Post Audit Review: Carnall Farrar Limited
This second post audit report provides the formal closure of the remote data sharing audit of Carnall Farrar Limited in December 2020.
Audit summary
This second post audit report provides the formal closure of the remote data sharing audit of Carnall Farrar Limited (CF) between 1 and 7 December 2020 against the requirements of:
- the data sharing framework contract (DSFC) CON-194564-H7S7F
- the data sharing agreement (DSA) DARS-NIC-243790-Y8K8C-v1.5
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Mental Health and Learning Disabilities Data Set |
Pseudonymised/Anonymised, Non-sensitive | 2015/16 |
|
Hospital Episode Statistics (HES) Admitted Patient Care |
Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| HES Critical Care | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| HES Outpatients | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| HES Accident and Emergency | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
|
Secondary Uses Service (SUS) Payment by Results (PbR) Episodes |
Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| SUS PbR Spells | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| SUS PbR Outpatients | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
| SUS PbR Accident & Emergency | Pseudonymised/Anonymised, Non-sensitive | 2015/16 - 2020/21 |
|
Bridge file: HES to Mental Health Minimum Data Set |
Pseudonymised/Anonymised, Non-sensitive | Latest available |
| Mental Health Services Data Set | Pseudonymised/Anonymised, Non-sensitive | 2016/17 - 2019/20 |
| Emergency Care Data Set | Pseudonymised/Anonymised, Non-sensitive | 2019/20 - 2020/21 |
The Controller is CF and the Processor is Amazon Web Services (AWS). AWS provides cloud storage services to CF.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post audit review
Following a post audit review published in July 2022, 1 agreement nonconformity remained open. This second post audit review comprised of a desk-based assessment of the action plan and supporting evidence supplied by CF for the remaining nonconformity.
Post audit review outcome
Based on the evidence provided by CF, the Audit Team has closed all the findings. No further action is required by the Audit Team and CF.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
The following table shows the risk assigned in the original audit, along with the risk assigned in the previous and latest post audit review.
Original risk statement: Medium
Previous risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
CF has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 2 agreement nonconformities, 1 organisation nonconformity, 1 observation and 5 opportunities for improvement raised as part of the original audit.
Findings 2 – 9 were closed as part of the post audit review conducted in July 2022. Therefore this report highlights the outcome for the remaining finding as indicated.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Validation testing of required security controls has not been conducted. Any future test should consider NHS Digital requirements in the Cloud Good Practice Guidance. | Access Control | Two security assessments were commissioned by CF in 2023 and an output report was shared with the Audit Team in September 2023. The report provided evidence that any risks identified were being satisfactorily addressed. | Agreement nonconformity | Closed |
| 2 | The release of the database within the externally managed docker container used by CF to maintain its system was out of date. The latest version of the database application addresses a number of security vulnerabilities and fixes. No risk assessment has been undertaken to determine any risk posed to the system by using an older version of the database | Access Control |
CF has introduced a process to monitor new releases of the database by subscribing to the developer’s mailing list. It was reported by CF that when a new stable version is released the system will be rebuilt around the new version of the software. This process will be continuous and ongoing. CF shared a document that outlined its assessment on each database version release, risk, benefit, and action. The Audit Team would recommend that any security vulnerabilities on the systems used to process and hold data supplied by NHS Digital are fed into the risk register. |
Agreement nonconformity | Closed |
| 3 | Version control information on documentation was variable and was found to be incorrect on several documents. | Operational Management |
A screenshot was supplied to the Audit Team of the change history in the documents that stated the version control had been edited for the following documents:
CF have updated the Information Security Policy and is now in a new format. A copy of the document was supplied to the Audit Team. The document included a change log section. |
Organisation nonconformity | Closed |
| 4 | CF was able to present evidence of data protection training material being produced and sent to all staff by email, however there was no evidence that there was monitoring of compliance to ensure staff had understood and completed the training in the last 12 months. | Operational Management |
CF has developed an online assessment that needs to be completed as part of the information governance training. It was reported that the training needs to be completed by staff on an annual basis and by new starters. The training is now monitored through a tracker. A screenshot was supplied to the Audit Team of names and dates when staff had completed the online quiz as part of the training. |
Observation | Closed |
| 5 | The Information Asset Register (IAR) could include a column to indicate which datasets have been destroyed. The DSA requires datasets be destroyed on a 5-year rolling period. | Operational Management |
A column has been added to the IAR to reflect which data sets have been destroyed. A copy of the IAR was supplied to the Audit Team. |
Opportunity for Improvement | Closed |
| 6 | CF should retain auditable evidence to demonstrate the permanent deletion of electronic data. Such records could be used as supporting evidence for a certificate of destruction submitted to NHS Digital. | Data Destruction | CF deleted data in June 2021 and completed a NHS Digital Certificate of Destruction (CoD). A copy of the COD was supplied to the Audit Team. | Opportunity for Improvement | Closed |
| 7 | CF should consider formalising its approach to the destruction of hardware for failed disks under warranty | Data Destruction | This finding has been rejected by CF as it considers the current procedures in the information governance training material is sufficient for staff members to correctly identify hardware that needs to be destroyed. | Opportunity for Improvement | Rejected |
| 8 | CF should consider expanding the current documentation around patch management to cover hardware that is used to store and process data supplied by NHS Digital. | Operational Management |
CF has decided not to expand its current documentation around patch management. CF stated that the current patch management solution that CF uses is not available for Linux, and they will instead use a separate solution from the hardware provider. |
Opportunity for Improvement | Rejected |
| 9 | CF should consider producing a detailed data flow diagram, which clearly shows which data is derived and processed through which portal. It could include details for the foresight and capacity work, as well as benchmark activities indicated within the DSA. | Information Transfer | CF has produced a summary data flow diagram. The diagram outlines the process from receipt of datasets to the end products. A copy of the data flow diagram was supplied to the Audit Team. | Opportunity for Improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 19 October 2023 2:15 pm