- Scope of audits
- Audit approach
- Roles and responsibilities
- Audit findings
- Review of this policy
The purpose of this document is to set out established and appropriate confidentiality audit procedures, to monitor access to confidential person-identifiable information throughout the NHS Counter Fraud Authority (NHSCFA). This policy document forms part of the NHSCFA’s overall governance and assurance framework to meet the requirements within:
- the Department of Health’s Data Security and Protection Toolkit; and
- the NHS Confidentiality Code of Conduct.
This policy covers all information systems purchased, developed and managed by/or on behalf of the NHSCFA and any individual directly employed or otherwise by the organisation.
Scope of audits
For the purposes of this policy, confidential person-identifiable information is defined as any information about a person which would allow that person to be identified either directly or indirectly.
All work areas within the NHSCFA which process confidential person-identifiable information will be subject to a confidentiality audit.
Access to both electronic and manual confidential person-identifiable information is liable to be audited. Audits may be undertaken across all the NHSCFA sites, which will help to ensure any inconsistencies in practices are captured. The Board may agree ‘terms of reference’ for an exercise to be undertaken internally by the Governance & Assurance team, or agree for an exercise to be undertaken by an external auditor.
Decisions as to the scope and location of the audit will be agreed between the Audit Lead, the relevant Senior Management Team Lead and the Information Governance Lead.
What the audits will look for:
- staff awareness of NHSCFA policies and guidelines concerning confidentiality
- appropriate recording of consent (where applicable)
- appropriate allocation of access rights to systems
- appropriate staff access to physical areas
- storage of and access to filed hard copy person-identifiable notes and information
- security of post handling areas (where applicable)
- storage of person-identifiable information in open/public areas
- security of recorded telecommunications and messages
Audit approach
Audit methods used may include horizontal or vertical audit of whole or partial areas of the business. The evidence or information gathered and/or examined may include (although this is not an exhaustive list):
- notified audit visits with structured questionnaires
- spot checks to random work areas
- interviews with staff using structured questionnaires
- annual staff knowledge checks via e-learning pathways
- results from the IG toolkit training needs analysis
- investigation of reports or submissions to the Caldicott Guardian
The audit Sponsor will agree how the following deliverables will be provided:
- a nominated lead responsible officer for implementation
- detailed audit procedures and auditor specifications
- trained auditors
- a planned and implemented audit programme
- a spreadsheet/database to record audit outcomes
- audit report/recommendations for the Board and the Information Governance Lead
- support with action plans to address any areas requiring review
- reports to the Caldicott Guardian concerning any identified breaches.
Audit results will be collected on a standard template and kept for future reporting and analysis.
Roles and responsibilities
Caldicott Guardian
It is a requirement for all NHS organisations to appoint a Caldicott Guardian, who must be a senior person within the organisation. The Chief Executive is the NHSCFA’s appointed Caldicott Guardian and has overall responsibility for protecting the confidentiality of people’s health and care information and making sure that it is used appropriately.
Information Governance Lead
The role of the Information Governance Lead is to help ensure the organisation’s handling and sharing of personal data is undertaken in a confidential and secure manner, to appropriate ethical, professional and legal standards.
Audit Lead
The Audit Lead will ensure the successful design and conduct of the assurance audit.
Audit pool
The audit pool comprises staff of all grades from across the organisation who have been trained to conduct internal audits under the instruction and guidance of the Senior Governance and Assurance Officer. Where an IG exercise is conducted as part of the wider Governance & Assurance programme, the audit pool may contribute to these exercises.
Audit findings
Results from the audits will be collected on a standard template setting out both findings and recommendations, and kept for future reporting and analysis. The report will be submitted to the Information Governance Team, highlighting any areas requiring further development and making recommendations concerning any corrective actions required.
The Information Governance Lead will ensure that action plans agreed with the Audit Sponsor are complied with and implemented, to rectify any issues identified from the audit. This will include co-ordinating the review of relevant policy and procedures and suggesting recommended amendments to the staff IG training programme as appropriate.
All audit recommendations and management responses will be captured and fed into the Board Assurance Framework document, providing the Board and the Audit Risk Committee with thorough oversight of the organisation’s operational and strategic risk.
Where breaches, or risks of breaches, in person-identifiable confidential information are identified from the audits, matters will be reported and investigated through the NHSCFA’s Service Desk. Where appropriate the Caldicott Guardian will also be notified so that the issue can be entered in the relevant ‘Caldicott Incident Log’, which may be reviewed by the Information Governance Team & IT Security Group.
Review of this policy
This procedure will be reviewed by the Information Governance team on an annual basis, as part of a responsive approach to learning lessons and delivering continued improvement.