Skip to main content

Current Chapter

Current chapter – Accountability report


Corporate governance report

This section explains the external framework and internal systems of monitoring and control that help us define our objectives and ensure we achieve them.

Our constitution is set out in Schedule 18 of the Health and Social Care Act 2012. An Accounting Officer Memorandum sent by the Department of Health and Social Care (DHSC) Principal Accounting Officer to our Chief Executive describes the formal arrangements that underpin our existence.


Our governance 

NHS Digital is a non-departmental public body led by a board and four board committees. All of these committees are chaired by non-executive directors.

The Board is supported operationally by the Core Executive Management Team (EMT). The Executive Management Team is responsible for communicating and delivering the strategy agreed by the Board. It is chaired by the Chief Executive and meets regularly. Action points and decisions are disseminated to all staff through the corporate intranet.

We are led by a board consisting, at 31 March 2020, of three executive, nine non-executive (including the Chair) and two ‘ex-officio’ members. These arrangements comply with the requirements of the Health and Social Care Act 2012, which stipulates that the Board should have at least six non-executive directors and not more than five executive members.

The Board

The Board supports the Chief Executive, who is the Accounting Officer and is accountable to both the Secretary of State for Health and Social Care and to Parliament for the performance of the organisation and for maintaining high standards of probity in the management of public funds.

Collectively, the Board has responsibility for ensuring that NHS Digital complies with all statutory and administrative requirements and for the appropriate use of public funds allocated to it. Details of the conduct of the Board and the roles and responsibilities of its members are set out in the Board Terms of Reference, which are derived from our Corporate Governance Manual. These include our Standing Orders, Standing Financial Instructions and Scheme of Delegation. All of these documents are reviewed annually and are available to the public.

The powers retained and exercised by the Board include:

  • agreeing our vision and values, culture and strategy within the policy and resources framework agreed with the Department of Health and Social Care
  • agreeing appropriate governance and internal assurance controls, especially in relation to financial and performance risks
  • approving business strategy, business plans, key financial and performance targets and the annual accounts
  • ensuring sound financial management and value for money
  • supporting the Executive Management Team (EMT) and holding it to account
  • ensuring that we comply with any duties imposed on public bodies by statute

A Register of Members’ Interests, drawing together declarations of interest made by all Board members, is open to public scrutiny and is published on the NHS Digital website as part of the Board papers that can be found on the ‘Our Leadership and Governance’ section of the NHS Digital website. Details of related-party transactions are set out in Note 17 of the Accounts and biographies of the Board are available in this report.

The Chair and non-executive directors are appointed by the Secretary of State for Health and Social Care. The Chief Executive is appointed by the Board and other executive officers are appointed by the Chief Executive. Executive membership is agreed by the Board.

Changes to the Board’s membership during the year were:

  • Robert Shaw, the Deputy Chief Executive, left on 31 December 2019
  • Dr Amir Mehrkar was appointed as acting Chief Medical Officer on 1 April 2019 and resigned on 30 September 2019
  • Professor Jonathan Benger was appointed as acting Chief Medical Officer on 18 November 2019. He is seconded from the University Hospitals Bristol for a period of 18 months

In addition, Pete Rose was appointed as Deputy Chief Executive and Managing Director of IT Operations on 4 May 2020. 

On 31 March 2020 the Board included two male executive directors and one female, with seven male non-executives and two females.

Each non-executive director supports a particular aspect of the organisation’s work. Their responsibilities and contract arrangements are as follows:

Name Start date End date Responsibilities
Noel Gordon†   1 June 2016  31 August 2020  Chair of the Board and the Talent, Remuneration and Management, Committee and Investment Committee 
Dr Marko Balabanovic*  1 January 2017  31 December 2020 

Leads on innovation, emerging technologies, partnerships and technology transfer

Daniel Benton  1 January 2017  31 December 2020 Leads on IT delivery excellence, operational transformation and technology strategy 
Professor Soraya Dhillion 1 January 2017 31 December 2020  Leads on clinical safety and governance, e-channels and diversity and inclusion 
Professor Sudhesh Kumar* 1 January 2017 31 December 2020  Leads on big data, the research sector, clinical informatics, medtech and life sciences 
John Noble 1 July 2018  30 June 2021 Leads on information and cyber security and chairs the Information and Cyber Security Committee
Deborah Oakley 1 July 2018 30 June 2021 Leads on assurance and risk and chairs the Audit and Risk Committee
Rob Tinlin* 1 January 2017 31 December 2020 Leads on integrated care, digitising social care, change management and organisational development
Balram Veliath 1 July 2018  30 June 2021 Leads on culture, values and stakeholder relations.

† Noel Gordon's original contract ended 31 May 2020 but was extended to 31 August 2020.

* The original contracts were for a period of three years ending on 31 December 2019 but have been extended during the year to 31 December 2020. 

During 2019-20, six statutory public meetings were held and there were a further two business meetings.

Members of the public may attend and observe. Papers and previous minutes are made available on the NHS Digital website in advance of the meetings. In addition, there are private meetings of the Board at which items of a commercial or confidential nature that cannot be discussed in public are tabled.

As well as standing agenda items on the governance and performance of our organisation, the statutory meetings discussed a range of topics including, exceptionally:

  • enabling world-class clinical trials using national NHS Data
  • the approach to updating NHS Pathways
  • the action plan for the coronavirus pandemic
  • progress on the social care agenda
  • the risks and potential impact of the internal transformation programme (Org2)
  • the impact of the creation of NHSX to oversee the strategy, policy and the commissioning of digital solutions
  • the potential impacts of Brexit

Members of the Board use the business meetings for board development and to consider strategic issues within the organisation and in the broader digital environment. These in-depth meetings include additional senior operational staff.

Some key issues discussed during 2019-20 included:

  • the development of corporate strategy
  • the development of the Board and its effectiveness
  • information governance 
  • strategic risk
  • the future vision for NHS Digital
  • GP data and IT

In accordance with the corporate governance code for central government departments issued by HM Treasury, an external review was undertaken during the year to assess the effectiveness of the Board. The facilitator collated responses from all board members, which were anonymised.

The report and recommendations were considered at the 13 March meeting of the Board. The main themes emerging from the review were:

  • board leadership: non-executive directors, with executive directors, to continue engaging actively with partners and providers to extend NHS Digital’s insight and influence on technical and data strategy across the system
  • the Board’s effectiveness as a team: Board to ensure that it optimises its value-add overall in the context of NHS Digital’s remit for 2020-21
  • ensuring a healthy culture: Board to continue its work to actively ensure a healthy culture and high levels of staff engagement to support the delivery of NHS Digital’s strategic objectives

The Board will review its progress against these recommendations toward the end of 2020-21. 

The Board committees

The Board has established four committees with responsibility for providing an independent view to the Chief Executive and the Board on:

  • audit and risk
  • information assurance and cyber security
  • talent, remuneration and management
  • investment assurance

Day-to-day operational matters are managed through the Executive Management Team.

A standing item on the Board’s agenda allows the chairs of committees to report on their deliberations. The minutes of the Board’s committees (other than those of the Talent, Remuneration and Management Committee) are circulated to board members after they are ratified.

The delegated responsibilities of each committee are described below.

The Audit and Risk Committee (ARC) – Chair: Deborah Oakley

Provides an independent view to the Chief Executive and the Board of the organisation’s internal controls, operational effectiveness, governance and risk management. This includes an overview of internal and external audit services, risk management and counter fraud activities.

The committee is authorised to investigate any activity within its terms of reference and to seek any information that it requires from any employee. It is able to seek legal or independent professional advice and secure the attendance of external specialists.

The key areas of activity in 2019-20 included, exceptionally:

  • regular review of the strategic risk register and risk appetite
  • review of preparations for EU exit
  • several strategic risk ‘deep dives’ including: organisational restructuring, clinical risk, technical architecture and supplier capacity and capability
  • clinical governance process and implementation
  • review of risks in respect to the coronavirus pandemic
  • treatment of IR35 taxation

The Information Assurance and Cyber Security Committee (IACSC) – Chair: John Noble

The committee has representation from across government, including the Department of Health and Social Care. It is responsible for ensuring that there is an effective cyber security information assurance function that meets recognised industry and government standards and provides appropriate independent assurance to the Chief Executive and the Board.

The IACSC reviews the work of the Data Security Centre and considers the implications of management responses to its work. It monitors other significant internal and external cyber assurance functions. It is authorised to investigate activities within its terms of reference and all employees are directed to co-operate with its requests for information. It can seek legal or independent professional advice at NHS Digital’s expense.

The main areas considered in 2019-20 included:

  • review of the Strategic Threat and Risk Assessment report to build a holistic understanding of the threat and risk landscape of the organisation
  • the development of key performance indicators to measure system-wide cyber security readiness
  • understanding and measuring the cyber readiness of NHS Digital corporate systems provided by third parties
  • developing the remit of IACSC to better incorporate information governance assurance and undertaking reviews of current data sharing arrangements
  • review of the effectiveness of the coronavirus cyber action plan

The Talent, Remuneration and Management Committee (TRaMCo) – Chair: Noel Gordon

The role of this committee, among a range of staff-related matters, is to:

  • make recommendations to the Department of Health and Social Care on the level of the remuneration packages of the Chief Executive and other executive directors within the provisions of the Pay Framework for Executive and Senior Managers (ESM) or successor arrangements
  • review and assure the annual performance objectives and targets of executive directors and pay arrangements for other senior managers
  • ensure that all matters relating to pay and conditions that require approval from the Department of Health and Social Care Remuneration Committee or other external authority are submitted for approval and that the decisions of those bodies are appropriately implemented
  • review and assure workforce and senior management restructuring proposals arising from annual productivity assessments, specific cost reduction plans or capability prioritisation proposals (including workforce risks associated with Org2 restructuring)
  • review and make recommendations on the size, composition and structure of the Board, including assessing and making recommendations to the Department of Health and Social Care about the skills, knowledge and experience required from Board appointees

Investment Committee (IC) - Chair: Daniel Benton

The committee assures investment and financial proposals whose value exceeds the delegated authority of the Chief Executive. It consists of two non-executive directors and the Chief Financial Officer. The Director of Assurance and Risk Management, Commercial Director and Product Delivery Director attend as required by the agenda.

The purpose of the committee is to review and assure investment and other financial proposals and to ensure that NHS Digital assumes an acceptable level of delivery risk.

Specifically, the committee ensures that programmes have shown that they:

  • have appropriate management and resourcing arrangements, including agreed commercial strategies and risk management
  • are technically robust and clinically safe
  • are affordable
  • have robust proposals for cyber and information security
  • have acceptable levels of compliance risk, particularly with respect to information governance and procurement

The Investment Committee has recently considered:

  • the reason for single tender applications to extend existing contracts, having challenged the justification in these cases
  • investment cases for programmes of work including the Clinical Triage Platform, pharmacy systems claim verification, GP IT Futures, NHS e-Referral Service, NHS.uk campaign and Access to Service Information

Following Investment Committee endorsement, business cases are submitted to the Technology and Data Investment Board hosted by NHS England.

Executive Management Team 

The Executive Management Team is responsible for communicating and delivering the strategy agreed by the Board. It is chaired by the Chief Executive and meets regularly. Action points and decisions are disseminated to all staff through the corporate intranet.

Members' attendance at the Board and its committees were as follows:

- Public Board  Board development ARC IASC TRaMco IC
Number of meetings 6 2 5 4 4 10
Executive directors  Public Board  Board development ARC IASC TRaMco IC
Sarah Wilkinson  5/6 2/2 5/5 - 4/4 -
Rob Shaw* 3/4 2/2 3/4 3/3 - 5/7
Carl Vincent 6/6 2/2 5/5 - - 8/10
Dr Amir Mehrkar* 1/2 1/1 - - - -
Professor Jonathan Benger 3/3 1/1 - - - -
Non-executive directors Public Board  Board development ARC IASC TRaMco IC
Noel Gordon 6/6 2/2 - - 4/4 8/10
Dr Marko Balabanovic 5/6 1/2 - 4/4 - 5/10
Daniel Benton 6/6 2/2 5/5 - - 10/10
Professor Soraya Dhillon 6/6 2/2 - - 4/4 -
Professor Sudhesh Kumar 6/6 2/2 4/5 - - -
Rob Tinlin  6/6 2/2 - - 3/4 -
John Noble 5/6 2/2 5/5 4/4 - -
Deborah Oakley  6/6 2/2 5/5 4/4 - -
Balram Veliath 4/6 1/2 5/5 - - -

*Robert Shaw and Dr Amir Mehkar left NHS Digital during the year. 


Remuneration and staff report

Staff numbers and costs  

The staff costs and the average number of whole-time equivalent persons are subject to audit:

Permanent staff

2019-20

£000

2018-19

£000

Salaries and wages 129,541 142,608
Social security costs 14,473 16,417
Apprenticeship levy 633 681
Employer superannuation contributions - NHS Pension Scheme 24,025 17,778
Employer superannuation contributions - other 545 439
Staff seconded to other organisations 684 1,159
Capitalised employed staff costs (11,951) (16,669)
Total permanent staff costs 157,950 162,413

Other staff

2019-20

£000

2018-19

£000

Temporary staff 7,688 5,049
Contractors 14,407 10,551
Staff seconded from other organisations 1,063 693
Capitalised other staff costs (1,267) (908)
Total other staff costs 21,891 15,385
Total staff costs 179,841 177,798
Termination benefits 8,359 11,165
Total staff costs including termination benefits 188,200 188,963

The average number of whole term equivalent persons employed during the year was: 

Staff category

2019-20

2018-19

Permanent staff and secondees 2,617 2,891
Temporary staff and contractors 271 192
Total 2,888 3,083
The average number of whole term equivalent persons employed during the year whose time was capitalised 191 284

There were no amounts spent on staff benefits during the year and there were two early retirements on the grounds of ill health. At the time of preparing the accounts, the accrued pension benefit information for the individuals retired on the grounds of ill health was not available. This will be disclosed in the accounts prepared for the next reporting period.

Exit packages 

Total staff termination packages are as follows and are subject to audit:

Staff termination packages

2019-20

Number of compulsory redundancies

2019-20

Cost of compulsory redundancies

£ 

2018-19

Number of compulsory redundancies

2018-19

Cost of compulsory redundancies 

£

£0-£10,000 3 16,893 10 58,857
£10,000-£25,000 31 523,046 44 742,080
£25,000- £50,000 52 1,940,159 36 1,305,738
£50,000- £100,000 42 3,128,859 66 4,841,434
£100,000- £150,000 21 2,380,502 22 2,613,090
£150,000- £200,000 6 985,081 2 313,333
>£200,000 3 677,788 - -
Total 158 9,652,328 180 9,874,532

There were no voluntary or other redundancies.

Exit packages relate to the first two waves of the organisation’s internal restructure and include payments actually made and accrued. The cost of redundancies in 2019-20 include employer’s National Insurance contributions amounting to £323,971 on those redundancies not yet paid at 5 April 2020.

Pension information

Most NHS Digital staff are covered by the NHS Pension Scheme (the 1995/2008 scheme and the 2015 scheme).

NHS Pension Scheme

Past and present employees are covered by the provisions of the two NHS pension schemes. Details of the benefits payable and rules of the schemes can be found on the NHS pension scheme website. Both are unfunded, defined-benefit schemes that cover NHS employers, GP practices and other bodies in England and Wales allowed under the direction of the Secretary of State. They are not designed to be run in a way that would enable NHS bodies to identify their share of the underlying scheme assets and liabilities. Therefore, each scheme is accounted for as if it were a defined contribution scheme, whereby the cost to NHS Digital of participating in the scheme is taken as equal to the contributions payable to that scheme for the accounting period.

In order that the defined benefit obligations recognised in the financial statements do not differ materially from those that would be determined at the reporting date by a formal actuarial valuation, the Financial Reporting Manual (FReM) requires that “the period between formal valuations shall be four years, with approximate assessments in intervening years”. An outline of these follows:

a) Accounting valuation

A valuation of scheme liability is carried out annually by the scheme actuary (currently the Government Actuary’s Department) as at the end of the reporting period. This utilises an actuarial assessment for the previous accounting period, in conjunction with updated membership and financial data for the current reporting period, and is accepted as providing suitably robust figures for financial reporting purposes. The valuation of the scheme liability as at 31 March 2020 is based on valuation data for 31 March 2019, updated to 31 March 2020, with summary global member and accounting data.

In undertaking this actuarial assessment, the methodology prescribed in IAS 19, relevant FReM interpretations, and the discount rate prescribed by HM Treasury have also been used.

The latest assessment of the liabilities of the scheme is contained in the scheme actuary report, which forms part of the annual NHS Pension Scheme (England and Wales) Pension Accounts. These accounts can be viewed on the NHS Pensions website and are published annually. Copies can also be obtained from The Stationery Office.

b) Full actuarial (funding) valuation

The purpose of this valuation is to assess the level of liability in respect of the benefits due under the schemes (taking into account recent demographic experience) and to recommend contribution rates payable by employees and employers.

The latest actuarial valuation undertaken for the NHS Pension Scheme was completed as at 31 March 2016. The results of this valuation set the employer contribution rate payable from April 2020 at 20.6%. 

The 2016 funding valuation was also expected to test the cost of the scheme relative to the employer cost cap set following the 2012 valuation. Following a judgment from the Court of Appeal in December 2018, the government announced a pause to that part of the valuation process pending conclusion of the continuing legal process.

Members can purchase additional service in the NHS Pension Scheme and contribute to Money Purchase Additional Voluntary Contributions run by the scheme’s approved providers or by other free standing additional voluntary contributions providers.

Employees who do not wish to join the NHS Pension Scheme can opt to join the National Employment Savings Trust (NEST) scheme. This is a stakeholder pension scheme based on defined contributions. The minimum combined contribution is currently 8% of qualifying earnings, of which the employer must pay 3%. Employees can choose to pay more into the fund, subject to a current cap of £4,700 per annum. Nine NHS Digital employees were members of the NEST Scheme during 2019-20.

The Principal Civil Service Pension Scheme

The Principal Civil Service Pension Scheme (PCSPS) and the Civil Servant and other Pension Scheme, known as ‘alpha’, are unfunded multi-employer defined benefit schemes. NHS Digital is unable to identify its share of the underlying assets and liabilities. The scheme actuary valued the scheme as at 31 March 2012.

Details can be found in the resource accounts of the Cabinet Office.

For 2019-20, employer’s contributions of £498,510 were payable to the PCSPS (2018-19: £431,697) at one of four rates in the range 26.6% to 30.3% of pensionable earnings, based on salary bands. The scheme actuary reviews employer contributions, usually every four years following a full scheme valuation. The contribution rates are set to meet the cost of the benefits accruing during 2019-20 to be paid when the member retires and not the benefits paid during this period to existing pensioners.

Employees can opt to open a Partnership Pension Account, which is a stakeholder pension with an employer contribution. Employer contributions are age-related and range from 8% to 14.75% of pensionable earnings. Employers also match employee contributions up to 3% of pensionable earnings. No employees have opted for the Partnership Pension Account.

Off-payroll engagements

As part of the Review of Tax Arrangements of Public Sector Appointees, published by the Chief Secretary to the Treasury on 23 May 2012, we are required to publish (via the Department of Health and Social Care) information about the number of off-payroll engagements that are in place and where individual costs exceed £245 per day.

Number of existing engagements as of 31 March 2020:

Total number 69

Of which, the number that have existed:

 - for less than one year at time of reporting

 

24

 - for between one and two years at the time of reporting 43
 - for between two and three years at the time of reporting 1
 - for between three and four years at the time of reporting 1
 - for four or more years at the time of reporting -

The table below shows all new off-payroll engagements between 1 April 2019 and 31 March 2020 that were for more than £245 per day and lasted more than six months.

Number of new engagements, or those that reached six months in duration between 1 April 2019 and 31 March 2020:

Total number 132

Of which:

 - The number assessed as caught by IR35

 

 

125

 - The number assessed as not caught by IR35 7
 - Number engaged directly (via a Personal Service Company contracted to NHS Digital) and are on the payroll -
 - Number of engagements reassessed for consistency or assurance purposes during the year 26
 - Number of engagements that saw a change to IR35 status following the consistency review 21

Off-payroll engagements of board members, and/or, senior officials with significant financial responsibility, between 1 April 2019 and 31 March 2020:

Number of off-payroll engagements of board members, and/or, senior officials with significant financial responsibility, during the financial year.

 

4

Total number of individuals on-payroll and off-payroll that have been deemed "board members, and/or, senior officials with significant financial responsibility", during the financial year. 15

We are committed to maintaining in-house capacity but it is recognised that, with a significant element of our activity being project based, with peaks and troughs in requirements, making the best use of the temporary labour market is necessary. Many of our programmes require specialist input on a temporary basis and it is not always cost-effective to permanently recruit such skills. 

The total cost of temporary labour increased in the year to £23.1 million, compared to £16.3 million in 2018-19, as we brought in specialist resources to assist in the development of our major programmes.

We continue to improve our assurance processes to ensure we categorise all engagements in line with best practice.

Diversity, equality and inclusion

Our three key strategic priorities for equality, diversity and inclusion guide our action plans and day-to-day interactions with our employees, and have executive director level accountability across the business.

We aim to create and maintain a diverse, representative workforce within NHS Digital. 

We are striving to create a working environment that values difference and fosters an inclusive workplace culture. We want to build a culture in which employees from all backgrounds can give their best, are treated fairly, are valued for their contributions, and can progress in their careers. We regularly review our people management policies to reflect changes and support all colleagues to develop. We make sure that policies are inclusive for people with different protected equality characteristics and we consult widely, including with the unions and the equality and diversity networks.

The gender distribution in NHS Digital for each Agenda for Change equivalent grade is provided below:

Job roles Agenda for Change equivalent grades

2019-20

Male

2019-20

Female

2018-19

Male

2018-19

Female

Directors - 6.5 3.8 7.6 2.1
Senior managers 9 47.0 15.6 45.2 15.7
Senior managers 8d 73.6 42.9 86.6 41.2
Managers 8c 184.7 103.0 205.4 111.6
Managers 8b 307.1 154.3 330.8 162.9
Managers 8a 381.1 248.0 410.7 274.2
Other staff 7 268.8 243.1 312.2 229.5
Other staff 6 132.2 159.2 150.9 200.9
Other staff 5 165.8 181.2 152.1 183.2
Other staff 4 69.4 82.2 63.6 91.9
Other staff 3 5.6 2.3 4.1 2.4
Other staff 2 2.7 0.8 5.3 1.3
Other staff Net secondees 6.3 1.0 1.6 (9.5)
Total (full-time equivalent) - 1650.8 1237.4 1,776.1 1,307.4

There has been no significant change in the gender or grade split of our workforce. 57% of employees are male (2018-19: 58%). 

Our most recent workforce report described the make-up of our organisation at 31 March 2019. It reported that 40.6% of people joining NHS Digital were women and that 46.5% of internal promotions were earned by women.

Our gender pay gap for the reporting period to March 2020 was:

Mean gender pay (hourly rate) 2020 2019
Women £23.62 £22.78
Men £26.49 £26.19
Gap between the mean salaries of women and men 10.8% 13.0%

 

Median gender pay (hourly rate) 2020 2019
Women £22.39 £21.69
Men £25.51 £24.79
Gap between the median salaries of women and men 12.3% 12.5%

NHS Digital has a significant gender pay gap among full-time staff. This is slightly below the public sector median of 10.7% and mean of 12.1%, which are based on Office for National Statistics provisional data for October 2019.

The main factor contributing to this pay gap is that men occupy more senior pay bands than women. Men are also more likely to receive the recruitment and retention premiums attached to certain roles and premiums for on-call work.

About 12.7% of our workforce in 2019-20 were from Black, Asian and Minority Ethnic (BAME) backgrounds, broadly the same as in 2018-19. About 38% of our job applicants were from BAME backgrounds, an increase from the previous year of 21%, and about 25% of appointments were made to BAME candidates. People from BAME backgrounds make up about 12.3% of the UK’s working population.

The percentage of staff declaring a disability was 4.8%, marginally higher than last year. About 18% of the UK’s working age population and 9.2% of people in employment have a disability.

About 2.7% of our workforce describe their sexual orientation as LGBT+ while 69.8% say they are heterosexual. 27.5% of staff chose not to share this information.

About 42.3% of our staff are aged between 46 and 65. This proportion has grown slightly since our first report in 2016 and there has been a decrease in the number of staff aged 26-35.

About 33% of our workforce have not shared details about their religious beliefs but, from the information available, there has been little change in the composition of our workforce on this measure in recent years. About 34% are Christian, 13% follow other religions, and 19% describe themselves as being atheist.

We publish an annual Diversity and Inclusion Workforce Report. The 2018-19 report is available and includes details of our gender pay gap for this period. Our 2019-20 report is scheduled for publication in autumn 2020.

During the year, our staff networks continued to grow and worked hard to ensure all our people’s voices were heard, implementing a programme of well-received events to celebrate and raise awareness of difference and diversity, including Purple Light Up, International Women’s Day and Interfaith Week. 

Trade union facility time

We work in partnership with trades union  representatives on all matters affecting our employees to ensure an effective and successful organisation. Regular Joint Negotiation and Consultation Committee meetings are held to allow discussion, consultation and negotiation on employment-related matters.

Staff members are permitted time to engage in appropriate trade union activities. Details are given below:

Relevant union officials Number
Employees who were relevant union officials during the period 25
Full time equivalent (FTE) employee number 2,617

Percentage of time spent on facility time 

Number of employees
0% -
1-50% 25
51%-99% -
100% -
Percentage of NHS Digital's pay bill spent on facility time: -
Total cost of facility time 147,106 
Total pay bill (excluding termination costs) 169,901,000
Percentage of the total pay bill spent on facility time 0.1%
Paid trade union activities -
Time spent on paid trades union activities as a percentage of total paid facility time hours 5.0%

Consultancy

The total spend on consultancy, as defined by HM Treasury guidance, was £1,394,000.

Sickness absence

During 2019, 13,512 (2018: 15,240) working days were lost due to sickness absence. This represented 5.0 (2018: 5.2) working days per employee. These figures are based on calendar years, not financial years, and were centrally produced from the Electronic Staff Record.

Average sickness absence for 2019 was 2.2% (2018: 2.4%).

Community and social responsibility

We have a special leave policy that allows staff to take paid leave for public duties (for example, magistrate, school governor and reserve forces roles). We have also developed work experience and placement programmes for schools, colleges and universities near our offices.

We support the government’s objective of eradicating modern slavery and human trafficking and our statement is published on our website. 

Health and safety

During the coronavirus outbreak, we protected our workforce and supported the effort to suppress infections in the communities in which we operate. We sought to ensure safe working environments at our offices from the early stages of the epidemic and supported working from home for the large majority of our workforce in line with government guidance. We introduced flexible working arrangements to allow our staff to fulfil their caring responsibilities and protect themselves and provided staff with information and equipment to protect their health and safety while working from home. 

We have legal responsibilities for the health, safety and welfare of our employees and for all people using our premises. We comply with the Health and Safety at Work Act (1974) and operate a Health and Safety Committee under the Safety Representatives and Safety Committee regulations (1977). Training on fire-related health and safety is mandatory and there are online learning packages available for other health and safety topics, including manual handling and working with visual display equipment.


Salaries and pensions of senior management

The remuneration and pension disclosures relating to senior staff in post during 2019-20 and 2018-19 are detailed in the tables below and are subject to audit. The figures provided consist of basic pay, performance  pay, pension benefits and benefits in kind. They do not include employee pension contributions or the cash equivalent transfer of pensions.

Board director's  name Role and area of responsibility Appointment date Resignation date

2019-20

Salary (bands of £5,000)  

2019-20

Performance pay

(bands of £5,000)

2019-20

*Pension benefits 

(bands of £2,500)

2019-20

Total (bands of £5,000)

2019-20

Full year equivalent salary (bands of £5,000)

2018-19

Salary (bands of £5,000) 

2018-19

Performance pay

(bands of £5,000)

2018-19

Benefits in kind (to nearest £100)

2018-19

*Pension benefits (bands of £2,500)

2018-19

Total (bands of £5,000)

2018-19

Full year equivalent salary (bands of £5,000)

Sarah Wilkinson Chief Executive - - 190-195 5-10 45-47.5 245-250 190-195 190-195

5-10

-

40-42.5

240-245

190-195

Robert Shaw Deputy Chief Executive and Senior Information Risk Owner - 31 Dec-19 135-140

5-10

25-27.5 170-175 165-170 170-175 5-10 - 0

180-185

170-175
Carl Vincent Chief Finance Officer - - 135-40 5-10 32.5-35 180-185 135-140 130-135 - - 30-32.5 165-170 130-135
Amir Mehrkar Senior Clinical Lead 1-Apr-19  30-Sep-19 45-50 - 10-12.5 55-60 90-95 - - - - - -
Jonathan Benger1 Chief Medical Officer 18-Nov-19   40-45 - 22.5-2.5 65-70 105-110 - - - - - -
Martin Severs Chief Medical Officer and Caldicott Guardian   28-Feb-19   -       95-100 - - - 95-100 140-145
Senior manager's name Role and area of responsibility Appointment date Resignation date

Salary (bands of £5,000)

(2019-20)

Performance pay (bands of £5,000)

(2019-20)

*Pension benefits (bands of £2,500)

(2019-20)

Total (bands of £5,000)

(2019-20)

Full year equivalent salary (bands of £5,000)

(2019-20)

Salary (bands of £5,000)

(2018-19)

Performance pay (bands of £5,000)

(2018-19)

Benefits in kind (to nearest £100)

(2018-19)

*Pension benefits (bands of £2,500)

(2018-19)

Total (bands of £5,000)

(2018-19)

Full year equivalent salary (bands of £5,000)

(2018-19)

Ben Davison2 Executive Director, Product Development  20 Jan 20 - 50-55 - - 50-55 215-220 - - - - - -
Thomas Denwood Executive Director, Data, Insights and Statistics - - 130-135 5-10 27.5-30 165-170 130-135 130-135 5-10 - 30-32.5 170-175  130-135
Nic Fox Chief Commercial Officer 15 Nov 19 - 45-50 - 22.5- 25 70-75 125-130     - - - -
Jackie Gray  Executive Director, Information Governance  14 Jan 19 - 145-150 - 32.5-35 180-185 145-150 30-35   - 5-7.5 35-40 145-150
James Hawkins  Head of the Audit and Risk Directorate 1 Dec 19 - 40-45 5-10 7.5-10 55-60 125-130 - - - - - -
Julie Pinder Chief People Officer 1 Apr 19 - 125-130 0-5 27.5-30 155-160 125-130 - - - - - -
Jeremy Rashbass Head of Disease Registers 1 Nov 19 - 75-80 - 57.5-60 130-135 180-185 - - - - - -
Wendy Clark Executive Director, Product Development 10-Sep-18 29 Nov 19 95-100 - 20-22.5 115-120 140-145 80-85 - - 17.5-20 95-100 140-145
Michael Kay3 Chief Commercial Officer 17 Apr 18 15 Nov 19 140-145 - - 140-145 215-220 210-215 - - - 210-215 215-220
Mark Stock4 Executive Director, Assurance and Risk Management 5-Mar-19 28 Nov 19 80-85 - - 80-85 105-110 5-10 - - - 5-10 105-110
Ken Baker Chief People Officer - 31 Dec 18 - - - - - 75-80 0 - 77.5-80 155-60 100-105
Sean Walsh  Head of Regions, Professions and Org2 - 5 Nov 18 - - - - - 70-75 - 4,400 7.5-10 85-90 120-125

1. Jonathan Benger is seconded from the University Hospitals Bristol NHS Foundation Trust. The costs relate to charges net of employer national insurance and pension charges.

2. Ben Davison is a workpackage contractor with his costs representing the day rate charged less non-recoverable VAT.

3. Michael Kay was a contractor and his salary was calculated based on the day rate he received from the recruitment agency less non-recoverable VAT.

4 .Mark Stock was seconded from PwC with the costs being that charged less non-recoverable VAT.

5. Amir Mehrkar left in December 2019 as part of the Org2 restructure and received a termination payment of £75,625.

There were no benefits in kind in 2019-20. The above remuneration for executive officers include those who are NHS Digital Board members and who attend the core Executive Management Team.

*All benefits in year from participating in pension schemes but excluding employee contributions. These are the aggregate amounts, calculated using the method set out in Section 229 of the Finance Act 2004 (i) and using the indices directed by the Department of Health

Non-executive director remuneration

Non-executive directors Position Appointment date Resignation date

 2019-20

Salary (bands of £5,000)

2019-20

Total emoluments (bands of £5,000)

2019-20

Full year equivalent (bands of £5,000)

2018-19

Salary (bands of £5,000)

 

2018-19

Total emoluments (bands of £5,000) 

2018-19

Full year equivalent (bands of £5,000) 

Noel Gordon Chair - - 60-65 60-65 60-65 60-65 60-65 60-65
Mark Balabanovic Non-executive director -   5-10 5-10 5-10 5-10 5-10 5-10
Daniel Benton  Non-executive director - - 5-10 5-10 5-10 5-10 5-10 5-10

Professor Soraya

Hillon 

Non-executive director - - 5-10 5-10 5-10 5-10 5-10 5-10
Professor Sudhesh Kumar  Non-executive director - - 5-10 5-10 5-10 5-10 5-10 5-10
John Noble  Non-executive director 1 Jul- 18 - 10-15 10-15 10-15 5-10 5-10 10-15
Deborah Oakley Non-executive director 1 Jul -18  - 10-15 10-15 10-15 5-10 5-10 10-15
Rob Tinlin Non-executive director - - 5-10 5-10 5-10 5-10 5-10 5-10
Balram Veliath Non-executive director 1 Jul 18 - 5-10 5-10 5-10 5-10 5-10 5-10
Sir Ian Andrews Non-executive director - 31 Dec 18  - - - 5-10  5-10 10-15
Sarah Blackburn  Non-executive director - 31 Aug 18  - - - 5-10 5-10 10-15

No performance pay, benefits in kind or pension-related benefits were paid. 

The emoulments of the Chair and the non-executive directors do not include employer national insurance contributions. The total included in note 5 of the accounts does include such contributions. 

Remuneration policy

The pay of the executive board directors is set by the Talent, Remuneration and Management Committee based on the recommendations of the Senior Salaries Review Board and is reviewed on an annual basis. NHS Digital operates the NHS Executive and Senior Manager (ESM) pay framework with the approval, where necessary, of the Department of Health and Social Care Remuneration Committee. This includes a job evaluation scheme, administered by the NHS Business Services Authority, and provision for a maximum 5% bonus for not more than the top 25% of performers within the ESM group. 

The standard remuneration arrangements for NHS Digital are those provided under the national NHS Agenda for Change (AfC) terms and conditions of employment. This includes a job-evaluation scheme that has been tested and demonstrated to be equality proofed. 

Executive directors were normally employed on permanent employment contracts with a six-month notice period and work for NHS Digital full-time. However Dr Amir Mehrkar was part time, and Professor Jonathan Benger is seconded from the University Hospitals Bristol NHS Foundation Trust on a part time basis. If contracts are terminated for reasons other than misconduct, they come under the terms of the NHS compensation schemes. 

Pension benefits

Pension benefits were provided through the NHS Pension Scheme.

Name Real increase in pension (bands of £2,500)  

Real increase in pension lump sum (bands of £2,500) 

Total accrued pension at 31 March 2020 (bands of £5,000) 

Lump sum related to accrued pension at 31 March 2020 (bands of £5,000)

Cash Equivalent Transfer Value at 31 March 2020

(£000)

Cash Equivalent Transfer Value at 31 March 2019

(£000)

Real increase in Cash Equivalent Transfer Value

(£000)

Sarah Wilkinson 2.5-5 01 5-10 01 117 70 18
Robert Shaw 0-2.5 (0-2.5) 75-80 185-190 1,569 1,470 44
Carl Vincent 2.5-5 01 10-15 01 164 122 19
Jonathan Benger 0-2.5 0-2.5 70-75 165-170 1,411 1,246 24
Thomas Denwood 0-2.5 (0-2.5) 25-30 45-50 415 374 13
Wendy Clark 0-2.5 01 0-5 01 51 18 8
Jackie Gray 2.5-5 01 0-5 01 39 7 10
Jeremy Bashbass 2.5-5 7.5-10 70-75 215-220 1,762 1,532 78
Amir Mehrkar  0-2.5 (0-2.5) 10-15 15-20 159 137 3
Nic Fox 0-2.5 0-2.5 25-30 55-60 436 371 15
Julie Pinder 0-2.5 01 0-5 01 38 10 10
James Hawkins  0-2.5 (0-2.5) 25-30 40-45 443 395 7

1 No lump sum is disclosed as there is no set minimum lump sum within the 2008 or 2015 sections of the NHS Pension Scheme.

A Cash Equivalent Transfer Value (CETV) is the actuarially assessed capitalised value of the pension scheme benefits accrued by a member at a particular point in time. The benefits valued are the member’s accrued benefits and any contingent spouse’s pension payable from the scheme. A CETV is a payment made by a pension scheme or arrangement to secure pension benefits in another pension scheme or arrangement when the member leaves a scheme and chooses to transfer the benefits accrued in their former pension scheme.

The pension figures shown relate to the benefits that the individual has accrued as a consequence of their total membership of the pension scheme, not just their service in a senior capacity to which disclosure applies.

The CETV figure and other pension details include the value of any pension benefit in another scheme or arrangement that the individual transferred to the NHS Pension scheme. They also include any additional pension benefit accrued to the member as a result of them purchasing additional years of pension service in the scheme at their own cost. CETVs are calculated within the guidelines and framework prescribed by the Institute and Faculty of Actuaries.

The real increase in CETV reflects the increase effectively funded by the employer. It excludes the increase in accrued pension due to inflation and contributions made by the employee (including the value of any benefits transferred from another pension scheme or arrangements) and uses common market valuation factors for the start and end of the period.

Remuneration of highest paid director compared to the workforce median

The relationship between the remuneration of the highest paid director and the median remuneration of the workforce is subject to audit as follows:

Highest paid director

£000

Range of staff remuneration

£

Median pay of the workforce

£

Ratio to the median of the workforce
2019-20 excluding pension contributions 190-195

15,800 to 196,521

44,606 4.3
2018-19 excluding pension contributions 190-195

15,404 to 197,396

43,469 4.4

The disclosures above are based on employees’ salaries and do not take into account any bonuses or other allowances.

Non-permanent staff remuneration is calculated using the day rate net of irrecoverable VAT, less a deemed employer pension contribution and annualised based on 230 working days.

The increases in staff remuneration and the median pay reflects the 2019-20 Agenda for Change pay award.  

Six members of staff received full-time equivalent remuneration in excess of the highest paid director. 


Annual governance statement

NHS Digital is an executive non-departmental public body. We are responsible for setting up and operating systems for the collection, analysis, dissemination and publication of information relating to health services and adult social care and for ensuring citizens’ health data is protected.

We develop and operate information and communications systems for health services and adult social care in England and are accountable directly to Parliament for the delivery of the statutory functions described within the Health and Social Care Act 2012 and the Care Act 2014.

The Senior Departmental Sponsor for the Department of Health and Social Care is responsible for ensuring our procedures operate effectively, efficiently and in the interest of the public and the health sector.

Governance framework

Details of our constitution, our operational accountability, our Board and its appointed committees are provided in the Corporate Governance Report. (ADD LINK) Information about the conduct of the Board and the roles and responsibilities of members are set out in our Corporate Governance Manual, which incorporates the Standing Orders, Standing Financial Instructions and the Scheme of Delegation. This is reviewed and updated annually.

We comply with the best practice described in the corporate governance code for central government departments issued by HM Treasury. Corporate policies are reviewed on a regular basis and are refined as appropriate.

Improving governance and assurance processes across the system 

We all have an interest in good governance, both within NHS Digital and with other bodies, including NHSX, as part of the system-wide oversight of national informatics expenditure.

Our role within the wider informatics arena and our relationships with our key partners are clear. We are the main informatics delivery organisation and contribute to, and are held operationally accountable by, the Digital Delivery Board (DDB). Our Chief Executive is a member of DDB and the Deputy Chief Executive and Chief Finance Officer attend. A significant number of our Executive Management Team and senior managers are involved in the development of future plans.

However, the governance arrangements remain under review by NHSX, now that responsibility for informatics strategy and policy, and the commissioning of services and programmes, has transferred to them.

Management assurance  

Risk and assurance framework 

We have reviewed our corporate risk management framework and methodology during 2019-20 to improve risk data quality and risk management behaviours. Key actions during the year were:

  • refreshing our risk management policy
  • redefining our strategic risks and risk appetite model
  • reviewing our short and long-term risk environment
  • refining our risk reporting and escalation framework to ensure that the most significant risks are escalated appropriately and in a timely manner that enables effective risk mitigation
  • updating our risk management training approach and supporting materials, including introducing risk master classes for senior leaders
  • implementing directorate level and other operational risk dashboards to improve the quality, reliability and accessibility of risk information

Risks and assurance items are reported regularly and escalated through our internal governance structure, with the top strategic and other significant operational risks and issues ultimately being considered by the Executive Management Team, Audit and Risk committee (ARC) and the Board.

The assurance framework operated as intended. In 2020-21, we will further develop our controls, review the linkage between controls and risk, introduce a more dynamic reporting cycle and develop and refine our risk management performance metrics.

The current NHS Digital assurance arrangements are based on two key assurance products (control and assurance statements and assurance maps) created by each directorate annually on a self-assessment basis and reviewed by the Assurance  team.

The assurance model will be further developed during 2020-21 to focus on our key controls and how these link to risk and assurance mechanisms. This will ensure a more dynamic approach and will allow for ongoing assurances to be received throughout the year.

Performance management

Our performance management framework links closely to risk management. It includes periodic reporting at differing levels of granularity in performance packs to the Digital Delivery Board, NHS Digital’s Board, our Executive Management Team and other internal business units.

This performance reporting covers:

  • financial and non-financial information, key risks and issues, and an assessment of delivery against strategic commitments
  • business plan delivery at corporate and directorate levels
  • other key work, such as delivery of specific programmes and organisational development and transformation

Our performance framework and individual performance indicators are kept under regular review to ensure they remain meaningful and effective and support open and transparent governance. With the exception of a limited number of confidential indicators, all elements of the performance framework are reported to public meetings of the Board and most of the information is available on our website.

Internal audit and other third-party assurance

NHS Digital’s internal audit service is provided by the Government Internal Audit Agency. Acting independently, it focuses audit activity on key risk areas and chooses additional areas based on interviews with the Executive Management Team and its knowledge and experience of our business. The internal audit service operates in accordance with the Public Sector Internal Audit Standards  and to an annual internal audit plan approved by the Audit and Risk Committee.

Regular reports are submitted to the Audit and Risk Committee on the effectiveness of our systems of internal control and the management of key business risks, with recommendations for improvement by management.

During 2019-20, NHS Digital’s internal audit plan included 14 internal audits and one advisory review for the clinical governance framework. The scope was limited due to the timing of some audits coinciding with the coronavirus (COVID-19).

Whilst we otherwise had a positive year and do not consider our controls have weakened as a whole, the following audits received limited or equivalent assurance:

  1. The use of consultants: Recommendations to improve the reporting and evaluation of lessons learned. We will ensure the maintenance of a consistent approach to documentation and approvals and scrutinise contract extensions more closely.
  2. Enterprise Architecture: Recommendations to ensure consistency of architectural solutions, diagrams principles, policies, strategies and standards and of papers presented to our governance bodies. We will focus on the longer-term strategic perspective and ensure the Enterprise Architecture Portal is fully utilised.
  3. Digital Transformation Portfolio: Delivery could be strengthened by focusing on governance and assurance outcomes. The oversight provided by the Enterprise Architecture Board is important in ensuring that proposed solutions support the broader strategic direction. We will work with NHSX to develop a robust ‘three lines of defence’ model in this area.
  4. National Back Office controls: Selected for audit to ensure that the data in the Personal Demographics Service (PDS) is fit for purpose and that releases of data to NHS and non-NHS bodies are appropriate. Actions arising from the review include formalising a strategy for work prioritisation and triaging requests, establishing a process to ensure consistency in quality assurance checks and ensuring data sharing agreements are in place for each user of the tracing service.

In addition to our internal audit service, we receive other third-party assurances including:

  • instructing another provider to undertake a review of our payroll function. The report identified significant issues around approval processes, oversight and reporting and highlighted a risk that some variable pay payments had been made incorrectly. We are in the process of investigating these outcomes and have already recruited additional resources to strengthen processes and improve our relationship with our third-party payroll supplier
  • ISAE3402 assurance reports covering our external payroll and financial services provided by NHS Shared Business Services (SBS). The reports provided unqualified assurance
  • ISAE3402 assurance reports for the GP Payment Systems we provide to the wider  NHS. This received a qualified assurance due to two minor instances where approval was not sought from the Technical Architect when gaining approval for a system change. We  have reviewed these instances. Compensating controls were in place and they worked as intended 

External audit

We have worked closely with the National Audit Office, who attend and contribute to all Audit and Risk Committee meetings. The external audit work sits outside of our normal governance arrangements but informs the development of our governance and risk processes together with our financial and other controls. The work of external audit is monitored by the Audit and Risk Committee through regular progress reports.

Stopping fraud and corruption

We are a publicly funded organisation and have an anti-fraud, bribery and corruption policy in place together with robust controls. We always seek the appropriate disciplinary, regulatory, civil and criminal sanctions against fraudsters and, where possible, we recover our losses. We also expect our suppliers and those working on their behalf to adhere to our standards and may seek to terminate contracts with any suppliers found by a court of law to have been guilty of corruption.

Our internal counter-fraud function investigates any evidence of corruption. The internal policy and strategy on tackling fraud, bribery and corruption is communicated to all staff and the policy and our management statement on corruption are available on our website.  

We work closely with several bodies including the Department of Health and Social Care Anti-Fraud Unit and the NHS Counter Fraud Authority to establish efficient counter fraud measures and to ensure we comply with standards set by the Cabinet Office.

We also hold a quarterly fraud working group,  chaired by the Finance Director and participate in the biennial National Fraud Initiative, an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

Whistleblowing

NHS Digital was one of the first 100 organisations to sign up to Protect’s Whistleblowing Commission  Code of Practice. We will continue to improve our policy and practice through engagement with Protect.

We have a nominated officer at board level to protect and develop whistleblowing arrangements and to encourage staff to openly raise concerns. 

There were four whistleblowing cases in the year, which were fully investigated internally or by an external body. All cases are now closed.

Impact of COVID-19

NHS Digital has had to operate with agility and at pace in order to effectively support the system response to the coronavirus pandemic. This has allowed the organisation to make important contributions to the response but the operating environment has generated some risks for NHS Digital and its suppliers, which we are managing in a proportionate manner, including in the area of data collection. The coronavirus has also directly affected some members of staff. Appropriate actions will be taken to ensure colleagues are protected and supported throughout the transition back to office-based working. We are working to fully define and stratify the continuing risks and review our control environment to ensure mitigation actions are effective and being fully progressed.

Org2

During 2018-19, NHS Digital began a transformation programme aimed at developing into a modern, agile organisation capable of meeting future delivery commitments. This programme, known as Org2, is responsible for delivering a range of initiatives including restructuring the workforce. The programme is split into three waves, with the first two largely complete by March 2020. The third wave has been delayed until the consequences for deliverables of the coronavirus are known. This programme introduces significant risks and a separate risk register has been created to manage these. This is reviewed regularly at board level.

Data and cyber security 

We worked with NHSX, NHS England, NHS Improvement, the Department of Health and Social Care, the National Cyber Security Centre and other partners to strengthen cyber resilience in 2019-20. Alongside our system-wide responsibility, we provide consultancy and assurance on systems and services delivered by NHS Digital.

We are delivering a multi-tiered approach to reduce systemic cyber security risk in the health and social care system while also providing local organisations with the means to manage cyber risk as ‘business as usual.’ This involves central interventions, such as the Cyber Security Operations Centre (CSOC), the Secure Boundary Service, and the Advanced Threat Protection capability, as well as local interventions with NHS providers, including the five National Cyber Security Centre questions for Boards, to increase preparedness and reduce vulnerability.

The risks to the health and social care system from cyber-attacks are growing and will increase significantly with the adoption of new technologies and services. We will continue to provide guidance, assessments and support to help organisations manage risk effectively and be properly prepared.

Data governance  

A wide-ranging legal, regulatory and compliance framework governs our receipt, processing and dissemination of data and information and our production of statistics.

We are responsible for ensuring that all our data and information is collected, stored and disseminated appropriately and continue to improve controls and protocols through the Data Access Request Service (DARS) in consultation with the Independent Group Advising on the Release of Data (IGARD), an independent group who assess applications for data.

By centralising all data requests and disseminations through DARS and through the introduction of new tools and services, we continue to increase efficiency and improve the quality of service for external users. We also provide system-wide advice on operational information governance to the health and social care sectors in England.

DARS handles all requests for personal data that is identifiable or potentially identifiable. Before any data is shared, we ensure that:

  • a legal basis for accessing the data exists
  • the customer has an appropriate level of security to safeguard the data
  • the customer passes our assessment process
  • dissemination is covered by a signed data sharing agreement and a data sharing framework contract

Particularly sensitive releases follow a full governance and approval process and we seek independent advice from IGARD when appropriate.

We ensure that the governance around the dissemination of such data is of the highest priority and this includes undertaking data-sharing audits to ensure that organisations meet the terms of their data-sharing agreement and framework contract. During 2019-20, we conducted audits of 19 organisations and recorded observations about their processes, procedures and non-conformities with NHS Digital contractual documentation. The outcome of audits and post-audit reviews are published on our website

Information governance

We continue to lead on a range of areas as they affect information governance, including:

  • improvements to the service and efficiency of our information governance function
  • building capacity to address new and emerging technologies such as AI
  • supporting increasingly complex data sharing arrangements
  • improving transparency and assurance across NHS Digital
  • increasing access to guidance and best practice in collaboration with other NHS organisations and the National Information Governance Board for the health and care system

There were 38 incidents during 2019-20 that were classified as personal data breaches under the General Data Protection Regulations and the Information Commissioner’s Office (ICO) guidance. 17 of these related to employee data and 21 related to patient data. During this period, four of the personal data breach incidents were reported to the ICO. These have been investigated and all have now been closed by the ICO.

1,647 freedom of information (FOI) requests were received. Nine responses were outside of the statutory deadline, resulting in a compliance rate of 99%. 15 internal reviews were carried out. No complaints were made to the ICO or were the subject of an appeal to the Information Tribunal. 50% of FOI requests relate to requests to access historic records, including the 1939 register, held by the National Back Office Team in Southport. We are transferring a number of historic records to the National Archive and, once delivered, this is expected to lead to a significant reduction in FOI requests.

In the same period, we received 1,037 data  subject access requests. Compliance within statutory deadlines was nearly 100%. Two internal reviews were carried out. No complaints were made to the ICO and there were no appeals to  the Information Tribunal.

Business continuity

NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate in an efficient manner and that we can support the NHS in the event of threats to these systems. We maintain a business continuity management system (BCMS) that is aligned to the requirements of ISO 22301 and related standards. This provides:

  • a corporate incident management framework and supporting processes
  • business continuity plans covering all NHS Digital activities
  • a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
  • arrangements to support the management of NHS Digital facility-related health and safety incidents
  • supply chain continuity management. We confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of service to NHS Digital and its customers

Our professional and qualified staff provide subject matter expertise in line with relevant industry standards and best practice across government.

Clinical governance

Our digital programmes and services are integral to the health and care of patients and citizens. It is therefore essential that we have an effective clinical governance framework in place across all  of the organisation. We conducted a complete review of the clinical function within NHS Digital during 2019-20 and developed an enhanced clinical governance framework with a particular emphasis on the identification and management of risk. We will introduce and refine this during 2020-21, with additional work to develop an improved system of learning, professional development and continuous quality  improvement.

We maintain careful oversight of the clinical impact and relevance of NHS Digital’s portfolio and have reviewed our approach to patient safety to ensure this is embedded throughout the organisation and have enhanced our safety processes for services that are transitioning from testing to live service.


Chief Executive's review of effectiveness

As Accounting Officer, I have responsibility for the system of internal controls supporting and enabling the achievement of NHS Digital’s aims and objectives, while safeguarding the public funds and assets for which I am personally responsible in accordance with ‘Managing Public Money’ and as set out in my Accounting Officer appointment letter. In particular, I am responsible for ensuring that expenditure does not exceed the annual budget allocated. I have undertaken this responsibility by seeking a range of assurances.

In 2019-20, I was primarily informed by:

  • my attendance at NHS Digital’s Audit and Risk Committee and by reviewing its minutes, papers and annual report to the Board
  • work undertaken by the National Audit Office
  • the work of internal audit, who have completed an agreed, comprehensive range of assessments. The head of internal audit provided an opinion on the overall arrangements for assurance and on the controls reviewed and concluded on a ‘Moderate’ rating
  • monitoring of regularly reviewed audit and gateway actions
  • the assurance framework itself, which provided evidence on the effectiveness and maintenance of internal controls that manage the risks to the organisation - to support this assessment, each directorate produced a self-assessment control and assurance statement and assurance maps highlighting areas for improvement
  • clear performance management arrangements for executive directors and senior managers
  • the effectiveness of the system of internal control provided by the Board, Information Assurance and Cyber Security Committee and Audit and Risk Committee 

I am accordingly aware of any significant issues that have been raised.

Significant challenges 

The past year has been challenging, with a continuation of the technology transformation programme, increasing external risks to our technology services and continued internal transformation activities. I am confident that the level of governance, assurance and control of NHS Digital has improved and that we are now well advanced towards achieving the standards of control I expect from the organisation.

Significant challenges we have dealt with in the year include:

1. Providing  support  for  the  health  and  care system: Responsibilities in this area have included supporting the NHS response to coronavirus and providing support, expertise and services for external healthcare providers in managing information security risks to prevent data or service loss. Mitigation actions taken during the year have included:

  • focusing resources to support the NHS response to the coronavirus outbreak, including changes to NHS 111 Pathways, NHS.UK, provision of data services, technical IT and product support and the development of digital solutions to enhance the system response
  • rolling out Windows 10 and Advanced Threat Protection to NHS organisations to improve information security

2. Undertaking major organisational transformation to ensure that we have the capacity, capability and flexibility required to meet the future digitisation and associated needs of the health and care system. Specific mitigation actions taken during the year have included:

  • continuing delivery of the Org2 transformation programme
  • publication of a new People Plan
  • reviewing our brand proposition
  • critical role assessment and succession planning

3. Ensuring the continuity of critical systems and services. Risk mitigation is focused on ensuring that we have effective controls, including business continuity plans, in place to ensure resilience of critical systems and services and to maintain high levels of availability, integrity and confidentiality that will achieve defined service levels.

4. Successful delivery of critical change programmes that we are commissioned to deliver for the health and care system. During the year, we have mitigated this risk by further strengthening our programme resourcing and governance controls. We have prioritised the resourcing of our critical programmes.

5. Delivering data services that fulfil our duty to safely, securely and appropriately collect, analyse and disseminate high quality and timely data. We mitigate the risks of data sharing and to personal data security by ensuring that we have effective, appropriate and proportionate controls in place, taking account of the type of data concerned and the use to which it will be put. We only process personal identifiable data when all legal and information governance compliance requirements have been fully met. In the 2020-21 financial year, we will introduce a series of audits reviewing areas nominated by our Data Protection Officer to assure our compliance with Data Protection Act 2018 and the General Data Protection Regulations.  

6. Enhancing organisational and system governance. We have worked closely with NHSX as changes are being introduced to our governance, approvals and assurance processes. We have agreed changes to remits, roles, responsibilities, accountabilities, governance structures and ways of working between our two organisations. We have also further enhanced our clinical governance framework to ensure adequate clinical safety, quality and patient experience in the products and services we deliver.

7. Ensuring that NHS Digital is adequately prepared to manage the impacts of EU exit. Mitigation actions taken during the year included:

  • establishing an executive level lead and supporting working group
  • scenario planning, check-and-challenge sessions and a refresh of our business continuity plans
  • close liaison with the Department of Health and Social Care and its other arm’s length bodies

All the above will remain key areas of focus for 2020-21 and we continue to support the health and social care sector, patients and the public to meet the current unprecedented challenges.

Significant control issues. Late in the financial year, a payroll audit was undertaken which identified concerns with respect to our relationship with the outsourced payroll supplier and internal checking and reporting, especially with respect to variable pay. A management action plan was agreed, with immediate steps taken to close control gaps, and further actions planned to establish a robust and sustainable process.

I accept the observations by both the internal auditors and the National Audit Office and I believe them to be a fair and accurate view of the organisation. We will continue to embed rigorous and sound assurance as a priority for NHS Digital in 2020-21.


Statement of Accounting Officer's responsibilities

Under the Health and Social Care Act 2012 and directions made thereunder by the Secretary of State with the approval of HM Treasury, we are required to prepare a Statement of Accounts for each financial year in the form and on the basis determined by the Secretary of State. The Accounts are prepared on an accruals basis and must give a true and fair view of our state of affairs and of our net resource outturn, application of resources, changes in taxpayers’ equity and cashflows for the financial year.

In preparing the Accounts, the Accounting Officer are required to comply with the requirements of the Government Financial Reporting Manual and, in particular, to:

  • observe the accounts direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
  • make judgements and estimates on a reasonable basis
  • state whether applicable accounting standards, as set out in the Government Financial Reporting Manual, have been followed and disclosed and explain any material departures in the financial statements
  • prepare the financial statements on a going concern basis, unless it is inappropriate to presume that NHS Digital will continue in operation

The Accounting Officer for the Department of Health and Social Care has appointed our Chief Executive as the Accounting Officer who has responsibility for preparing our accounts and transmitting them to the Comptroller and Auditor General. Specific responsibilities include the propriety and regularity of the public finances for which the Accounting Officer is answerable, for keeping proper records and for safeguarding our assets, as set out in ‘Managing Public Money’ published by the HM Treasury. As Accounting Officer I am able to confirm that:

  • as far as I am aware, there is no relevant audit information of which the auditors are unaware
  • I have made myself aware of any relevant audit information and established that the entity’s auditors are aware of that information
  • the Annual Report and Accounts as a whole are fair, balanced and understandable
  • I take personal responsibility for the Annual Report and Accounts and the judgement required for determining that they are fair, balanced and understandable

Parliamentary accountability and audit report

The purpose of the Parliamentary Accountability and Audit Report is to summarise the key parliamentary accountability documents within the Annual Report and Accounts including the Certificate and Report of the Auditor General to the House of Parliament. All elements of this report are subject to audit.

Losses and special payments

Losses and special payments are items that Parliament would not have contemplated when it agreed funds for the health service or passed legislation. By their nature, they are items that ideally should not arise. They are, therefore, subject to special control procedures.

During 2019-20, there were 92 losses and special payments (2018-19: 207), amounting to £367,832 (2018-19: £4,292,450).

Losses and special payments include bad debts written off, losses of minor IT equipment and mobile phones, settlement of employment related claims and payment of home to office tax liabilities, tax penalties and interest. Interest paid under the Late Payment of Commercial Debt (Interest) Act 1998 amounted to nil (2018-19: £39).

Gifts

No political donations were made in the year. During the year, 100 Surface tablets that were nearing the end of their normal useful life were donated to a school. The assets had a net book value of £3,647.

Remote contingent liabilities

We have not identified any significant remote contingent liabilities. These are liabilities for which the likelihood of a transfer of economic benefit in settlement is too remote to meet the definition of contingent liability within the meaning of IAS 3.

Fees and charges 

Fees and charges are for ‘data-related services’. This is the provision of health-related data to customer requirements, data-linkage services and data extracts for research purposes. No charges are made for the actual data, only for the cost of providing the data to the customer in the format and to the specification required, including a fee for ensuring information governance requirements are complied with.

The fees and charges note below is subject to audit:

2019-20

£000

2018-19

£000

Income 2,385 2,229
Expenditure (2,479) (2,218)
(Deficit)/surplus (94) 11

Sarah Wilkinson

Chief Executive

7 July 2020


The certificate and report of the Comptroller and Auditor General to the Houses of Parliament

Opinion on financial statements

I certify that I have audited the financial statements of the Health and Social Care Information Centre for the year ended 31 March 2020 under the Health and Social Care Act 2012. The financial statements comprise: the Statement of Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in Taxpayers’ Equity; and the related notes, including the significant accounting policies. These financial statements have been prepared under the accounting policies set out within them. I have also audited the information in the accountability report that is described in that report as having been audited.

In my opinion:

  • the financial statements give a true and fair view of the state of the Health and Social Care Information Centre’s affairs as at 31 March 2020 and of net expenditure for the year then ended; and
  • the financial statements have been properly prepared in accordance with the Health and Social Care Act 2012 and Secretary of State directions issued thereunder

Opinion on regularity

In my opinion, in all material respects the income and expenditure recorded in the financial statements have been applied to the purposes intended by Parliament and the financial transactions recorded in the financial statements conform to the authorities which govern them.

Basis of opinions

I conducted my audit in accordance with International Standards on Auditing (ISAs) (UK) and Practice Note 10 ‘Audit of Financial Statements of Public Sector Entities in the United Kingdom’. My responsibilities under those standards are further described in the Auditor’s responsibilities for the audit of the financial statements section of my certificate.

Those standards require me and my staff to comply with the Financial Reporting Council’s Revised Ethical Standard 2016. I am independent of the Health and Social Care Information Centre in accordance with the ethical requirements that are relevant to my audit and the financial statements in the UK. My staff and I have fulfilled our other ethical responsibilities in accordance with these requirements. I believe that the audit evidence I have obtained is sufficient and appropriate to provide a basis for my opinion.

Conclusions relating to going concern

I have nothing to report in respect of the following matters in relation to which the ISAs (UK) require me to report to you where:

  • the Health and Social Care Information Centre’s use of the going concern basis of accounting in the preparation of the financial statements is not appropriate; or
  • the Health and Social Care Information Centre have not disclosed in the financial statements any identified material uncertainties that may cast significant doubt about the Health and Social Care Information Centre’s ability to continue to adopt the going concern basis of accounting for a period of at least twelve months from the date when the financial statements are authorised for issue.

Responsibilities of the Accounting Officer for the financial statements

As explained more fully in the statement of Accounting Officer’s responsibilities, the Accounting Officer is responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view.

Auditor’s responsibilities for the audit of the financial statements

My responsibility is to audit, certify and report on the financial statements in accordance with the Health and Social Care Act 2012.

An audit involves obtaining evidence about the amounts and disclosures in the financial statements sufficient to give reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

As part of an audit in accordance with ISAs (UK), I exercise professional judgement and maintain professional scepticism throughout the audit.

I also:

  • identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for my opinion - the risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control
  • obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Health and Social Care Information Centre’s internal control
  • evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by management
  • evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the financial statements represent the underlying transactions and events in a manner that achieves fair presentation
  • conclude on the appropriateness of the Health and Social Care Information Centre’s use of  the going concern basis of accounting and, based on the audit evidence obtained,  whether a material uncertainty exists related to events or conditions that may cast significant doubt on the Health and Social Care Information Centre’s ability to continue as a going concern. If I conclude that a material uncertainty exists, I am required to draw attention in my report to the related  disclosures in the financial statements or, if such disclosures are inadequate, to modify my opinion. My conclusions are based on the  audit evidence obtained up to the date of my report. However, future events or conditions may cause the Health and Social Care Information Centre to cease to continue as a going concern.

I communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that I identify during my audit.

In addition, I am required to obtain evidence sufficient to give reasonable assurance that the income and expenditure reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them.

Other information

The Accounting Officer is responsible for the other information. The other information comprises information included in the annual report, but does not include the parts of the Accountability Report described in that report as having been audited, the financial statements and my auditor’s report thereon. My opinion on the financial statements does not cover the other information and I do not express any form of assurance conclusion thereon. In connection with my audit  of the financial statements, my responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or my knowledge obtained in the  audit or otherwise appears to be materially misstated. If, based on the work I have performed, I conclude that there is a material misstatement of this other information, I am required to report that fact. I have nothing to report in this regard.

Opinion on other matters

In my opinion:

  • the parts of the accountability report to be audited have been properly prepared in accordance with Secretary of State directions made under the Health and Social Care Act 2012:
  • in the light of the knowledge and understanding of the Health and Social Care Information Centre and its environment obtained in the course of the audit, I have not identified any material misstatements in the Performance Report or the Accountability Report; and
  • the information given in the Performance Report and Accountability Report for the financial year for which the financial statements are prepared is consistent with the financial statements

Matters on which I report by exception

I have nothing to report in respect of the following matters which I report to you if, in my opinion:

  • adequate accounting records have not been kept or returns adequate for my audit have not been received from branches not visited by my staff; or
  • the financial statements and the parts of the Accountability Report to be audited are not in agreement with the accounting records and returns; or
  • I have not received all of the information and explanations I require for my audit; or
  • the Governance Statement does not reflect compliance with HM Treasury’s guidance.

Report

I have no observations to make on these financial statements.

Gareth Davies
Comptroller and Auditor General 

10 July 2020

National Audit Office
157-197 Buckingham Palace Road
Victoria
London
SW1W 9SP

Last edited: 27 August 2020 2:33 pm