NHS England Post Audit Review: NHS Blood and Transplant
This report provides the formal closure of the remote data sharing audit of NHS Blood and Transplant (NHSBT) in February 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of NHS Blood and Transplant (NHSBT) between 6 and 10 February 2023 against the requirements of:
- the data sharing framework contract (DSFC) CON-321455-Q0T3Y-v2.01
- the data sharing agreement (DSA) DARS-NIC-476579-S9J4D-v1.1
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following dataset:
Dataset | Classification of data | Dataset period |
---|---|---|
Covid-19 Vaccination Status | Identifiable, Sensitive | Latest Available |
The Controller is NHSBT.
Data provided under this DSA will be used to identify which blood donors registered with NHSBT, who have previously donated convalescent plasma, have received the Covid-19 vaccine. NHSBT requires information on the type of vaccine given to each donor and the date of each dose, as well as indicators where donors have not been vaccinated.
Further guidance on the terms used in this post audit review report can be found in version 1 of the Data Sharing Remote Audit Guide.
1.2 Post Audit Review
This post audit review comprised a desk-based assessment and video calls covering the action plan and supporting evidence supplied by NHSBT between September and December 2023.
1.3 Post Audit Review Outcome
Based on the evidence provided by NHSBT, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and NHSBT.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
NHSBT has reviewed this report and confirmed that it is accurate.
Status
The following table identifies the 3 agreement nonconformities, 1 organisation nonconformity, 2 observations, 2 opportunities for improvement and 1 point for follow-up raised as part of the audit.
Ref | Finding | Link to area | Update | Designation | Status |
---|---|---|---|---|---|
1 | NHSBT is using machines and servers which are running unsupported software. | Access Control | The Audit Team received evidence to confirm that the data provided by NHS England are being stored on a server with supported software. | Agreement nonconformity | Closed |
2 | Some security assessments have not been performed. | Access Control | The Audit Team received evidence to confirm regular security assessments are performed on the server being used to store data provided by NHS England. | Agreement nonconformity | Closed |
3 | There was no evidence to show that user permissions to the network folder holding data supplied under the DSA have been reviewed on a regular basis, nor was there any evidence of privilege/administrative access reviews being conducted. | Access Control | The Audit Team received evidence to confirm user permissions to the network folder holding data supplied under the DSA are reviewed on a regular basis. The most recent user permission reviews were performed in September and July 2023, and on both occasions the permissions were correct, and no amendments were required. The next review was scheduled for January 2024. | Agreement nonconformity | Closed |
4 | The NHSBT Password Policy is not consistent with the Active Directory Group Domain Controller settings in place. NHSBT may also wish to review the policy against current National advice. | Access Control | The Audit Team received evidence to confirm that the Active Directory Group Domain Controller settings are now in line with NHSBT Password Policy. | Organisation nonconformity | Closed |
5 | NHSBT will need to determine how data will be permanently deleted from backups when required. | Data Destruction | NHSBT has considered all available options and concluded that it is not technically feasible to permanently delete data from backups when required. Instead, NHSBT would have to wait for backups to cycle out after 12 months. NHSBT accepts the risk which this presents. NHSBT provided evidence to the Audit Team to confirm that, after the backup retention period (12 months), the respective data is marked as expired and cannot be restored. The Audit Team also received evidence to confirm backup data on tape is encrypted. | Observation | Closed |
6 | A number of the configuration and operational documents provided to the Audit Team need to be reviewed and updated. | Operational Management | The Audit Team received evidence to confirm a review of all Data Security, Privacy and Records (DSPR) Management specific operational documents was completed subsequent to the original audit. NHSBT provided evidence to confirm 70 DSPR controlled documents have been reviewed, including 16 new policies. A tracker document was also provided to the Audit Team to evidence progress updates for each document. | Observation | Closed |
7 | The Audit Team suggests that the following fields are added to the Record of Processing Activities (ROPA): | Operational Management | The Audit Team reviewed the updated ROPA via screen sharing on MS Teams and confirmed that Date of deletion and Data classification fields had been added. | Opportunity for improvement | Closed |
8 | NHSBT uses explicit consent for individuals to participate in the trial and to obtain data from NHS England as the legal basis. However, this is not explicitly mentioned in its privacy notice. NHSBT updated its privacy notice during the audit. | Operational Management | NHSBT updated its privacy notice during the audit. | Opportunity for improvement | Closed |
9 | NHSBT is in the process of updating its procedures in terms of the completion and process for Data Protection Impact Assessments (DPIAs). The current DPIA will need to be updated in line with the revised procedures. | Operational Management | The Audit Team reviewed the new CoreStream online platform for managing DPIAs and confirmed that the DPIA had been updated in line with the revised procedures. | Follow-up | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 4 March 2024 12:18 pm