NHS Digital Post Audit Review: The Brain Tumour Charity

This report provides the formal closure of the remote data sharing audit of The Brain Tumour Charity in January 2021.

Audit summary

This report provides the formal closure of the remote data sharing audit of The Brain Tumour Charity (The Charity) between 11 and 15 January 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-180226-S4T7M
  • the data sharing agreement (DSA) DARS-NIC-158754-R5T3V v2.6

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Sensitive | 2008/09 to 2019/20_M07 |
| HES Admitted Patient Care | Anonymised/Pseudonymised, Sensitive | 2008/09 to 2019/20_M07 |
| HES Critical Care | Anonymised/Pseudonymised, Non-sensitive | 2008/09 to 2019/20_M07 |
| HES Critical Care | Identifiable, Sensitive | 2008/09 to 2019/20_M07 |
| HES Outpatients | Identifiable, Sensitive | 2008/09 to 2019/20_M07 |
| HES Outpatients | Anonymised/Pseudonymised, Sensitive | 2008/09 to 2019/20_M07 |
| HES Accident and Emergency | Identifiable, Sensitive | 2008/09 to 2019/20_M07 |
| HES Accident and Emergency | Anonymised/Pseudonymised, Sensitive | 2008/09 to 2019/20_M07 |
| HES: Civil Registration (Deaths) bridge | Identifiable, Non-sensitive | Latest available |
| Diagnostic Imaging Dataset | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Bridge file: Hospital Episode Statistics to Diagnostic Imaging Dataset | Anonymised/Pseudonymised, Non-sensitive | Latest available |
| Civil Registration (Deaths) - Secondary Care Cut | Anonymised/Pseudonymised, Sensitive | Latest available |

The Controller is The Charity, and the Processor is Microsoft UK. Microsoft UK was not included as part of the audit, as the organisation purely provides the cloud storage platform.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by The Charity between February and March 2022.

Post audit review outcome

Based on the evidence provided by The Charity, the Audit Team has closed all the findings. Therefore, no further action is required by either the Audit Team or The Charity.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

The Charity has reviewed this report and confirmed that it is accurate. 


Status

The following table identifies the 1 agreement nonconformity, 1 organisation nonconformity, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Although the Information Asset Register (IAR) presented in the BRIAN Databank Governance Guidelines was correct at the time of the audit, the entry for health data in the overall Charity IAR was out of date. | Operational Management | The entry in The Charity’s IAR regarding the data provided by NHSD was initially updated in February 2021. The Charity provided a copy of the latest IAR from January 2022. | Agreement nonconformity | Closed |
| 2 | The risk assessment element in the Data Protection Impact Assessment (DPIA) does not fully follow the Information Commissioner’s Office (ICO) guidance and therefore needs to be amended. | Operational Management | The Charity has updated the risk table in the DPIA so that the risk assessment element matches the ICO guidelines. A copy of the revised DPIA was provided to the Audit Team. | Organisation nonconformity | Closed |
| 3 | The overall approach to risk management should be reviewed to ensure that a consistent definition of risk is used. Pre- and post-mitigation values could also be included in the risk log. The risk management section in the BRIAN Databank Governance Guidelines should also be expanded to provide users with more details around the risk management process. | Risk Management | The risk management section of the BRIAN Databank Governance Guidelines was broadened to give more of an overview of the process and to assure all BRIAN team members that they can raise risks with the leadership team. The risk register was updated in February 2021 to use the same risk evaluation method as the DPIA for consistency, and now includes assessments for both pre- and post-mitigation risk levels. The Charity provided copies of the latest versions of the BRIAN Databank Governance Guidelines and the risk register to the Audit Team. | Opportunity for improvement | Closed |
| 4 | The “Role and Access” table in the BRIAN Databank Governance Guidelines should be updated to reflect who has access to the actual data in addition to simple role access. | Access Control | The Charity updated the “Role and Access” table in the BRIAN Databank Governance Guidelines so that it now shows who has direct database access to the Databank. The Charity provided a copy of the latest version of the BRIAN Databank Governance Guidelines to the Audit Team. | Opportunity for improvement | Closed |
| 5 | The process for requesting and approving BRIAN account requests should be made more formal in order to provide an auditable trail. A column could be added to the current access log to record when access was granted or revoked. | Access Control | The Charity revised the “Access Policy” section of the BRIAN Databank Governance Guidelines that covers granting and revoking access to the BRIAN databases to formalise the process. The Charity provided a copy of the latest version of the BRIAN Databank Governance Guidelines to the Audit Team. In addition, a column was added to the access log to record the date a row was updated. A copy of the access log was provided to the Audit Team. | Opportunity for improvement | Closed |
| 6 | The Charity should consider whether in future penetration test reports the scope could be better defined in terms of inclusions and exclusions. | Access Control | The Charity updated the BRIAN Databank Governance Guidelines in February 2021 to include the requirement for the scope to be clearly defined each time a penetration test is conducted. The Charity has commissioned testing to be conducted in early 2022 and this includes an improvement to the definition of the scope. Copies of the BRIAN Databank Guidelines and the statement of work produced by the supplier were provided to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The Charity should undertake a training needs analysis for the role of Data Protection Officer (DPO) and determine whether any specialist training is required. | Operational Management | The Charity completed a training needs analysis in March 2021. The only immediate training need identified was for the Charity’s DPO to understand changes resulting from the United Kingdom’s exit from the European Union. This need was met by the DPO reading appropriate articles about the changes. The analysis also identified that there may be value in the DPO undertaking specific DPO courses in the future. A copy of the training needs analysis was provided to the Audit Team. | Opportunity for improvement | Closed |
| 8 | At the post audit review, The Charity will clarify the physical equipment destruction process with the Audit Team. The Charity has not needed to physically destroy any equipment to date. | Data Destruction | The Charity has defined a process for the secure deletion of data from its equipment and has also set out the approach that it would follow in the event that destruction of physical equipment is required. The details have been documented in the “Asset Configuration & Destruction” section of the BRIAN Databank Governance Guidelines. The Charity provided a copy of the latest version of the BRIAN Databank Governance Guidelines to the Audit Team. | Follow-up | Closed |

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 24 April 2022 3:49 pm