NHS Digital Post Audit Review: Carnall Farrar Limited
This report provides an update on progress of the remote data sharing audit of Carnall Farrar Limited in December 2020
Audit summary
This report provides an update on progress of the remote data sharing audit of Carnall Farrar Limited (CF) between 1 and 7 December 2020 against the requirements of both:
- the data sharing framework contract (DSFC) CON-194564-H7S7F
- the data sharing agreement (DSA) DARS-NIC-243790-Y8K8C-v1.5
This DSA covers the provision of the following datasets:
Dataset | Classification of data | Dataset period |
---|---|---|
Mental Health and Learning Disabilities Data Set | Pseudonymised/Anonymised, Non-sensitive | 2015/16 |
Hospital Episode Statistics (HES) Admitted Patient Care | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
HES Critical Care | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
HES Outpatients | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
HES Accident and Emergency | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2019/20 |
Secondary Uses Service (SUS) Payment by Results (PbR) Episodes | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
SUS PbR Spells | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
SUS PbR Outpatients | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
SUS PbR Accident & Emergency | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
Bridge file: HES to Mental Health Minimum Data Set | Pseudonymised/Anonymised, Non-sensitive | Latest available |
Mental Health Services Data Set | Pseudonymised/Anonymised, Non-sensitive | 2016/17 - 2019/20 |
Emergency Care Data Set | Pseudonymised/Anonymised/Identifiable, Sensitive | 2019/20 - 2020/21 |
The Controller is CF and the Processor is Amazon Web Services (AWS). AWS provides cloud storage services to CF.
Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide.
Post audit review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by CF between August 2021 and April 2022.
Post audit review outcome
Based on the evidence, the Audit Team has found that CF has not suitably addressed the findings. 1 agreement nonconformity remains open and requires further review by the Audit Team. CF is therefore required to update its action plan to align with this post audit review report.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data recipient’s acceptance statement
CF has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 2 agreement nonconformities, 1 organisation nonconformity, 1 observation and 5 opportunities for improvement raised as part of the original audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | Validation testing of required security controls has not been conducted. Any future test should consider NHS Digital requirements in the Cloud Good Practice Guidance. | Access Control | A security assessment was commissioned by CF and an output report was shared with the Audit Team in March 2022. However, the Audit Team has not seen what action has been taken by CF to address the findings of this assessment. | Agreement nonconformity | Open |
2 | The release of the database within the externally managed docker container used by CF to maintain its system was out of date. The latest version of the database application addresses a number of security vulnerabilities and fixes. No risk assessment has been undertaken to determine any risk posed to the system by using an older version of the database. | Access Control | CF has introduced a process to monitor new releases of the database by subscribing to the developer’s mailing list. It was reported by CF that when a new stable version is released the system will be rebuilt around the new version of the software. This process will be continuous and ongoing. CF shared a document that outlined its assessment on each database version release, risk, benefit, and action. The Audit Team would recommend that any security vulnerabilities on the systems used to process and hold data supplied by NHS Digital are fed into the risk register. | Agreement nonconformity | Closed |
3 | Version control information on documentation was variable and was found to be incorrect on several documents. | Operational Management | Screenshots were supplied to the Audit Team which showed the version control information had been revised in the following documents: CF has updated its Information Security Policy, which is now in a new format. A copy of the document was supplied to the Audit Team. The document included a change log section. | Organisation nonconformity | Closed |
4 | CF was able to present evidence of data protection training material being produced and sent to all staff by email; however, there was no evidence that there was monitoring of compliance to ensure staff had understood and completed the training in the last 12 months. | Operational Management | CF has developed an online quiz that needs to be completed as part of the information governance training. It was reported that the training needs to be completed by staff on an annual basis and by new starters. The training is now monitored through a tracker. A screenshot was supplied to the Audit Team of names and dates when staff had completed the online quiz as part of the training. | Observation | Closed |
5 | The Information Asset Register (IAR) could include a column to indicate which datasets have been destroyed. The DSA requires datasets be destroyed on a 5-year rolling period. | Operational Management | A column has been added to the IAR to reflect which datasets have been destroyed. A copy of the IAR was supplied to the Audit Team. | Opportunity for Improvement | Closed |
6 | CF should retain auditable evidence to demonstrate the permanent deletion of electronic data. Such records could be used as supporting evidence for a certificate of destruction submitted to NHS Digital. | Data Destruction | CF deleted data in June 2021 and completed an NHS Digital Certificate of Destruction (CoD). A copy of the CoD was supplied to the Audit Team. | Opportunity for Improvement | Closed |
7 | CF should consider formalising its approach to the destruction of hardware for failed disks under warranty. | Data Destruction | This finding has been rejected by CF as it considers the current procedures in the information governance training material are sufficient for staff members to correctly identify hardware that needs to be destroyed. | Opportunity for Improvement | Rejected |
8 | CF should consider expanding the current documentation around patch management to cover hardware that is used to store and process data supplied by NHS Digital. | Operational Management | CF has decided not to expand its current documentation around patch management. CF stated that the current patch management solution that CF uses is not available for Linux, and they will instead use a separate solution from the hardware provider. | Opportunity for Improvement | Rejected |
9 | CF should consider producing a detailed data flow diagram, which clearly shows which data is derived and processed through which portal. It could include details for the foresight and capacity work, as well as benchmark activities indicated within the DSA. | Information Transfer | CF has produced a summary data flow diagram. The diagram outlines the process from receipt of datasets to the end products. A copy of the data flow diagram was supplied to the Audit Team. | Opportunity for Improvement | Closed |
Disclaimer
NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 July 2022 2:31 pm