Confidentiality Audit Procedure
Our procedure to monitor access to person-identifiable data.
Published: 28/07/2022
Version: 4.0
The purpose of this document is to set out established and appropriate confidentiality audit process, to monitor access to confidential person-identifiable information throughout the NHS Counter Fraud Authority (NHSCFA). This policy document forms part of the NHSCFA’s overall governance and assurance framework to meet the requirements within:
This policy covers all information systems purchased, developed and managed by/or on behalf of the NHSCFA and any individual directly employed by or contracted to work for the organisation.
For the purposes of this policy, confidential person-identifiable information is defined as any information about a living natural person which would allow that person to be identified either directly or indirectly.
All work areas within the NHSCFA which process confidential person-identifiable information will be subject to a confidentiality audit.
Access to both electronic and manual confidential person-identifiable information is liable to be audited. Audits may be undertaken across all the NHSCFA sites, which will help to ensure any inconsistencies in practices are captured. The Board may agree ‘terms of reference’ for an exercise to be undertaken internally by the Governance & Assurance team, or agree for an exercise to be undertaken by an external auditor.
The decision as to the scope and location of the audit will be agreed between the Audit Lead and the relevant Senior Management Team Lead, with input from the Information Governance Lead where appropriate.
The audits will seek to assess:
Audit methods used may include horizontal or vertical audit of whole or partial areas of business divisions. The evidence or information gathered and/or examined may include (although this is not an exhaustive list):
The audit Sponsor will agree how the following deliverables will be provided:
Audit results will be collected on a standard template and kept for future reporting and analysis.
It is a requirement for all NHS organisations to appoint a Caldicott Guardian, who must be a senior person within the organisation. The Chief Executive is the NHSCFA’s appointed Caldicott Guardian and they have overall responsibility for protecting the confidentiality of people’s health and care information and making sure that it is used appropriately.
The role of the Information Governance Lead is to help ensure the organisation’s handling and sharing of personal data is undertaken in a confidential and secure manner, to appropriate ethical, professional and legal standards.
The audit lead will ensure the successful design and conduct of the assurance audit.
The pool comprises staff of all grades from across the organisation who have been trained to conduct internal audits, under the instruction and guidance of the Senior Governance and Assurance Officer. Where an IG exercise is conducted as part of the wider Governance & Assurance programme, the audit pool may contribute to these exercises.
Results from the audits will be collected on a standard template setting out both findings and recommendations and kept for future reporting and analysis. The report will be copied to the Information Governance Team, highlighting any areas requiring further development and making recommendations concerning any corrective actions required.
The Information Governance Lead will ensure that action plans agreed with the Audit Sponsor are complied with and implemented, to rectify any issues identified from the audit. This will include co-ordinating the review of relevant policy and procedures and suggesting recommended amendments to the staff IG training programme as appropriate.
All audit recommendations and management responses will be captured and fed into the Board Assurance Framework document, providing the Board and the Audit Risk and Assurance Committee with thorough oversight of the organisation’s operational and strategic risks.
Where a breach, or the risk of a breach, of person-identifiable confidential information is identified from an audit, the matter will be reported and investigated through the NHSCFA’s Service Desk. Where appropriate the Caldicott Guardian will also be notified so that the issue can be entered in the relevant ‘Caldicott Incident Log’, which may be reviewed by the Information Governance Team & IT Security Group.
This procedure will be reviewed by the Information Governance team on at least a biennial basis as part of a responsive approach to learn lessons and deliver continued improvement.