Confidentiality Audit Procedure

Our procedure to monitor access to person-identifiable data.

Published: 28 July 2022

Version: 4.0



The purpose of this document is to set out an established and appropriate confidentiality audit process to monitor access to confidential person-identifiable information throughout the NHS Counter Fraud Authority (NHSCFA). This policy document forms part of the NHSCFA’s overall governance and assurance framework to meet the requirements within:

  • NHS Digital’s Data Security and Protection Toolkit; and
  • the NHS Confidentiality Code of Conduct

This policy covers all information systems purchased, developed and managed by/or on behalf of the NHSCFA and any individual directly employed by or contracted to work for the organisation.

Scope of audits

For the purposes of this policy, confidential person-identifiable information is defined as any information about a living natural person which would allow that person to be identified either directly or indirectly.

All work areas within the NHSCFA which process confidential person-identifiable information will be subject to a confidentiality audit.

Access to both electronic and manual confidential person-identifiable information is liable to be audited. Audits may be undertaken across all NHSCFA sites, which will help to ensure any inconsistencies in practice are captured. The Board may agree ‘terms of reference’ for an exercise to be undertaken internally by the Governance & Assurance team, or agree for an exercise to be undertaken by an external auditor.

Decisions as to the scope and location of the audit will be agreed between the Audit Lead and the relevant Senior Management Team Lead, with input from the Information Governance Lead where appropriate.

Audit approach

The audits will seek to assess:

  • staff awareness of NHSCFA policies and guidelines concerning confidentiality
  • appropriate recording of consent (where applicable)
  • appropriate allocation of access rights to systems
  • appropriate staff access to physical areas
  • storage of and access to filed hard copy person-identifiable notes and information
  • security of post handling areas (where applicable)
  • storage of person-identifiable information in open/public areas
  • security of recorded telecommunications and messages

Audit methods used may include horizontal or vertical audit of whole or partial areas of business divisions. The evidence or information gathered and/or examined may include (although this is not an exhaustive list):

  • notified audit visits with structured questionnaires
  • spot checks to random work areas
  • interviews with staff using structured questionnaires
  • annual staff knowledge via e-learning pathways
  • results from the IG toolkit training needs analysis
  • investigation of reports or submissions to the Caldicott Guardian

The audit Sponsor will agree how the following deliverables will be provided:

  • a nominated lead responsible officer for implementation
  • detailed audit procedures and auditor specifications
  • trained auditors
  • a planned and implemented audit programme
  • a spreadsheet/database to record audit outcomes
  • audit report/recommendations for the Board and the Information Governance Lead
  • support with action plans to address any areas requiring review
  • reports to the Caldicott Guardian concerning any identified breaches.

Audit results will be collected on a standard template and kept for future reporting and analysis.

Roles and responsibilities

Caldicott Guardian

It is a requirement for all NHS organisations to appoint a Caldicott Guardian, who must be a senior person within the organisation. The Chief Executive is the NHSCFA’s appointed Caldicott Guardian and they have overall responsibility for protecting the confidentiality of people’s health and care information and making sure that it is used appropriately.

Information Governance Lead

The role of the Information Governance Lead is to help ensure the organisation’s handling and sharing of personal data is undertaken in a confidential and secure manner, to appropriate ethical, professional and legal standards.

Audit Lead

The audit lead will ensure the successful design and conduct of the assurance audit.

Auditor Pool

The pool comprises staff of all grades from across the organisation who have been trained to conduct internal audits under the instruction and guidance of the Senior Governance and Assurance Officer. Where an IG exercise is conducted as part of the wider Governance & Assurance programme, the audit pool may contribute to these exercises.

Audit findings

Results from the audits will be collected on a standard template setting out both findings and recommendations and kept for future reporting and analysis. The report will be copied to the Information Governance Team, highlighting any areas requiring further development and making recommendations concerning any corrective actions required.

The Information Governance Lead will ensure that action plans agreed with the Audit Sponsor are complied with and implemented, to rectify any issues identified by the audit. This will include co-ordinating the review of relevant policies and procedures and suggesting recommended amendments to the staff IG training programme as appropriate.

All audit recommendations and management responses will be captured and fed into the Board Assurance Framework document, providing the Board and the Audit, Risk and Assurance Committee with thorough oversight of the organisation’s operational and strategic risks.

Where breaches, or the risk of a breach, of person-identifiable confidential information are identified from an audit, matters will be reported and investigated through the NHSCFA’s Service Desk. Where appropriate the Caldicott Guardian will also be notified so that the issue can be entered in the relevant ‘Caldicott Incident Log’, which may be reviewed by the Information Governance Team and IT Security Group.

Review of this policy

This procedure will be reviewed by the Information Governance team on at least a biennial basis as part of a responsive approach to learn lessons and deliver continued improvement.
