
Post audit review: BRACE

This report provides the formal closure of the remote data sharing audit of BRACE in November 2020.

Audit summary

This report provides the formal closure of the remote data sharing audit of BRACE, a collaboration between the Health Services Management Centre at the University of Birmingham, the independent research consultancy RAND Europe Community Interest Company, and the Department of Public Health and Primary Care at the University of Cambridge. The audit was conducted between 2 and 6 November 2020 against the requirements of:

  • the data sharing framework contracts (DSFC): 
    • CON-321529-Q1B0S (University of Cambridge)
    • CON-313328-W1X6G (University of Birmingham)
    • CON-331851-D7V3F (RAND Europe Community Interest Company)
  • the data sharing agreement (DSA) DARS-NIC-243359-X4T5M-v0.15

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised, Non-sensitive | 2019/20 to 2021/22 |
| Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised, Non-sensitive | 2013/14 to 2021/22 |
| HES Outpatients | Anonymised/Pseudonymised, Non-sensitive | 2013/14 to 2021/22 |
| HES Accident and Emergency | Anonymised/Pseudonymised, Non-sensitive | 2013/14 to 2019/20_M12 |

The Controllers are University of Cambridge, University of Birmingham and RAND. As the DSA only allows the data supplied by NHS Digital to be processed at RAND, the audit focussed predominantly on the controls maintained by this joint Controller.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by RAND in June 2021. A video conference was also held with RAND to review additional evidence.

Post audit review outcome

Based on the evidence provided by RAND, the Audit Team has closed all of the findings except for one opportunity for improvement. Although no further action is required by the Audit Team, RAND should complete the outstanding action when a new DSFC or DSA is issued.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

BRACE has reviewed this report and confirmed that it is accurate.


Status

The following table shows the 3 observations, 7 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 


| Ref | Finding | Link to area | Update | Designation | Status |
| --- | --- | --- | --- | --- | --- |
| 1 | RAND has not completed and submitted a Data Security and Protection Toolkit (DSPT) as required by the DSA’s special conditions. | Operational management | RAND completed and submitted its 2020/21 DSPT on 07 June 2021. The company provided a copy of the details from the DSPT organisation search function to the Audit Team. | Observation | Closed |
| 2 | Data supplied by NHS Digital are to be processed using locally installed statistical analysis applications. RAND to assess any risks arising from their use, for example caching of temporary files on the unencrypted operating system partition, and consider whether additional controls are required. | Information transfer | RAND reported that the operating system partition is now encrypted, and the “HES Server Procedures” document was updated to reflect this requirement. A screenshot of the encryption settings and a copy of the new procedures, v1.1 dated 11 June 2021, were provided to the Audit Team. | Observation | Closed |
| 3 | RAND to implement a more frequent review of “HES server” access logs to ensure that only authorised RAND staff / users are accessing the HES folders in accordance with the DSA special condition. Reviews are currently undertaken annually. At the time of the audit, RAND had only received data in April 2020. | Access control | A system access log report is automatically produced at the start of each month. This log is then reviewed by the IT team and a copy of the report saved. A copy of an example log was provided to the Audit Team. | Observation | Closed |
| 4 | RAND should determine the process and need for any additional controls around transferring files from the “HES server” to offsite researchers to ensure only aggregated, small number suppressed information is transferred. RAND should also consider whether logs for any transfers are retained to provide an audit trail. | Information transfer | RAND reported that a register has been created to record file transfers to and from the HES server along with supporting details. The “HES Server Procedures” document was also updated to reflect the requirement to populate this register. A screenshot of the data transfer register was provided to the Audit Team. | Opportunity for improvement | Closed |
| 5 | The Audit Team suggested that the item “Data suppliers” is added to the potential parties to contact in the event of a data breach, listed in the Data Breach Procedure, to ensure that the notification requirement in Part 2 section 4.18 of the DSFC is not overlooked in the event of a breach. Note: The Data Breach Procedure was updated prior to the closing meeting to include “Data suppliers”. | Operational management | The Data Breach Procedure was updated whilst the Audit Team was onsite. | Opportunity for improvement | Closed |
| 6 | RAND should ensure the risk assignment presented in the Data Protection Impact Assessment (DPIA) and in the associated risk assessment worksheet are consistent. RAND should also consider more frequent reviews of the DPIA as per the Information Commissioner’s Office recommendation “Document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purpose of the processing changes”. | Operational management | The DPIA was updated in March 2021 to simply reference the existing risk assessment worksheets. RAND’s projects register now includes dates for last review and next review of the DPIA. A copy of the latest DPIA and an extract of the projects register, for the BRACE project, were provided to the Audit Team. | Opportunity for improvement | Closed |
| 7 | A formal mechanism for cascading changes to policies should be considered by RAND, so that all staff are aware of any changes to existing policies / procedures or new publications. | Operational management | The Information Security Management System Communications Plan has been updated to require staff to be notified via email or the Intranet following changes to policy. A copy of the Plan, v1.6 dated 3 March 2021, was provided to the Audit Team. A copy of an email announcing a new Data Protection Policy and a new Fair Processing Notice, including relevant links, was also shown to the Audit Team. | Opportunity for improvement | Closed |
| 8 | RAND should consider a formal position as to how it treats lower level security risks (medium and below) arising from its security assessments. | Risk management | The Patching Policy has been revised to incorporate a process for the review of medium and lower-level risks. This process involves logging the risk along with the outcome of the review. A copy of the new procedure, v1.3 dated 14 January 2021, and a screenshot of an extract from the log, for risks identified during June 2021, were provided to the Audit Team. | Opportunity for improvement | Closed |
| 9 | BRACE should review and update the BRACE roles and responsibilities document created at the start of the project. For example, to recognise the DSFC and DSA, as well as other internal statements such as responsibilities around quality assurance. | Operational management | The Roles and Responsibilities document has been updated to recognise the points raised by the Audit Team. | Opportunity for improvement | Closed |
| 10 | The Audit Team suggested that the joint Controllers ensure appropriate teams and stakeholders review any new DSFC and DSA so the parties are fully aware of their responsibilities and are fully compliant. | Operational management | RAND reported that whilst the DSA was already shared with those directly accessing data, it has now extended its practice to also share the DSFC and DSA with the designated Principal Investigator and Project Manager. The RAND register has been updated to include these roles for BRACE projects. | Opportunity for improvement | Open, but not for follow-up |
| 11 | RAND to seek updates from the United States (US) security team with respect to actions arising from the results of an annual penetration test, to ensure any infrastructure issues that pose a risk to the data supplied by NHS Digital have been suitably addressed. | Access control | Quarterly reviews are now held with the US security team in which findings and improvement actions from penetration tests are shared and reviewed. RAND reported that any findings that directly affect the UK operation are captured in its own service improvement plans. A copy of a recent mitigation log was displayed to the Audit Team. | Follow-up | Closed |


Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 27 July 2021 2:45 pm