NHS England Data Sharing Remote Audit: NHS Blood and Transplant
This report records the key findings of a remote data sharing audit of NHS Blood and Transplant in February 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of NHS Blood and Transplant (NHSBT) between 6 and 10 February 2023. It provides an evaluation of how NHSBT conforms to the requirements of both:
- the data sharing framework contract (DSFC) CON-321455-Q0T3Y-v2.01
- the data sharing agreement (DSA) DARS-NIC-476579-S9J4D-v1.1
This DSA covers the provision of the following dataset:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Covid-19 Vaccination Status | Identifiable, Sensitive | Latest Available |
The Controller is NHSBT.
Data provided under this DSA will be used to identify which blood donors registered with NHSBT, who have previously donated convalescent plasma, have received the Covid-19 vaccine. NHSBT requires information on the type of vaccine given to each donor and the date of each dose, as well as indicators where donors have not been vaccinated.
This report also considers whether NHSBT conforms to its own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
NHSBT has reviewed this report and confirmed that it is accurate. NHSBT is aware that there are known issues in terms of some of the findings, in particular findings 1, 2 and 4. However, NHSBT is actively engaging with stakeholders and is currently appraising its services and binding them into an upgrade roadmap.
Data recipient’s action plan
NHSBT will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with NHSBT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following table identifies the 3 agreement nonconformities, 1 organisation nonconformity, 2 observations, 2 opportunities for improvement and 1 point for follow-up raised as part of the audit.
In addressing a finding, the data recipient must take account of any referenced supplementary notes.
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 |
NHSBT is using machines and servers which are running unsupported software. |
Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | 1 |
| 2 | Some security assessments have not been performed. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity | |
| 3 | There was no evidence to show that user permissions to the network folder holding data supplied under the DSA have been reviewed on a regular basis, nor was there any evidence of privilege/administrative access reviews being conducted. | Access Control | DSA, section 7.1 | Agreement nonconformity | |
| 4 | The NHSBT Password Policy is not consistent with the Active Directory Group Domain Controller settings in place. NHSBT may also wish to review the policy against current National advice. | Access Control | NHSBT, Acceptable Use Policy – IT systems, POL 19/4.1 | Organisation nonconformity | |
| 5 | NHSBT will need to determine how data will be permanently deleted from backups when required. | Data Destruction | DSFC, Part 2, clause 5.4.1 | Observation | |
| 6 | A number of the configuration and operational documents provided to the Audit Team need to be reviewed and updated. | Operational Management | DSFC, Schedule 2, clause 4.11 | Observation | |
| 7 |
The Audit Team suggests that the following fields are added to the Record of Processing Activities (ROPA):
|
Operational Management | Opportunity for improvement | ||
| 8 |
NHSBT uses explicit consent for individuals to participate in the trial and to obtain data from NHS England as the legal basis. However, this is not explicitly mentioned in its privacy notice. NHSBT updated its privacy notice during the audit. |
Operational Management | Opportunity for improvement | ||
| 9 | NHSBT is in the process of updating its procedures in terms of the completion and process for Data Protection Impact Assessments (DPIAs). The current DPIA will need to be updated in line with the revised procedures. | Operational Management | Follow-up |
Supplementary notes
The following note refers to the table above and provides additional commentary on the linked finding.
Note 1. NHSBT is actively engaging with a third-party to understand the roadmap for out of support services. This will allow an improved view of the risk state during 2023. It is intended that Information Asset Owners will appraise their services being out of support and bind them into the upgrade roadmap. NHSBT stated that it has proportionate controls are in place to safeguard these services, but also knows it need to lessen legacy throughout the enterprise.
Use of data
NHSBT confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was only being linked with the dataset explicitly allowed in the DSA.
Data location
NHSBT confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| NHSBT | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| NHSBT | Tape | 10 weeks |
Good Practice
During the audit, the Audit Team noted the following areas of good practice:
- NHSBT was able to clearly demonstrate the value of the data supplied under this DSA has had towards benefitting the provision of health and social care in England, specifically the analysis of the COVID-19 related data
- NHSBT was able to identify and provide a clear roadmap and framework to improve and enhance its operational security requirements.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 21 May 2023 2:46 pm