NHS England Data Sharing Remote Audit: Saving Faces - The Facial Surgery Research Foundation
This report records the key findings of a remote data sharing audit of Saving Faces - The Facial Surgery Research Foundation in February and March 2023.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Saving Faces - The Facial Surgery Research Foundation (Saving Faces) between 27 February and 3 March 2023. It provides an evaluation of how Saving Faces conforms to the requirements of both:
- the data sharing framework contract (DSFC): CON-384008-T4W4W-v2.01
- the data sharing agreement (DSA): DARS-NIC-147858-KGYSS-v4.4
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) - Members and Postings Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Flagging Current Status Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | March 2011 - September 2019 |
| Demographics | Identifiable, Sensitive | Latest available |
| Civil Registration - Deaths | Identifiable, Sensitive | Latest available |
The Controller is Saving Faces and the Processor is the Cancer Trials Centre (CTC) at University College London (UCL).
The SEND (selective neck dissection used electively) trial compares two standard surgical treatments for early oral cancer with no clinical evidence of lymph node metastases in the neck. The fundamental aim of the trial is to find better ways of treating patients with early mouth cancer. Saving Faces holds data previously disseminated and has requested new data for the SEND trial.
The trial has been closed to new patient recruitment since 2015. Findings published in 2019 showed patients with early mouth cancer who have resection of the cancer in the mouth and elective neck dissection at the same time have a survival benefit of 30% compared to patients who only have resection of the mouth cancer leaving the neck glands untouched. Based on these findings, Saving Faces believes there is reason to follow up patients for 10 years due to the risk of the cohort of patients getting new tumours.
This report also considers whether Saving Faces and its Processor conform to their own policies, processes and procedures.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Remote Audit Guide version 1.
Audit type and scope
| Audit type | Routine |
|---|---|
| Scope areas |
Information Transfer |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
Saving Faces and the CTC have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
Saving Faces and the CTC will establish a corrective action plan to address each finding shown in the findings table below. The Audit Team will validate this plan and the resultant actions at a post audit review with Saving Faces to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
Findings
The following tables identify the 4 agreement nonconformities, 1 organisation nonconformity, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.
In addressing a finding, the data recipient must take account of any referenced supplementary notes.
Saving Faces
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 1 |
The standalone laptop used to process the data has an unsupported operating system, is not encrypted, and does not have any malware protection. The laptop is not connected to the Internet but is connected to an encrypted external USB drive which is used to hold the data. However, the USB drive may be temporary connected to a different machine for file transfer. Also, the data is processed on a version of Microsoft Office which is no longer supported. Saving Faces has not conducted a documented risk assessment on the standalone laptop. |
Access Control |
DSFC, Schedule 2, Section A, Clause 4.7 DSFC, Schedule 2, Section A, Clause 1.1 |
Agreement nonconformity | |
| 2 |
The following documents do not reflect current practice regarding the transfer of data from Saving Faces to the CTC:
|
Information Transfer |
DSA, Annex A, section 5b SEND, SLSP, Version 6 SEND, Data Sharing Agreement, Version 2 |
Agreement nonconformity | |
| 3 |
Generic login credentials are being used by two members of staff to access the standalone laptop used to process the data supplied under this DSA. Only two employees have access to the laptop. |
Access Control |
DSFC, Schedule 2, Section A, Clause 1.1 DSA, Clause 7 |
Agreement nonconformity | |
| 4 |
The SEND data processing agreement with the CTC has not been reviewed on an annual basis. The agreement was last reviewed in December 2020. When reviewing the agreement, Saving Faces should make the CTC aware of the obligations in the DSA and DSFC. |
Operational Management | SEND, Data Sharing Agreement, Version 2 | Organisation nonconformity | 1 |
| 5 |
There was no reference to the source of the data supplied under the DSA in outputs produced. During the audit, wording was agreed between Saving Faces and the Data Access Request Service (DARS) and a statement is going to be included on the Saving Faces’ website. |
Use and Benefits | Opportunity for improvement | ||
| 6 | Saving Faces should consider carrying out a risk assessment on the unencrypted laptop used to process data as it may store temporary files if there is any abnormal shutdown of the processing application. | Information Transfer | Opportunity for improvement | ||
| 7 |
At the post review, the Audit Team will review the risk register being developed. Saving Faces currently has a document that lists potential risks with appropriate mitigations, however no formal SEND risk register is in place. |
Risk Management | Follow-up |
CTC at UCL
| Ref | Finding | Link to area | Clause | Designation | Notes |
|---|---|---|---|---|---|
| 8 |
Data are being stored at a UCL location not specified on the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. |
Information Transfer | DSA, Annex A, section 2b | Agreement nonconformity | |
| 9 | The CTC should consider maintaining a list of hard disk drives (HDD) supplied to the external disposal company for destruction, in order to carry out a reconciliation exercise against the certification of destruction. | Data Destruction | Opportunity for improvement |
Supplementary notes
The following note refers to the tables above and provides additional commentary on the linked finding.
Note 1. Saving Faces declared that the CTC is no longer actively using the data as it is waiting for the next stage of the clinical trial when further data will be supplied, however the data is still being held by the CTC. Data was last supplied in 2018.
Use of data
Saving Faces confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with the datasets explicitly allowed in the DSA.
Data location
Saving Faces and UCL confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| Saving Faces | England / Wales |
| UCL | England / Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Saving Faces | Backup USB drive | To meet contractual requirements |
| UCL | Backup disk | 10 days |
Good Practice
During the audit, the Audit Team noted the following area of good practice:
- There were clear benefits from this clinical trial using the supplied data to health and social care. The following points were noted:
- the SEND trial compared two standard treatments for early mouth cancer. Its findings showed that one method cures 30% more patients. This means that every five minutes, somewhere in the world, the life of one more person with mouth cancer is saved
- the clinical trial enables surgeons for the first time to provide clear evidence regarding the benefits and impact of elective neck dissection for their patients thereby enabling patients to participate more effectively with decision-making regarding their treatment
- patients therefore benefit by being offered more appropriate treatment based on their individual diagnosis, meaning they are less likely to need multiple surgeries.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 18 April 2023 9:23 am