NHS England Post Audit Review: Saving Faces - The Facial Surgery Research Foundation
This report provides the formal closure of the remote data sharing audit of Saving Faces - The Facial Surgery Research Foundation between February and March 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Saving Faces - The Facial Surgery Research Foundation (Saving Faces) between 27 February and 3 March 2023 against the requirements of::
- the data sharing framework contract (DSFC): CON-384008-T4W4W-v2.01
- the data sharing agreement (DSA): DARS-NIC-147858-KGYSS-v4.4
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Medical Research Information Service (MRIS) - Members and Postings Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Flagging Current Status Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | March 2011 - September 2019 |
| MRIS - Cause of Death Report | Identifiable, Sensitive | March 2011 - September 2019 |
| Demographics | Identifiable, Sensitive | Latest available |
The Controller is Saving Faces and the Processor is the Cancer Trials Centre (CTC) at University College London (UCL).
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised of a desk-based assessment of the action plan and supporting evidence supplied by Saving Faces between April and August 2023.
Post Audit Review Outcome
Based on the evidence provided by Saving Faces, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and Saving Faces.
One of the findings in this report has been classified as “No longer applicable” as the process identified during the original audit is no longer in place. Please note, however, that any findings classified as “No longer applicable” may be subject to further review by NHS England if Saving Faces submits any new application for data.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low
Original risk statement: Low
Current risk statement: Low
Data recipient’s acceptance statement
Saving Faces has reviewed this report and confirmed that it is accurate.
Status
The following tables identify the 4 agreement nonconformities, 1 organisation nonconformity, 3 opportunities for improvement and 1 point for follow-up raised as part of the original audit.
Saving Faces
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 |
The standalone laptop used to process the data has an unsupported operating system, is not encrypted, and does not have any malware protection. The laptop is not connected to the Internet but is connected to an encrypted external USB drive which is used to hold the data. However, the USB drive may be temporary connected to a different machine for file transfer. Also, the data is processed on a version of Microsoft Office which is no longer supported. Saving Faces has not conducted a documented risk assessment on the standalone laptop. |
Access Control |
Saving Faces have conducted a documented risk assessment on the standalone laptop and the laptop was replaced. The Audit Team reviewed evidence to confirm Saving Faces are using a new standalone laptop with a supported Operating System, encryption, anti-malware, and the latest version of Microsoft O365. |
Agreement nonconformity | Closed |
| 2 |
The following documents do not reflect current practice regarding the transfer of data from Saving Faces to the CTC:
|
Information Transfer | Saving Faces confirmed to the audit team that the process for any future data transfers will reflect the same methods as stated in the DSA, Selective Elective Neck Dissection study (SEND) SLSP policy and data processing agreement with CTC. | Agreement nonconformity | No longer applicable |
| 3 |
Generic login credentials are being used by two members of staff to access the standalone laptop used to process the data supplied under this DSA. Only two employees have access to the laptop. |
Access Control | The standalone laptop is no longer in use and separate user accounts have been set up for the two employees using the new replacement laptop. The Audit Team received evidence that the separate user accounts have been created. | Agreement nonconformity | Closed |
| 4 |
The SEND data processing agreement with the CTC has not been reviewed on an annual basis. The agreement was last reviewed in December 2020. When reviewing the agreement, Saving Faces should make the CTC aware of the obligations in the DSA and DSFC. |
Operational Management |
The Audit Team received confirmation that the SEND DSA with UCL has been reviewed. The Audit Team received a copy of the latest version of the SEND DSA (v3, 05/06/2023). The following information has been added to the latest version of the SEND data sharing agreement: “The CTC at UCL is declared as a data processor in the DSA to process ONS mortality data from NHS England. Saving Faces and the CTC must abide to the obligations set out in the DSA (NIC-147858-KGYSS-v4.4) and the Data Sharing Framework Contract (DSFC CON-384008-T4W4W-v2.01).” |
Organisation nonconformity | Closed |
| 5 |
There was no reference to the source of the data supplied under the DSA in outputs produced. During the audit, wording was agreed between Saving Faces and the Data Access Request Service (DARS) and a statement is going to be included on the Saving Faces’ website. |
Use and Benefits | A statement has been included on the Saving Faces’ website with the wording agreed between Saving Faces and the DARS at the time of audit. https://savingfaces.co.uk/research-news/the-send-study-update/ | Opportunity for improvement | Closed |
| 6 | Saving Faces should consider carrying out a risk assessment on the unencrypted laptop used to process data as it may store temporary files if there is any abnormal shutdown of the processing application. | Information Transfer |
Saving Faces conducted a documented risk assessment on the standalone laptop and the laptop was replaced. The Audit Team reviewed evidence to confirm Saving Faces are using a new standalone laptop with a supported Operating System, encryption, anti-malware, and the latest version of Microsoft O365. |
Opportunity for improvement | Closed |
| 7 |
At the post review, the Audit Team will review the risk register being developed. Saving Faces currently has a document that lists potential risks with appropriate mitigations, however no formal SEND risk register is in place. |
Risk Management | A SEND risk register has been developed and was provided to the Audit Team. | Follow-up | Closed |
CTC at UCL
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 8 |
Data are being stored at a UCL location not specified on the DSA. It should be noted that the Data Access Request Service (DARS) will exclude processing and storage locations from future DSAs. However, it will be the Controller’s responsibility to maintain a list of all locations where data is being processed and stored and to make this list available to NHS England on request. |
Information Transfer | The latest SEND DSA with UCL has been updated to include all processing locations, including back-ups. The Audit Team received copy of the latest version of the SEND DSA (v3, 05/06/2023 | Agreement nonconformity | Closed |
| 9 | The CTC should consider maintaining a list of hard disk drives (HDD) supplied to the external disposal company for destruction, in order to carry out a reconciliation exercise against the certification of destruction. | Data Destruction | Serial numbers of disk drives are now being recorded prior to physical destruction. The UCL CTC system level security policy v12 (17/07/2023) has been updated to reference this as standard practice. A copy was provided to the Audit Team for review. | Opportunity for improvement | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 28 November 2023 2:44 pm