Accountability report

Remuneration and staff report

This report for the year ended 31 March 2019 deals with the pay of the Chair, Chief Executive and other senior management.

Remuneration Committee

The pay of the executive board directors is set by the Talent, Remuneration and Management Committee based on the recommendations of the Senior Salaries Review Board and is reviewed on an annual basis. NHS Digital operates the NHS Executive and Senior Manager (ESM) pay framework with the approval, where necessary, of the Department of Health and Social Care Remuneration Committee. This includes a job evaluation scheme, administered by the NHS Business Services Authority, and provision for a maximum 5% bonus for not more than the top 25% of performers within the ESM group. Three bonus payments were made in 2018-19 through this mechanism, reflecting performance during 2017-18,  details  of  which  are  contained in the remuneration report. The scheme also provides for an annual pay award as a flat-rate payment based on 1% of the average ESM salary.

The Chief Executive and other executive directors are not present for discussions about their own remuneration and terms of service but are able to attend meetings of the committee, at the Chair’s invitation, to discuss other employees’ pay and terms of service.

Remuneration policy

The standard remuneration arrangements for NHS Digital are those provided under the national NHS Agenda for Change (AfC) terms and conditions of employment. This includes a job-evaluation scheme that has been tested and demonstrated to be equality proofed.

The AfC pay award for 2018-19, as recommended by the NHS Pay Review Body, comprised a 1% increase to all pay points. Comparable arrangements were implemented for staff that had transferred into NHS Digital, with terms and conditions protected under the ‘Transfer of Undertakings (Protection of Employment)’ regulations, except where there was a legal entitlement to a protected pay award.

Service contracts

During 2018-19, all executive directors were employed on permanent employment contracts with a six-month notice period and worked for NHS Digital full-time, except Martin Severs who worked on a part-time basis. If contracts are terminated for reasons other than misconduct, they come under the terms of the NHS compensation schemes.

Non-executive director's contracts are as follows:

Non-executive directors are not entitled to compensation for loss of office or early termination of appointment.

The remuneration and pension disclosures relating to senior staff in post during 2018-19 and 2017-18 are detailed in the tables below and are subject to audit. The figures provided consist of basic pay, performance  pay, pension benefits and benefits in kind. They do not include employee pension contributions nor the cash equivalent transfer of pensions.

¹ Michael Kay is a contractor and the salary is calculated based on the day rate he receives from the recruitment agency

² Mark Stock is seconded from PwC with the rate being his deemed salary charged by PwC

³ Rachael Allsop worked on a part time basis from May 2017 until she resigned on 31 October 2017

⁴ Martin Severs worked on a part time basis from September 2018

⁵ Sean Walsh’s prior-year disclosures have been restated to reflect the benefits in kind paid

The resignation date refers to the resignation from the Board, not necessarily the organisation.

¹ During 2017-18, Sudhesh Kumar was seconded from the University of Warwick and costs relate to the total value of charges net of irrecoverable VAT.

No performance pay, benefits in kind or pension-related benefits were paid.

The emoluments of the Chair and the non-executive directors do not include employer national insurance contributions. The total included in note 5 of the accounts does include such contributions.

Pension benefits were provided through the NHS Pension Scheme.

¹ Ken Baker has no CETV at 31 March 2019 as he reached pensionable age

² No lump sum is disclosed as there is no set minimum lump sum within the 2008 section of the NHS Pension Scheme.

In 2017-18 there was a calculation error such that the CETV factors used for individuals with benefits in the 2015 scheme were incorrect. NHS Pensions have confirmed that the start of year CETVs have been amended to reflect the transfer value at 31 March 2018 using the correct CETV factors.

A Cash Equivalent Transfer Value (CETV) is the actuarially assessed capitalised value of the pension scheme benefits accrued by a member at a particular point in time. The benefits valued are the member’s accrued benefits and any contingent spouse’s pension payable from the scheme. A CETV is a payment made by a pension scheme or arrangement to secure pension benefits in another pension scheme or arrangement when the member leaves a scheme and chooses to transfer the benefits accrued in their former pension scheme.

The pension figures shown relate to the benefits that the individual has accrued as a consequence of their total membership of the pension scheme, not just their service in a senior capacity to which disclosure applies.

The CETV figure and other pension details include the value of any pension benefit in another scheme or arrangement that the individual transferred to the NHS Pension scheme. They also include any additional pension benefit accrued to the member as a result of them purchasing additional years of pension service in the scheme at their own cost. CETVs are calculated within the guidelines and framework prescribed by the Institute and Faculty of Actuaries.

The real increase in CETV reflects the increase effectively funded by the employer. It excludes the increase in accrued pension due to inflation and contributions made by the employee (including the value of any benefits transferred from another pension scheme or arrangements) and uses common market valuation factors for the start and end of the period.

The staff costs, average number of whole-time equivalent persons employed and the relationship between the highest paid director and the median of the workforce are subject to audit:

The average number of whole term equivalent persons employed during the year was:

There were no amounts spent on staff benefits during the year and there were two early retirements on the grounds of ill health.

The relationship between the remuneration of the highest paid director and the median remuneration of the workforce is as follows:

Non-permanent staff remuneration is calculated using the day rate net of irrecoverable VAT, less a deemed employer pension contribution and annualised based on 230 working days.

The increases to the lower range of staff remuneration and the median pay reflects the 2018-19 NHS Agenda for Change pay award.

Five members of staff who are mainly medical professionals received full-time equivalent remuneration in excess of the highest-paid director. There are 11 posts, as of 31 March 2019, that meet the criteria of Board members or senior officials with significant financial responsibility.

Most NHS Digital staff are covered by the NHS Pension Scheme (the 1995/2008 scheme and the 2015 scheme).

NHS Pension Scheme

Past and present employees are covered by the provisions of the two NHS pension schemes. Details of the benefits payable and rules of the schemes can be found on the NHS pension scheme website. Both are unfunded, defined-benefit schemes that cover NHS employers, GP practices and other bodies in England and Wales allowed under the direction of the Secretary of State. They are not designed to be run in a way that would enable NHS bodies to identify their share of the underlying scheme assets and liabilities. Therefore, each scheme is accounted for as if it were a defined contribution scheme, whereby the cost to NHS Digital of participating in the scheme is taken as equal to the contributions payable to that scheme for the accounting period.

In order that the defined benefit obligations recognised in the  financial  statements do not differ materially from those that would be determined at the reporting date by a formal actuarial valuation, the Financial Reporting Manual (FReM) requires that “the period between formal valuations shall be four years, with approximate assessments in intervening years”. An outline of these follows:

a) Accounting valuation

A valuation of scheme liability is carried out annually by the scheme actuary (currently the Government Actuary’s Department) as at the end of the reporting period. This utilises an actuarial assessment for the previous accounting period, in conjunction with updated membership and financial data for the current reporting period, and is accepted as providing suitably robust figures for financial reporting purposes. The valuation of the scheme liability as at 31 March 2019 is based on valuation data for 31 March 2018, updated to 31 March 2019, with summary global member and accounting data.

In undertaking this actuarial assessment, the methodology prescribed in IAS 19, relevant FReM interpretations, and the discount rate prescribed by HM Treasury have also been used.

The latest assessment of the liabilities of the scheme is contained in the scheme actuary report, which forms part of the annual NHS Pension Scheme (England and Wales) Pension Accounts.

These accounts can be viewed on the NHS Pensions website and are published annually. Copies can also be obtained from The Stationery Office.

b) Full actuarial (funding) valuation

The purpose of this valuation is to assess the level of liability in respect of the benefits due under the schemes (taking into account recent demographic experience) and to recommend contribution rates payable by employees and employers.

The latest actuarial valuation undertaken for the NHS Pension Scheme was completed as at 31 March 2016. The results of this valuation set the employer contribution rate payable from April 2019. The Department of Health and Social Care have recently laid scheme regulations confirming that the employer contribution rate will increase from 14.5% to 20.6% of pensionable pay from this date.

The 2016 funding valuation was also expected to test the cost of the scheme relative to the employer cost cap set following the 2012 valuation. Following a judgment from the Court of Appeal in December 2018, the government announced a pause to that part of the valuation process pending conclusion of the continuing legal process.

Members can purchase additional service in the NHS Pension Scheme and contribute to Money Purchase Additional Voluntary Contributions run by the scheme’s approved providers or by other free standing additional voluntary contributions providers.

Employees who do not wish to join the NHS Pension Scheme can opt to join the National Employment Savings Trust (NEST) scheme. This is a stakeholder pension scheme based on defined contributions. The minimum combined contribution is currently 5% of qualifying earnings, of which the employer must pay 2%. This rises to 8% in 2019-20, of which the employer must pay 3%. Employees can choose to pay more into the fund, subject to a current cap of £4,700 per annum. 17 NHS Digital employees were members of the NEST Scheme during 2018-19.

The Principal Civil Service Pension Scheme

The Principal Civil Service Pension Scheme (PCSPS) and the Civil Servant and other Pension Scheme, known as ‘alpha’, are unfunded multi-employer defined benefit schemes. NHS Digital is unable to identify its share of the underlying assets and liabilities. The scheme actuary valued the scheme as at 31 March 2012. Details can be found in the resource accounts of the Cabinet Office.

For 2018-19, employer’s contributions of £431,697 were payable to the PCSPS (2017-18: £444,610) at one of four rates in the range 20.0% to 24.5% of pensionable earnings, based on salary bands. The scheme actuary reviews employer contributions, usually every four years following a full scheme valuation. The contribution rates are set to meet the cost of the benefits accruing during 2018-19 to be paid when the member retires and not the benefits paid during this period to existing pensioners.

The employers contribution rate for 2019-20 ranges from 26.6% to 30.3%.

Employees can opt to open a Partnership Pension Account, which is a stakeholder pension with an employer contribution. Employer contributions are age-related and range from 8% to 14.75% of pensionable earnings. Employers also match employee contributions up to 3% of pensionable earnings. No employees have opted for the Partnership Pension Account.

Sickness absence data

During 2018, 15,240 (2017: 12,940) working days were lost due to sickness absence. This represented 5.2 (2017: 4.5) working days per employee. These figures are based on calendar years, not financial years, and were centrally produced from the Electronic Staff Record. Average sickness absence for 2018 was 2.4%.

Consultancy

The total spend on consultancy, as defined by HM Treasury guidance, was £1,799,000.

Health and safety

We have legal responsibilities for the health, safety and welfare of our employees and for all people using our premises. We comply with the Health and Safety at Work Act (1974) and operate a Health and Safety Committee under the Safety Representatives and Safety Committee regulations (1977). Training on fire-related health and safety is mandatory and there are online learning packages available for other health and safety topics, including manual handling and working with visual-display equipment.

Exit packages

Total staff termination packages are as follows and are subject to audit:

2018-19

Exit packages above relate primarily to ‘Wave 1’ of the organisation’s internal restructure and include payments actually made and accrued. In addition, a provision has been made for £1,290,000 covering a further 17 staff but these are not included above as the individual calculations have not been confirmed.

2017-18

Other departures relate to contractual costs under a mutually agreed resignation scheme.

Review of tax arrangements of public sector appointees – off-payroll engagements 

As part of the Review of Tax Arrangements of Public Sector Appointees, published by the Chief Secretary to the Treasury on 23 May 2012, we are required to publish (via the Department of Health and Social Care) information about the number of off-payroll engagements that are in place and where individual costs exceed £245 per day.

Number of existing engagements as of 31 March 2019: 83

Of which, the number that have existed:

• for less than one year at the time of reporting - 53
• for between one and two years at the time of reporting - 23
• for between two and three years at the time of reporting - 6
• for between three and four years at the time of reporting  - 1
• for four or more years at the time of reporting - 0

Number of new engagements, or those that reached six months in duration, between 1 April 2018 and 31 March 2019 that were for more than £245 per day: 66

Of which, the number:

• assessed as caught by IR35 - 19
• assessed as not caught by IR35 - 47
• engaged directly (via a Personal Service Company contracted to NHS Digital) who are on the payroll – 0
• of engagements reassessed for consistency / assurance purposes during the year - 144
• of engagements that saw a change to IR35 status following the consistency review - 104

We are committed to maintaining in-house capacity but it is recognised that, with a significant element of our activity being project based with peaks and troughs in requirements, making the best use of the temporary labour market is necessary. Many of our programmes require specialist input on a temporary basis and it is not always cost-effective to permanently recruit such skills.

The total cost of temporary labour increased in the year to £16.3 million, compared to £13.1 million in 2017-18, as we brought in specialist resources to assist in the development of our major programmes.

We continue to improve our assurance processes to ensure we categorise all engagements in line with best practice. Up to December 2018, we assessed all contractors using the toolkit supplied by HMRC. From January 2019, we are now making an initial assessment internally. Any contractors considered to be outside of scope are then being reassessed by an external provider.

Following the implementation of the new rules for IR35 introduced for the public sector in April 2017, we undertook a considered assessment of the status for each individual contractor which we believed met the HMRC requirements. However, HMRC have challenged our assessment. We have been in extensive discussions but now consider it appropriate to acknowledge their position and create an accrual covering the period from 1 April 2017 to 31 December 2018. This accrual is £4.3 million including interest and penalties.

Our three key strategic priorities for equality, diversity and inclusion guide our action plans and day-to-day interactions with our employees, and have executive director level accountability across the business.

Priority 1 – A diverse workforce

We aim to create and maintain a diverse, representative workforce within NHS Digital and increase the pool of diverse employees across the health and care technology and data sectors.

During 2018-19, we:

• volunteered to participate in the national Workforce Race Equality Standard (WRES) programme by publishing our WRES report with commitments to close the gap in workforce race equality. Compared to the overall demographic of our workforce, people from Black, Asian and Minority Ethnic backgrounds are over-represented in middle bandings (AfC bands 4-7) and under-represented across all senior pay bands
• promoted the development of diverse talent via executive recruitment agencies and through our NHS Digital Academy, building relationship with inner city schools and universities
• improved our employee lifecycle data with the launch of an exit survey and recruitment survey
• introduced a reasonable adjustment passport to improve communication for staff, allowing employees to provide information about their conditions, impairments or disabilities and to capture all agreed physical or non-physical workplace adjustment requirements. This helps to minimise the need to reiterate or renegotiate workplace adjustments on moving assignments or locations
• worked to remove bias from our organisational change programme
• continued with our membership of the NHS Equality and Diversity Council
• established a steering group chaired by a non-executive director, to provide oversight and promote collaborative work on improving equality, diversity and inclusion

Priority 2 - Inclusive behaviours and leadership

We are creating a working environment that values differences and fosters an inclusive culture in which our employees from all backgrounds can give their best, are treated fairly, are valued for their contributions and can progress their careers. Leaders and managers will demonstrate inclusive behaviours.

During 2018-19, we:

• supported various initiatives such as the National Inclusion Week and the Race at Work Charter
• created an animated ‘call to action’ on inclusive leadership which supported the launch of a Reverse Mentoring programme. This is a programme of culture change and an opportunity for senior leaders to hear the voices at all levels of the organisation and to access a rich diversity of thinking, to make positive changes. The benefits of Reverse Mentoring include recognition that diversity is taken seriously and having a workforce that feels more engaged and listened to
• undertook a range of internal support activities including creating a new senior leadership community for engagement. We provided unconscious bias training to the leading in NHS Digital cohort, rolled out mandatory ‘equality essentials’ e-learning and nominated a Board level “speak up” champion
• built a visible network of over 100 LGBT allies. Many LGBT people still have negative experiences in the workplace and rainbow lanyards are a visible sign to show support
• rolled out LGBT awareness workshops to staff with pastoral responsibilities, increasing knowledge of LGBT issues and confidence to talk about them
• established a ‘Culture, Values and Behaviour’ task and finish group to oversee a pivotal part of the transformation agenda
• became a Stonewall Diversity Champion and agreed our commitment to the Workplace Equality Index
• supported our staff-led diversity networks and provided access to short, group coaching sessions with over 80 attendees in total at the monthly Leeds and London sessions

Priority 3 – User equality

We will develop and provide digital and data services that are accessible and useable by the widest possible range of users, particularly for patient and public-facing services. We will appropriately reflect our public-sector duty in our communications, policies, programmes, processes and training.

During 2018-19, we:

• supported the development of NHS.UK which has accessibility at its core, allowing teams to build new web services with code that works well with assistive technology
• developed the NHS Digital corporate website to become ranked second overall and first in England in the NHS Website Accessibility Index
• ensured that all of our digital health services and products are inclusive and accessible to everyone, particularly the hardest to reach, through the Widening Digital Participation programme
• ensured that our existing properties, and the planning for the Leeds Hub, have appropriate facilities including prayer rooms and contemplation rooms

Over the next three years we will continue to progress these priorities in particular:

• continue to improve our provision for accessible workplaces, in terms of ICT and estates provision
• introduce enhanced leadership and line management training and review our mandatory equality, diversity and inclusion training
• continue to develop our diversity staff networks to ensure their sustainability
• embed accessibility standards across all our services, particularly those with a significant public or patient dimension
• engage diverse communities in product development through user research and testing

Staff-led Diversity Networks

Our staff-led diversity networks continue to grow and become more embedded in how we work. We now have seven staff-led diversity networks including:

• LGBT and allies
• Ethnic Minorities Broadening Racial Awareness
• and Cultural Exchange
• Age Aware
• Ability (Disabilities, long term conditions
• and carers)
• Deaf Awareness
• Women’s
• Multifaith

Staff-led activities are based upon the life experience of staff and network members and raise awareness of difference and diversity within the organisation. All staff-led networks have an executive sponsor and a workforce ally. They are critical to nurturing the culture and structures of mutual support that help NHS Digital drive continuous improvement.

Our staff-led diversity networks have celebrated a range of events and festivals, including the International Day of Persons with Disabilities, Deaf Awareness Week, International Womens Day, Ramadan and Eid.

The gender distribution in NHS Digital for each Agenda for Change equivalent grade is provided below:

There has been no significant change in the gender or grade split of our workforce. 58% of employees are male (2017-18: 57%). We are acting to promote digital careers for women, including working with Women in Digital to get more women into digital apprenticeships.

Our gender pay gap for the reporting period to March 2019 was:

The gap between the median salaries of women and men is gradually reducing and this contrasts with the trend across the public sector as a whole where there is still a median gap of 14.1%. However, on average, men continue to occupy more of the senior pay bands than women at NHS Digital. Men also attract more recruitment and retention premiums (applied to certain types of specialist and technical roles for which recruitment is a challenge) and ‘on call’ premiums. Two men applied for every management role at NHS Digital for every woman who applied, and there was a similar ratio in the numbers shortlisted and appointed, with some slight differences between grades.

NHS Digital uses the national Agenda for Change Job Evaluation Scheme, which provides a clear framework for defining roles within pay bands. We publish an annual Diversity and Inclusion Workforce Report. The 2017-18 report includes details of our gender pay gap for this period. Our 2018-19 report is scheduled for publication in autumn 2019.

Community and social responsibility 

We have a special leave policy that allows staff to take paid leave for public duties (for example, magistrate, school governor and reserve forces roles). We have also developed work experience and placement programmes for schools, colleges and universities near our office locations. We also support the government’s objective of eradicating modern slavery and human trafficking.

Anti-fraud, bribery and corruption

We have an anti-fraud, bribery and corruption policy in place and will always seek the appropriate disciplinary, regulatory, civil and criminal sanctions against those who commit fraud and, where possible, recover losses.

Public sector facility time publication requirements

We work in partnership with trades union representatives on all matters affecting our employees, to ensure an effective and successful organisation. Regular Joint Negotiation and Consultation Committee meetings are held to allow discussion, consultation and negotiation on employment-related matters.

Staff members are permitted time to engage in appropriate trades union activities. Details are below:

All elements of this report are subject to audit.

Losses and special payments

Losses and special payments are items that Parliament would not have contemplated when it agreed funds for the health service or passed legislation. By their nature, they are items that ideally should not arise. They are, therefore, subject to special control procedures.

During 2018-19 there were 207 losses and special payments (2017-18: 94), amounting to £4,292,450 (2017-18: £20,452). Losses include £4,266,597 in relation to IR35 liabilities.

Other losses and special payments include bad debts written off, losses of minor IT equipment and mobile phones and payment of tax penalties and interest. Interest paid under the Late Payment of Commercial Debt (Interest) Act 1998 amounted to £39 (2017-18: £nil).

Political and charitable donations

No political or charitable donations were made in the year. 

Remote contingent liabilities

We have not identified any significant remote contingent liabilities. These are liabilities for which the likelihood of a transfer of economic benefit in settlement is too remote to meet the definition of contingent liability within the meaning of IAS 37.

Our constitution is set out in Schedule 18 of the Health and Social Care Act 2012. The formal arrangements are detailed in the Accounting Officer Memorandum sent to our Chief Executive by the Department of Health and Social Care Accounting Officer.

Our relationship with the Department of Health and Social Care is set out in a framework agreement, with annual objectives conveyed through an annual remit letter. A specific Department of Health and Social Care sponsor team engages with and oversees our activities, provides support and undertakes regular reviews via quarterly meetings.

The Board

We are led by a Board consisting, at 31 March 2019, of three executive and nine non-executive members (including the Chair) and one ‘ex-officio’ member. The Board is the senior decision-making body. Other senior executives attend the Board as required. The Board supports the Chief Executive, who is the Accounting Officer and is therefore accountable to both the Secretary of State for Health and Social Care and to Parliament for the performance of the organisation.

The Board has a responsibility to ensure that NHS Digital complies with all statutory and administrative requirements and for its use of public funds. Details of the conduct of the Board and the roles and responsibilities of members are set out in the Terms of Reference which are derived from our Corporate Governance Manual, which includes our Standing Orders, Standing Financial Instructions and Scheme of Delegation. All these documents are reviewed annually. Details of the Board biographies and the Register of Interests are in Appendix B.

A Register of Interests of all Board members is maintained, updated and published in advance of every statutory board meeting. The Chair or Senior Independent Director manage conflicts of interest if and when these arise.

The powers retained by and the responsibilities of the Board include:

• agreeing our vision and values, culture and strategy within the policy and resources framework agreed with the Department of Health and Social Care
• agreeing appropriate governance and internal assurance controls, especially in relation to financial and performance risks
• approving business strategy, business plans, key financial and performance targets and the annual accounts
• ensuring sound financial management and value for money supporting the Executive Management Team (EMT) and holding it to account

Two non-executive directors retired and three non-executive directors were appointed during the year. Professor Martin Severs retired from the Board on 28 February 2019. In April 2019, he was replaced as Chief Medical Officer by Dr Amir Mehrkar on an acting basis.

On 31 March 2019, seven of the non-executive directors were male and two were female. Two of the executive directors were male and one was female.

Professor Soraya Dhillon MBE was appointed as the Senior Independent Director in the year and carried out an informal review of Board effectiveness and reported her findings to the Chair. She continues to regularly monitor the Board’s effectiveness and performance. Looking towards 2019-20, the Chair anticipates commissioning a more comprehensive and independent Board effectiveness review.

NHS Digital Board and committees

During 2018-19, six statutory public meetings were held and there were a further five business meetings.

Statutory meetings consist of:

• meetings of the Board held in public that other members of the senior management team may attend. Members of the public may attend and observe. Papers and previous minutes are made available on the NHS Digital website in advance of the meetings
• meetings of the Board held in private at which items of a commercial or confidential nature are tabled that cannot be discussed in public 

In addition to standing agenda items on the governance and performance of our organisation, the statutory meetings discussed a range of topics including:

• the resolution of the TPP data opt-out issue and subsequent system changes to avoid a recurrence
• arrangements for the provision of data to the Home Office and suspension of the memorandum of understanding
• the impacts of the NHS Long Term Plan
• the risks and potential impact of the internal transformation programme, Org2
• implementation of General Data Protection Regulations (GDPR)
• the impact of the creation of NHSX to oversee the strategy, policy and the commissioning of digital solutions
• the potential impacts of the UK not being an EU member state, especially in relation to the hosting of data

Members of the Board use the business days to consider strategic issues within the organisation and in the broader digital environment. These in-depth meetings include additional senior operational staff. Some key issues discussed during 2018-19 included:

• development of corporate strategy
• development of the Board

Board committees 

The Board has appointed four committees whose delegated responsibilities are described below. Attendance during 2018-19 is described in Appendix C. A standing item on the Board’s agenda allows the chairs of committees to report on their deliberations. The minutes of the Board’s subcommittees (other than those of the Talent, Remuneration and Management Committee) are circulated to board members after they are ratified.

The Audit and Risk Committee (ARC)

Provides an independent view to the Chief Executive and the Board of the organisation’s internal controls, operational effectiveness, governance and risk management. This includes an overview of internal and external audit services, risk management and counter fraud activities. The Committee is authorised to investigate any activity within its terms of reference and to seek any information that it requires from any employee. It is able to seek legal or independent professional advice and secure the attendance of external specialists.

The key areas reviewed in 2018-19 included:

• oversight of the preparation of the Annual Report and Accounts, including the annual governance statement on behalf of the Board
• strategic input into the internal audit plan
• review of internal audit reports and actions arising, together with the Head of Internal Audit’s annual opinion which was Moderate for the organisation as a whole during the year
• review of the external audit plan and regular updates on progress of the audit including actions taken in response to recommendations made during the previous year
• received from the National Audit Office (the organisations external auditors) the ‘Letter to
• those charged with Governance’ which resulted in an unqualified opinion on the financial statements
• review of the internal counter-fraud specialist work plan and receive regular updates on fraud investigations and an annual report covering fraud and whistleblowing
• review of whistleblowing arrangements - there was one reported case of whistleblowing during the year
• an annual report on year end assurance processes and progress on developing assurance maps
• regular review of the strategic risk register and several strategic risk deep dives including organisational restructuring, clinical risk, business continuity and data quality

The Information Assurance and Cyber Security Committee (IACSC)

Provides an independent view to the Chief Executive and the Board. The IACSC has representation from across government, including the Department of Health and Social Care. It is responsible for ensuring that there is an effective information assurance function that meets recognised industry and government standards and provides appropriate independent assurance to the Chief Executive and the Board.

The IACSC reviews the work of the Data Security Centre and considers the implications of management responses to its work. It monitors other significant cyber assurance functions, both internal and external to the organisation. It is authorised to investigate activities within its terms of reference and all employees are directed to co-operate with its requests for information. It can seek legal or independent professional advice at NHS Digital’s expense.

The main areas considered in 2018-19 included:

• the funding and implementation of the NHS Digital Cyber Security programme
• the National Cyber Security Centre assessment of threats to health and care and operational relationships with other government departments
• implementation of actions from the Department of Health and Social Care response to the National Data Guardian’s report on data security, consent and opt-outs and from the departmental Data Security Leadership Board
• the implications for NHS Digital of the WannaCry incident and the subsequent development of the joint operational handbook for incident response
• the development of the Information Security and Protection Toolkit
• the risk profile and security of the Citizen Identity programme and the implementation of ‘internet of things’ technologies across health and care
• the information assurance implications for NHS Digital of GDPR
• cyber security awareness training for NHS Digital’s and other boards

The Talent, Remuneration and Management Committee (TRaMCo)

Provides an independent view to the Chief Executive and the Board.

The role of TRaMCo is to:

• make recommendations to the Department of Health and Social Care on the level of
• the remuneration on packages of the Chief Executive and other executive directors within the provisions of the PayFramework for Executive and Senior Managers (ESM) or successor arrangements
• monitor and evaluate the performance of ESMs and make recommendations on annual performance pay awards
• determine pay arrangements for medical and other staff groups who are not subject to Agenda for Change, ESM or Transfer of Undertakings (Protection of Employment) terms and conditions
• maintain an overview of senior non-medical staff pay to ensure that it remains consistent with public pay policy
• approve the level of any annual performance related pay awards to NHS Digital staff on ex-Civil Service terms and conditions
• approve the annual performance objectives and targets of executive directors
• ensure that pay arrangements meet equal pay requirements
• consider and approve redundancy payments and other exceptional arrangements
• ensure that all matters relating to pay and conditions that require approval from the Department of Health and Social Care Talent, Remuneration and Management Committee or other external authorities, are sent to those bodies and that the decisions are implemented
• review and make recommendations on the size, composition and structure of the Board, including advising the Department of Health and Social Care of the skills, knowledge and experience required of new Board appointments
• oversee pay-related diversity and inclusion matters relating to protected characteristics within the workforce
• review the expenses and subsistence claims of executive and non-executive directors
• provide advice to the Executive Management Team on talent, remuneration and employment matters

Investment Committee (IC)

Provides an independent view to the Chief Executive and the Board. The Committee considers investment and/or financial proposals whose value exceeds the delegated authority of the Chief Executive. The Committee consists of two non-executive directors, the Chief Executive and the Chief Finance Officer. The Chief Commercial Officer and the Executive Director of Product Development also attend. One of the non-executive directors acts as chair.

The purpose of the Committee is to review and assure investment and other financial proposals and to ensure that NHS Digital assumes an acceptable level of delivery risk.

Specifically, the Committee ensures that programmes have demonstrated that they:

• have appropriate management and resourcing arrangements, including agreed commercial strategies and risk management
• are technically robust and clinically safe
• are affordable
• have robust proposals for cyber security and information security
• have acceptable levels of compliance risk, particularly with respect to information governance and procurement

Following IC endorsement, business cases are submitted to the Technology and Data Investment Board hosted by NHS England

Executive Management Team (EMT)

EMT is responsible for communicating and delivering the strategy agreed by the Board. It is chaired by the Chief Executive and meets regularly. Action points and decisions are disseminated to all staff through the corporate intranet.

Data and information governance

A wide-ranging legal, regulatory and compliance framework governs our receipt, processing and dissemination of data and information, and our production of statistics. A schedule covering the key areas is included in Appendix D.

A key element of our responsibilities is to ensure that all data and information is collected, stored and disseminated appropriately. Information and statistical governance are taken extremely seriously. We have improved controls and protocols through the Data Access Request Service (DARS). DARS enables data applicants to submit and manage data access requests and sign data sharing agreements through a single, intuitive online portal. This has delivered far greater transparency and a significant reduction in administrative burden.

The service is being continuously improved and there has been a programme of engagement across the health and care community. We have also developed our Data Collections Service, which continues to make significant progress in consolidating data collections and transitioning them to a unified suite of collection tools. Improvements made in recent years mean the service has now consolidated collections into the Strategic Data Collection System, which has increased efficiency and public benefit.

By centralising all data requests and disseminations through DARS and through the introduction of new tools and services, we continue to increase efficiency and improve the quality of service for external users. We also provide system-wide advice on operational information governance to the health and social care sectors in England. This is separate from our principal role as the guardian of data, set out in the Health and Social Care Act 2012.

Improving governance and assurance processes across the system

We all have an interest in getting the right decision, made by the right people, at the right time and for the right reasons. This is particularly important for the Department of Health and Social Care and NHS England, who fulfil a number of roles including paymaster, budget holder, sponsor, service user, Senior Responsible Owners for programmes and the bodies holding the system to account.

Our role within the wider informatics arena and our relationships with our key partners is clear. We are the main informatics delivery organisation and both contribute to, and are held operationally accountable by, the Digital Delivery Board (DDB). Our Chief Executive is a member of DDB and the deputy Chief Executive and Chief Finance Officer attend whilst a significant number of our EMT and senior managers are involved in the development of future plans.

However, the governance arrangements are in the process of changing as responsibility for informatics strategy and delivery transfers to NHSX. The exact arrangements and how they impact on our delivery role are still to be finalised.

NHS Digital is an executive non-departmental public body. It is responsible for setting up and operating systems for the collection, analysis, dissemination and publication of information relating to health services and adult social care and for ensuring citizens’ health data is protected.

We develop and operate information and communications systems for health services and adult social care in England and act as the authority for determining and publishing information standards. We are accountable directly to Parliament for the delivery of the statutory functions described within the Health and Social Care Act 2012.

The Senior Departmental Sponsor for the Department of Health and Social Care is responsible for ensuring our procedures operate effectively, efficiently and in the interest of the public and the health sector.

Governance framework

Details of our constitution, our operational accountability, our Board and its appointed committees are provided on pages 110 to 115. Information about the conduct of the Board and the roles and responsibilities of members are set out in our Corporate Governance Manual, which incorporates the Standing Orders, Standing Financial Instructions and the Scheme of Delegation. This is reviewed and updated annually. We comply with the best practice described in the corporate governance code for central government departments issued by HM Treasury.

Corporate policies are reviewed on a regular basis and are refined as appropriate.

Risk and assurance framework

We have reviewed our corporate risk and assurance framework methodology during 2018-19 and made further improvements, which included creating directorate assurance maps and enhancing control and assurance statements. Each directorate completed an annual self-assessment statement that included:

• an acknowledgement of their responsibilities and objectives over the financial year, including new responsibilities and objectives
• a statement that a sound system of internal controls was in place and that these controls had operated as intended
• confirmation of compliance with statutory obligations and organisational policies
• a description of the directorate’s action plans and improvement activity
• a quality assessment of the level of information supplied to allow for effective decision-making

We continue to carry out regular quality assurance checks to ensure that the risk information held is current, accurate and of good quality. We have refined strategic risk reporting to focus on the outcomes of our risk management effort and this work has been reported to the Audit and Risk Committee (ARC), Executive Management Team (EMT) and the Board. The use of risk management performance metrics is starting to drive an overall improvement in risk data quality and risk management behaviours, although further improvements are planned for 2019-20.

Risks are reported regularly and escalated through our internal governance structure, with the top strategic risks and issues ultimately being considered by the Delivery Assurance Board (DAB), EMT, ARC and our Board. During 2018-19, we:

• reviewed our strategic and other key risks, so that they continued to reflect the most significant risks to the delivery of our strategic objectives
• began work to refine the control and assurance framework for our strategic risks
• continued delivery of our targeted risk management improvement plan - this focused on risk maturity, capability and awareness, including improved tools, metrics, reporting and collection methods
• started work to strengthen our governance and accountabilities for managing and reporting risks, to ensure that the most significant risks are escalated appropriately and in a timely manner, to enable effective risk mitigation
• continued to refine the reporting of risks that cross organisational boundaries
• continued development of a set of key risk indicators to provide early warning and triggers for risk interventions
• sought opportunities to leverage the use of risk information in decision-making

We will continue this work in 2019-20, including a review of our strategic risk-appetite model.

Internal audit and other third-party assurance

NHS Digital’s internal audit service is provided by the Government Internal Audit Agency (GIAA). It plays a crucial role in reviewing the effectiveness of management controls, risk management and governance. It focuses audit activity on the key risk areas. This service uses a blend of internal GIAA staff and resources from professional firms. The internal audit service operates in accordance with the Public Sector Internal Audit Standards and to an annual internal audit plan approved by ARC.

Regular reports are submitted on the effectiveness of our systems of internal control and the management of key business risks, with recommendations for improvement by management. The status of audit recommendations is reported to each meeting of ARC, and ARC noted significant progress in implementing these. There were no overdue actions outstanding at the end of the year.

During 2018-19, there were 19 separate audits undertaken across a range of business areas which confirmed our controls were largely operating as intended. GIAA target areas of high risk to ensure they remain controlled and assured.

The following areas were identified for improvement:

• procurement and contract management arrangements for one particular programme of work. This has led to the development of a plan to drive forward improvements to the commercial arrangements across the organisation in 2019-20
• review of Workforce Planning and Transformation: the initial scope of the programme, communications, resource levels, financial oversight and governance required some immediate rectification, which has since been implemented
• internal decision-making arrangements required some refinement. Work during 2019-20 will review our internal governance structure, ensuring all internal boards and committees are aligned

In addition to our internal audit service, we receive other third-party assurances including:

• ISAE3402 assurance reports covering our external payroll and financial services provided by NHS Shared Business Services (SBS) - the financial services report was unqualified - the payroll services report received a qualified opinion - SBS was unable to evidence independent approvals for all checks to manual payroll and recurring calculations, consequently, the report was unable to confirm that all controls as set out by SBS were fully operational - controls within the payroll and e-expenses systems, together with internal NHS Digital processes, contribute to reducing risks arising from the areas of concern
• ISAE3402 assurance reports for the GP Payment Systems we provide to the wider NHS - this received an unqualified assurance
• an external review of our Supplier Audit Management processes - this including two of the biggest suppliers of GP Systems of Choice (GPSoC)

The GPSoC review presented an opportunity to improve our existing processes and practices. It highlighted a number of areas for improvement, including understanding the governance and roles and responsibilities in supplier management and ensuring thorough exit plans are created and adhered to. The actions will be implemented during 2019-20.

External audit

We have worked constructively with the National Audit Office. They attend and contribute to all ARC meetings during the year. The work of external audit sits outside our normal governance arrangements but independently informs the suitability and appropriateness of relevant financial and other controls and our governance and risk processes. The work of external audit is monitored by ARC through regular progress reports.

Counter fraud

We are responsible for investigating allegations of fraud related to our functions and work.

We have an internally appointed counter-fraud manager who ensures that appropriate anti-fraud arrangements are in place and who undertakes reactive and proactive counter-fraud work. The internal policy on tackling fraud, bribery and corruption is communicated to all staff. The policy and our management statement on corruption is available on our website.

We work closely with a number of bodies including the Department of Health and Social Care Anti-Fraud Unit to establish appropriate and efficient anti-fraud arrangements, and to ensure we comply with the counter fraud functional standard set out by the Cabinet Office. We 119 continue to work jointly with the biennial National Fraud Initiative. Fraud referrals have increased in the year and one investigation resulted in action against an individual. This included seeking an appropriate sanction and redress.

We also hold a quarterly fraud working group chaired by the Chief Finance Officer, which includes key senior internal and external stakeholders. We undertake an annual review of the fraud risk assessment and risk register and hold internal fraud risk workshops with key stakeholders. We continuously review our processes, sample check employee subsistence and travel claims and recover overpayments. We have introduced a data analytics tool to improve compliance checking, detect fraud more effectively, and reduce errors and losses.

Public interest disclosure

NHS Digital was one of the first 100 organisations to sign up to the Protect (formerly Public Concern at Work (PCAW)) Whistleblowing Commission code of practice. We attend an annual networking event to discuss progress in implementing whistleblowing procedures and will continue to improve our policy and practice through engagement with Protect. We have well-established reporting routes and mechanisms to allow staff to raise concerns.

The organisation has appointed one nominated officer at board level to protect and develop whistleblowing arrangements and encourage staff to openly raise concerns. There was one whistleblowing case in the year which was fully investigated and no further action was deemed necessary.

Performance management

Corporate performance management, including the use of key performance indicators, is linked with business planning and risk management to provide a joined-up view of what we intend to deliver (business planning), what factors could prevent successful delivery and how they can be mitigated (risk management), and how well we are delivering (performance management). The development of our business plan commitments includes assessment of constraints, dependencies and risks, and we track delivery using relevant measures.

Our organisation-wide performance management framework includes periodic reporting at differing levels of granularity in performance packs to the Digital Delivery Board, our Board, the Executive Management Team and other internal business units.

This performance reporting covers:

• financial and non-financial information, key risks and issues, and an assessment of delivery against strategic commitments
• business plan delivery at corporate and directorate levels
• other key work, such as delivery of specific programmes and organisational development and transformation

Our performance framework and individual performance indicators are kept under regular review to ensure they remain meaningful and effective. With the exception of a limited number of confidential indicators, all elements of the performance framework are reported to public meetings of the Board and most of the information is available on our website.

Our performance reporting supports open and transparent governance and helps ensure public accountability. Performance packs and business plan monitoring reports also inform quarterly accountability meetings between the Department of Health and Social Care and ourselves.

Data and cyber security

Our Data Security Centre continues to lead the provision of support to health and care organisations to manage cyber security risk, enabling the safe and secure use of data and technology to deliver improved patient care. We worked with NHS England, NHS Improvement, the Department of Health and Social Care, the National Cyber Security Centre and other partners to strengthen cyber resilience in 2018-19.

We are leading a multi-tiered approach to reduce systemic cyber security risk in the health and social care system. This involves central interventions, such as the Cyber Security Operations Centre (CSOC) as well as local interventions with NHS providers to increase preparedness and reduce vulnerability.

Alongside our system-wide responsibility, we provide consultancy and assurance to systems and services delivered by NHS Digital.

In 2018-19, the Data Security Centre triaged, created and distributed 63% more threat intelligence content than in the previous financial year. There was a 34% decrease in notifications of active infections sent to health and social care organisations.

Our CSOC capability is being developed in collaboration with our strategic partner, IBM. We have significantly improved its service, including onboarding the Incident Response and Intelligence Service, implementing the Vulnerability Management Service (which provides healthcare organisations with access to vulnerability scanning for their external-facing services) and integrating the Bitsight platform (which provides the CSOC with organisational ‘league tables’ based on vulnerability risk profiles).

Supporting local organisations with cyber security

To address critical weaknesses identified at a local level through on-site assessments, the Data Security Centre developed a Cyber Security Support Model. This helps organisations identify issues and provide bespoke advice and support to address vulnerabilities and increase cyber security preparedness in line with national standards. The model is underpinned by a GCHQ-accredited, board-level training offer to ensure leadership buy-in. We also provided a toolkit of communications materials to help organisations raise cyber and data security awareness among their staff.

We have supported the migration to a more resilient and secure operating system and published tailored Windows 10 build toolkits and online training to support NHS trusts in managing their transition. We also enrolled 750,000 devices onto the national end-point detection, threat and vulnerability management tool, which helps identify and monitor emerging threats at a local and national level.

The risks to the health and social care system from cyber attacks are growing and will increase significantly with the adoption of new technologies and services. We will continue to provide guidance, assessments and support to help organisations manage risk effectively, be prepared and be ready to respond.

Data Security and Protection Toolkit (DSPT)

During 2018-19 we developed and launched the DSPT, a replacement for the Information Governance Toolkit. The new resource combines data security and data protection principles. Additional functionality includes:

• the ability to report data security incidents to the Information Commissioner’s Office or the Department of Health and Social Care
• the ability for pharmacy, opticians and social care providers to submit assessments for their sites in bulk
• additional reporting and exporting functionality (including the ability to export an action plan based on an organisation’s assessment)

Over 30,000 health and social care organisations have registered with the toolkit and 26,800 organisations have published an assessment against the National Data Guardian’s standards. This is 18% more than with the previous toolkit.

The DSPT is also used to assess third-party suppliers to the NHS and organisations applying for data through our data dissemination services.

We are required to submit an annual return against the DSPT. Our result was “standards met”, which means that all mandatory assertions were evidenced.

Data sharing arrangements

DARS handles all requests for personal data that is identifiable or potentially identifiable. Before any data is shared, we ensure that:

• a legal basis for accessing the data exists
• the customer has an appropriate level of security to safeguard the data
• the customer passes our assessment process
• dissemination is covered by a signed data sharing agreement and a data sharing framework contract

Particularly sensitive releases follow a full governance and approval process and we seek independent advice from the Independent Group Advising on the Release of Data (IGARD) when appropriate.

We will continue to ensure that the governance around the dissemination of such data is of the highest priority. This includes close collaborations with IGARD, which reviews applications for sensitive NHS Digital data and has expert members and an enhanced transparency remit.

We conduct data-sharing audits to ensure that organisations meet the terms of their data-sharing agreement and framework contract. The organisations audited are selected by the DARS Team, based on a risk assessment that considers the overall level of assurance required for a specific agreement. The audit team may also carry out some random or sampling audits as a check on the overall assurance process.

During 2018-19, we conducted audits of 20 separate organisations and recorded observations about their processes, procedures and non-conformities with NHS Digital contractual documentation.

The non-conformities are subsequently followed up with a post-audit review to ensure they have been addressed. During 2018-19, 17 post-audit reviews were conducted. The outcome of audits and post-audit reviews are published on our website. 

Changes to cross-government data sharing

The memorandum of understanding between the Home Office, the Department of Health and Social Care and NHS Digital in relation to information sharing was terminated in October 2018 by NHS Digital following the government’s announcement that it would no longer request tracing information in respect of individuals suspected of immigration offences. Urgent tracing requests from the Home Office and other government departments or agencies where there is a need to trace an individual for welfare and safeguarding purposes are assessed on a case by case basis by NHS Digital’s welfare and safeguarding request panel.

Data quality assurance

We understand the importance of good quality data and our role in ensuring that the data we collect, process and share is subject to the most rigorous levels of quality assurance.

Given our unique position as a processor, user and sharer of health and social care data, we also have a duty to promote understanding of the importance of data quality across the health and social care sector.

We continue to seek ways to improve our data quality assurance. During 2018-19, we:

• monitored the implementation of our secondary uses data quality assurance policy
• worked collaboratively with our partners to develop requirements-based data quality assurance products, processes and tools
• ensured new and existing data collections and extractions went through the appropriate data quality assurance assessment processes

Information governance

We have appointed a new executive director to lead this area and establish a revised operating model to support a more efficient and resilient service, and embed good information governance compliance across the organisation.

The information governance work plan for 2019-20 includes: 

• designing the future operating model and implementing interim changes in structure
• implementing tracking and reporting mechanisms to support resource management and to monitor and report on performance
• developing and implementing further staff training
• developing and starting the delivery of an information governance programme to review, improve and streamline existing processes, and to establish new processes, policy, guidance, tools and training
• reviewing and updating the NHS Digital Code of Practice on Confidential Information in line with work being undertaken separately by the Department of Health and Social Care to update the NHS Code of Practice on Confidentiality

General Data Protection Regulation (GDPR)

In May 2018, the GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998, providing a comprehensive legal framework for data protection in the UK. NHS Digital has a responsibility to ensure that its policies, procedures and working practices reflect current EU and UK legislation. Our GDPR implementation programme and work plan began in 2017 and culminated in quarter two of 2018.

We have restructured our internal teams, developed our internal policies and processes and raised awareness through communications and training.

We supported good information governance across NHS Digital by:

• appointing a Data Protection Officer and a supporting team to help respond to the tasks and responsibilities required under GDPR
• putting in place a comprehensive Unified Register which holds the records of over 700 information assets with built-in controls, filters and guidance to help ensure accurate details are recorded and we are able to comply with its record keeping requirements under GDPR Article 30
• ensuring a process is in place for creating and maintaining Data Protection Impact Assessments
• updating our Data Subject Access Request procedure to support staff, patients and citizens to apply and receive the personal data NHS Digital holds about them
• updating our transparency notices, which advise on how we collect, analyse and store personal data and information

Incident management

In 2018-19, 20 incidents were classified as a personal data breach under GDPR and the Information Commissioner’s Office (ICO) guidance. Two personal data breach incidents were reported to the ICO. The ICO has confirmed it is not taking action on either incident.

Freedom of Information (FOI) requests and Data Subject Access Requests (DSARs)

During 2018-19, 1,368 FOI requests were received. Nine responses were outside of the statutory deadline, a compliance rate of 99.3%.

We received 266 DSARs. DSAR compliance within statutory deadlines was 98.8%. In the three cases where statutory deadlines were breached, reasons for the delay were investigated and steps taken to address issues where necessary.

Three complaints were made to the ICO by applicants dissatisfied with our responses to FOI requests or DSARs. Two are now closed and we are waiting for further correspondence regarding the third. The outcomes of ICO investigations can be found on their website. 

Business continuity

NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate in an efficient manner and that we can support the NHS in event of an outage. We conduct stress testing, provide a fully manned service bridge and maintain a Business Continuity Management System (BCMS) that is aligned to the requirements of ISO 22301 and related standards. The capability of the BCMS includes:

• a corporate incident management framework and supporting processes
• business continuity plans covering all NHS Digital activities
• a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
• arrangements to support the management of NHS Digital facility-related health and safety incidents
• supply chain continuity management. We confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of service to NHS Digital and its customers

Our professional and qualified staff provide subject matter expertise in line with best practice across government and relevant industry standards.

An ongoing work programme is focused on corporate incident management capability, exercising business continuity plans, facility/site emergency plans, supply chain continuity management and people aspects of business continuity planning.

Clinical governance

As we move toward providing digital programmes and services that impact more closely on the lives of patients and citizens, there is a requirement to raise the profile of clinical governance at all levels of the organisation. This year, we worked towards developing a clinical governance framework and have appointed two very senior clinicians to non-executive positions and allocated one with special responsibility for this area. We also appointed nine senior clinicians with strong informatics competencies to lead on our major areas of activity.

We have invigorated our patient safety approach to ensure it keeps pace with new digital technologies. This work is ongoing but includes consideration of decision-support algorithms, apps and machine learning. Clinician time will be allocated according to clinical risk in each programme.

Org2

During 2018-19, NHS Digital began a transformation programme aimed at transforming itself into a modern, agile organisation capable of meeting future delivery commitments. This programme, known as Org2, is responsible for delivering a range of initiatives including restructuring the workforce. All 3,000 permanent staff will be affected, as a net reduction of around 500 full-time equivalent staff is expected. This programme introduces significant risks and a separate risk register has been created to manage these. This is reviewed regularly at board level. The first wave of this change started in 2018-19 and the programme is expected to be completed during 2020-21.

Service issues

Breast cancer screening service

In May 2018, an issue was identified with the Breast Cancer Screening Service in England that resulted in thousands of women aged between 68 and 71 not being invited to their final breast screening between 2009 and 2018. NHS Digital has provided extensive support to Public Health England and other system partners on the response to, and resolution of, this critical issue

Patient Objections Management extract

On 20 June 2018, NHS Digital discovered an issue with the Patient Objection Management data extracts from one of the system providers, TPP. It was established this was due to a coding error in TPP SystmOne where new objections between 31st March 2015 and the 8th May 2018 had not been collected and sent to NHS Digital. Following investigation, it was identified that this affected submissions from 148,873 patients.

NHS Digital worked swiftly to report the error and on 27 June 2018 stopped all data flows from NHS Digital where type 2 opt-outs should have been upheld. By the evening of 28 June 2018, the opt-out data had been corrected and data flows were restarted. Affected patients were contacted to make them aware of the issue. We also worked with organisations that received data to ensure data files were replaced and incorrect data was destroyed where possible. No patient’s personal care and treatment was reported to be affected by this issue and NHS Digital informed GPs, the Information Commissioner’s Office and the National Data Guardian. All objections are now being honoured.

TPP apologised for its role and committed to work with NHS Digital so that errors of this = nature do not occur again. Subsequently, Type 2 opt-outs are now collected and converted to National Data Opt-outs. These are held on a central service managed by NHS Digital. There is no further need for TPP, or other system providers, to collect the opt-out information.

System outages

Multiple users were unable to access Microsoft Portal, Outlook Web Access, Skype or send email via Outlook on the 1st of December 2018 due to a server storage issue. A full service stability plan was initiated by Accenture and ourselves to rectify the issue (which was completed by 3rd December) and seek mitigations for the future. Following extensive clinical assessments, no patient harm or impact on the security or integrity of patient data was identified.

Under the Health and Social Care Act 2012 and directions made thereunder by the Secretary of State with the approval of HM Treasury, we are required to prepare a Statement of Accounts for each financial year in the form and on the basis determined by the Secretary of State. The Accounts are prepared on an accruals basis and must give a true and fair view of our state of affairs and of our net resource outturn, application of resources, changes in taxpayers’ equity and cashflows for the financial year.

In preparing the Accounts, the Board and Accounting Officer are required to comply with the requirements of the Government Financial Reporting Manual and, in particular, to:

• observe the accounts direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
• make judgements and estimates on a reasonable basis
• state whether applicable accounting standards, as set out in the Government Financial Reporting Manual, have been followed and disclosed and explain any material departures in the financial statements
• prepare the financial statements on a going concern basis, unless it is inappropriate to presume that NHS Digital will continue in operation

The Accounting Officer for the Department of Health and Social Care has appointed our Chief Executive as the Accounting Officer who has responsibility for preparing our accounts and transmitting them to the Comptroller and Auditor General. Specific responsibilities include the propriety and regularity of the public finances for which the Accounting Officer is answerable, for keeping proper records and for safeguarding our assets, as set out in ‘Managing Public Money’ published by the HM Treasury. As Accounting Officer I am able to confirm that:

• as far as I am aware, there is no relevant audit information of which the auditors are unaware
• I have made myself aware of any relevant audit information and established that the entity’s auditors are aware of that information
• the Annual Report and Accounts as a whole are fair, balanced and understandable
• I take personal responsibility for the Annual Report and Accounts and the judgment required for determining that they are fair, balanced and understandable

Sarah Wilkinson
Chief Executive
26 June 2019

Opinion on financial statements

I certify that I have audited the financial statements of the Health and Social Care Information Centre for the year ended 31 March 2019 under the Health and Social Care Act 2012. The financial statements comprise: the statements of comprehensive net expenditure, financial position, cash flows, changes in taxpayers’ equity; and the related notes, including the significant accounting policies. These financial statements have been prepared under the accounting policies set out within them. I have also audited the information in the accountability report that is described in that report as having been audited.

In my opinion:

• the financial statements give a true and fair view of the state of the Health and Social Care Information Centre’s affairs as at 31 March 2019 and of net expenditure for the year then ended; and
• the financial statements have been properly prepared in accordance with the Health and Social Care Act 2012 and Secretary of State directions issued thereunder

Opinion on regularity

In my opinion, in all material respects the income and expenditure recorded in the financial statements have been applied to the purposes intended by Parliament and the financial transactions recorded in the financial statements conform to the authorities which govern them.

Basis of opinions

I conducted my audit in accordance with International Standards on Auditing (ISAs) (UK) and Practice Note 10 ‘Audit of Financial Statements of Public Sector Entities in the United Kingdom’. My responsibilities under those standards are further described in the Auditor’s responsibilities for the audit of the financial statements section of my certificate.

Those standards require me and my staff to comply with the Financial Reporting Council’s Revised Ethical Standard 2016. I am independent of the Health and Social Care Information Centre in accordance with the ethical requirements that are relevant to my audit and the financial statements in the UK. My staff and I have fulfilled our other ethical responsibilities in accordance with these requirements. I believe that the audit evidence I have obtained is sufficient and appropriate to provide a basis for my opinion.

Conclusions relating to going concern

I am required to conclude on the appropriateness of management’s use of the going concern basis of accounting and, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the Health and Social Care Information Centre’s ability to continue as a going concern for a period of at least twelve months from the date of approval of the financial statements If I conclude that a material uncertainty exists, I am required to draw attention in my auditor’s report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify my opinion. My conclusions are based on the audit evidence obtained up to the date of my auditor’s report. However, future events or conditions may cause the entity to cease to continue as a going concern. I have nothing to report in these respects.

Responsibilities of the Board and Accounting Officer for the financial statements

As explained more fully in the statement of Accounting Officer’s responsibilities, the Board and the Accounting Officer are responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view.

Auditor’s responsibilities for the audit of the financial statements

My responsibility is to audit, certify and report on the financial statements in accordance with the Health and Social Care Act 2012.

An audit involves obtaining evidence about the amounts and disclosures in the financial statements sufficient to give reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

As part of an audit in accordance with ISAs (UK), I exercise professional judgment and maintain professional scepticism throughout the audit.

I also:

• identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for my opinion - the risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control
• obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Health and Social Care Information Centre’s internal control
• evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by management
• evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the consolidated financial statements represent the underlying transactions and events in a manner that achieves fair presentation

I communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that I identify during my audit.

In addition, I am required to obtain evidence sufficient to give reasonable assurance that the income and expenditure reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them.

Other information

The Board and the Accounting Officer are responsible for the other information. The other information comprises information included in the annual report, other than the parts of the accountability report described in that report as having been audited, the financial statements and my auditor’s report thereon. My opinion on the financial statements does not cover the other information and I do not express any form of assurance conclusion thereon. In connection with my audit of the financial statements, my responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or my knowledge obtained in the audit or otherwise appears to be materially misstated. If, based on the work I have performed, I conclude that there is a material misstatement of this other information, I am required to report that fact. I have nothing to report in this regard.

Opinion on other matters

In my opinion:

• the parts of the accountability report to be audited have been properly prepared in accordance with Secretary of State directions made under the Health and Social Care Act 2012
• in the light of the knowledge and understanding of the Health and Social Care Information Centre and its environment obtained in the course of the audit, I have not identified any material misstatements in the Performance report or the Accountability report; and
• the information given in e.g. Performance report and Accountability report for the financial year for which the financial statements are prepared is consistent with the financial statements

Matters on which I report by exception

I have nothing to report in respect of the following matters which I report to you if, in my opinion:

• adequate accounting records have not been kept or returns adequate for my audit have not been received from branches not visited by my staff; or
• the financial statements and the parts of the Accountability report to be audited are not in agreement with the accounting records and returns; or
• I have not received all of the information and explanations I require for my audit; or
• the governance statement does not reflect compliance with HM Treasury’s guidance

Report

I have no observations to make on these financial statements.

Gareth Davies
Comptroller and Auditor General 

1 July

National Audit Office
157-197 Buckingham Palace Road
Victoria London
SW1W 9SP