose and are delivering the necessary controls.
Status: Closed

Ref: 5
Comments: Version control of written documents needs to be improved
Designation: Obs
Update: This continues to be improved, though a single error was noted.
Status: Closed

Table 1: Nonconformities and Observations