Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023.

Part of NHS Digital annual report and accounts 2021-22

Accountability report


Corporate governance report

This section explains the external framework and internal systems of monitoring and control that help us define our objectives and ensure we achieve them.

Our constitution is set out in Schedule 18 of the Health and Social Care Act 2012. An Accounting Officer Memorandum sent by the Department of Health and Social Care Principal Accounting Officer to our Chief Executive describes the formal arrangements that underpin our existence.

Our governance 

NHS Digital is led by a board and 4 board committees. All of these committees are chaired by non-executive directors.

The Board is supported operationally by the Executive Management Team (EMT). The EMT is responsible for communicating and delivering the strategy agreed by the Board.

The Board consisted, at 31 March 2022, of 3 executives, 9 non-executives, including the Chair, and 1 ex-officio member who is the department sponsor. These arrangements comply with the requirements of the Health and Social Care Act 2012, which stipulates that the Board should have at least 6 non-executive directors and not more than 5 executive members.

The Board

The Board supports the Chief Executive, who is the Accounting Officer and is accountable to both the Secretary of State for Health and Social Care and to Parliament for the performance of the organisation. The Chief Executive is also responsible for maintaining high standards of probity in the management of public funds. Collectively, the Board is responsible for ensuring that NHS Digital complies with all statutory and administrative requirements, and for the appropriate use of public funds allocated to it.

Details of the conduct of the Board, and the roles and responsibilities of its members, are set out in the Board Terms of Reference, which are derived from our Corporate Governance Manual. These include our standing orders, standing financial instructions and scheme of delegation. All of these documents are reviewed annually and are available to the public.

The powers retained and exercised by the Board include:
  • agreeing our vision, values, culture and strategy within the policy and resources framework agreed with the Department of Health and Social Care

  • agreeing appropriate governance and internal assurance controls, especially in relation to financial and performance risks

  • approving business strategy, business plans, key financial and performance targets, and the annual accounts

  • ensuring sound financial management and value for money

  • supporting the EMT and holding it to account

  • ensuring that we comply with any duties imposed on public bodies by statute 

A register of interests, drawing together declarations of interest made by all members of the Board, is open to public scrutiny and is published with every set of board papers, copies of which can be found on the ‘Our organisation’ section of the NHS Digital website. Details of related-party transactions are set out in Note 18 of the Accounts on page 147 of this report. Biographies of the Board are in Appendix B: Board members' biographies and register of interests.

The Chair and non-executive directors are appointed by the Secretary of State for Health and Social Care. The Chief Executive is appointed by the Board, and other executive officers are appointed by the Chief Executive. Executive membership is agreed by the Board.

Changes to the Board’s membership during the year were:

  • Ben Goldacre, Steven Woodford and Patrick Eltridge were appointed on 1 April 2021
  • Sarah Wilkinson left her post as Chief Executive Officer and was replaced by Simon Bolton as Interim Chief Executive Officer, with the handover of Accounting Officer responsibilities effective from 4 June 2021
  • Pete Rose died in service in August 2021
  • Soraya Dhillon and Marko Balabanovic completed their terms of office as non-executive directors on 31 December 2021
  • Daniel Benton and Sudhesh Kumar’s terms of office were extended for another year
  • Daniel Benton was also appointed as Senior Independent Director

On 31 March 2022, the Board included 3 executive directors who were men and no executive directors who were women. 7 of our non-executives were men and 2 were women.

The charts below show the composition of our Board members by gender and ethnicity.

Each non-executive director's term of office is as follows:

| Name | Start date | End date |
|---|---|---|
| Laura Wade-Gery [1] | 1 September 2020 | 31 March 2023 |
| Soraya Dhillon [2] | 1 January 2017 | 31 December 2021 |
| Marko Balabanovic [2] | 1 January 2017 | 31 December 2021 |
| Daniel Benton [3] | 1 January 2017 | 31 March 2023 |
| Sudhesh Kumar [3] | 1 January 2017 | 31 March 2023 |
| Deborah Oakley | 1 July 2018 | 30 June 2024 |
| John Noble | 1 July 2018 | 30 June 2024 |
| Balram Veliath | 1 July 2018 | 30 June 2024 |
| Ben Goldacre | 1 April 2021 | 31 March 2024 |
| Steven Woodford | 1 April 2021 | 31 March 2024 |
| Patrick Eltridge [4] | 1 April 2021 | 31 March 2024 |

1 The Department of Health and Social Care confirmed the extension of Laura Wade-Gery’s term of office as Chair of NHS Digital by 12 months to 31 March 2023.

2 Soraya Dhillon and Marko Balabanovic ended their term of service and retired from the Board on 31 December 2021.

3 Daniel Benton and Sudhesh Kumar have had their terms of office extended until the merger between NHS Digital and NHS England takes place.

4 Patrick Eltridge ended his term of service and retired from the Board in September 2022.

During 2021-22, the planned programme of board meetings continued to be impacted by the pandemic, resulting in board meetings being held virtually. Over the year, 5 formal meetings of the Board were convened, and these sessions were open to members of the public to attend and observe. The sessions held in private considered items of a commercial or confidential nature that could not be discussed in public.

Papers and previous minutes are made available on the ‘Our organisation’ section of the NHS Digital website in advance of the meetings.

As well as standing agenda items on the governance and performance of our organisation, the statutory meetings discussed a range of topics including, exceptionally:

  • COVID-19 – NHS Digital’s support for the national response to the pandemic
  • employee welfare and support arrangements
  • equality, diversity, and inclusion, including ambitions and targets
  • health and safety
  • sustainability
  • in-depth reviews of live services, infrastructure and collaboration technologies
  • NHSmail and Health and Social Care Network deployment
  • GP Data for Planning and Research
  • NHS App and COVID-19 vaccination certifications

Members of the Board also allocate time alongside the formal meetings for board development and to consider strategic issues within the organisation and in the broader digital environment. These in-depth meetings include additional senior operational staff.

Some key issues discussed during 2021-22 included:
  • the publication of the Wade-Gery review commissioned by the Secretary of State, titled ‘Putting data, digital and tech at the heart of transforming the NHS’, and the recommendations including the future direction of NHS Digital, Health Education England and NHS England

  • the future approach to product management and service design

  • consideration of accrued technical debt

  • race awareness

  • aligning systems architecture across the health service

  • cloud services strategy and system-wide sustainability

  • the Health and Care Bill and what it means to the NHS

  • information and data governance and framework

Board effectiveness

In the 2019-20 Annual Report, the former Chair confirmed that an independent external review of the Board’s effectiveness had been undertaken and that the main themes emerging from the review were:

  1. Board leadership: non-executive directors, with executive directors, should continue engaging actively with partners and providers to extend NHS Digital’s insight and influence on technical and data strategy across the system.
  2. The Board’s effectiveness as a team: the Board should optimise its value-add overall in the context of NHS Digital’s remit for 2021-22.
  3. Ensuring a healthy culture: the Board should continue its work to ensure a healthy culture and high levels of staff engagement to support the delivery of NHS Digital’s strategic objectives.

The COVID-19 pandemic and subsequent national lockdowns had an impact on the progress of all aspects of the review; however, the Board has used multiple opportunities to progress with these themes. For example, the move to video communications and webinars for ‘All Hands’ staff meetings has enabled non-executive directors to operate in fuller knowledge of team morale, while the introduction of wellness pulse check-ins for all staff has strengthened organisation engagement.

At the beginning of 2021-22 the Board appointed 3 new non-executive directors which, coupled with the new interim CEO, strengthened the Board and allowed it to refocus on NHS Digital’s role within the health system and how best to leverage its expertise to drive wider system transformation for the future. Our new non-executive directors bring highly relevant backgrounds to our role in the provision of data and technology solutions to the health and care system and have added to the Board’s value.

In 2021-22, the Board committed to reviewing its progress against the 2019-20 recommendations and its overall effectiveness using an internal review process. This internal review was completed in the final quarter of 2021-22 and will formally report its findings to the Board in early 2022-23. However, the key observations are:

  • good progress has been made and continues to be made against the 3 key 2019-20 board effectiveness themes, with the review noting improvements in the Board’s level of engagement with key stakeholders, its support for the development of NHS Digital’s culture, and having increased its support for and engagement with the Executive Management Team

The 2021-22 review also sought views on what the future Board (after the merger of NHS Digital with NHS England) might need to know. The key observation was:

  • respondents identified that there has been significant added value from establishing non-executive led assurance committees such as those for cyber, information and data

The Board committees

The Board has established 4 committees with responsibility for providing an independent view to the Chief Executive and the Board on:

  • audit and risk
  • information assurance and cyber security
  • people and transition
  • investment assurance

Day-to-day operational matters are managed through the Executive Management Team.

A standing item on the Board’s agenda allows the chairs of committees to report on their deliberations. The minutes of the Board’s committees (other than those of the People and Transition Committee) are circulated to board members after they are ratified.

The delegated responsibilities of each committee are described as follows.

Audit and Risk Committee (ARC) – Chair: Deborah Oakley

The committee provides an independent view to the Chief Executive and the Board of the organisation’s internal controls, operational effectiveness, governance and risk management. This includes an overview of internal and external audit services, risk management and counter-fraud activities.

The committee is authorised to investigate any activity within its terms of reference and to seek any information that it requires from any employee. It is able to seek legal or independent professional advice and secure the attendance of external specialists.

The key areas of activity in 2021-22 included:

  • continued review of the Risk Radar and progress towards the agreement of key risk indicators
  • several strategic risk ‘deep dives’ including clinical risk and vaccinations, medical devices, National Disease Registration Service transfer, transition governance and an overview of key risks outside NHS Digital’s risk appetite
  • several directorate assurance ‘deep dives’ including HR, Data Services and Platforms
  • continued review of risks with respect to the COVID-19 pandemic and the impact on NHS Digital’s overall risk profile
  • received assurance of NHS Digital’s internal controls through a robust internal audit plan and regular reporting on whistleblowing and counter fraud
  • careful consideration of the valuation methodology and approach for NHS Digital’s intangible assets
  • beginning to consider NHS Digital’s transitional risk into the new organisation

Information Assurance and Cyber Security Committee (IACSC) – Chair: John Noble

The committee has representation from across government and beyond, including the Cabinet Office, the National Cyber Security Centre (NCSC), and UK Health Security Agency. It is responsible for ensuring that there is an effective cyber security and information assurance function that meets recognised government standards and provides appropriate independent assurance to the Chief Executive and the Board.

The IACSC reviews the cyber security work of the Data Security Centre (DSC), the IT Operations directorate, and the Privacy, Transparency, Ethics and Legal (PTEL) directorate and considers the implications of management responses to its work. It monitors other significant internal and external cyber assurance functions. It is authorised to investigate activities within its terms of reference, and all employees are directed to co-operate with its requests for information. It can seek legal or independent professional advice at NHS Digital’s expense.

The main areas considered in 2021-22 included:

  • assuring cyber security work undertaken by NHS Digital with the NCSC and NHSX to provide enhanced protection for health and social care organisations during the COVID-19 pandemic
  • considering the wider cyber security threat context on a global scale that the NHS operates within, thanks to regular advice and guidance from the NCSC
  • assurance that NHS Digital has been working towards achieving Cyber Essentials Plus (CE+) certification
  • regular updates from the DSC with regards to the challenges in recruiting to the required staffing levels, and the work of the Cyber Security Operations Centre to support NHS Test and Trace and the vaccines and booster roll-out
  • reviewing the decisions made by the DSC’s Specialist Security Services team during the pandemic and the impact of those decisions on security and technical debt
  • development of improved key performance indicators to measure organisational and system-wide cyber security readiness
  • understanding and measuring third-party risk, including looking at the cyber readiness of NHS Digital corporate systems provided by third parties
  • a ‘deep dive’ examination of the security of NHS Digital’s own systems using the NCSC’s ‘Questions for Boards to Ask about Cyber Security’
  • developing the remit of IACSC to better incorporate information governance assurance from the PTEL directorate, and undertaking reviews of current data sharing arrangements

People and Transition Committee (PTC) – Chair: Laura Wade-Gery

Previously called the Talent, Remuneration and Management Committee, the People and Transition Committee’s role, among a range of staff-related matters, is to:

  • make recommendations to the Department of Health and Social Care on the level of the remuneration packages of the Chief Executive and other executive directors within the provisions of the pay framework for executive and senior managers or successor arrangements
  • review and assure the annual performance objectives and targets of executive directors and pay arrangements for other senior managers
  • ensure that all matters relating to pay and conditions that require approval from the Department of Health and Social Care Remuneration Committee, or other external authority, are submitted for approval and that the decisions of those bodies are appropriately implemented
  • review and assure workforce and senior management restructuring proposals arising from annual productivity assessments, specific cost reduction plans or capability prioritisation proposals
  • review and make recommendations on the size, composition and structure of the Board, including assessing and making recommendations to the Department of Health and Social Care about the skills, knowledge and experience required from board appointees

Investment Committee (IC) – Chair: Daniel Benton

The committee assures delivery commitments made by NHS Digital in response to commissions and approves financial commitments whose value exceeds the delegated authority of the Chief Executive, to ensure that NHS Digital assumes an acceptable level of delivery risk. It consists of 3 non-executive directors and the Chief Financial Officer, the Chief Commercial Officer, and Executive Director of Product Delivery. Other members of the Executive Management Team attend as required by the agenda.

Specifically, the committee ensures that programmes have shown that they:

  • provide solutions that meet the requirements of the Delivery Oversight and Assurance Board (DOAB) and the senior responsible owner which do not exceed the required scope, and which provide value for money
  • have appropriate management and resourcing arrangements, including agreed commercial strategies and risk management
  • are technically robust and clinically safe
  • are affordable
  • have robust proposals for cyber and information security
  • have acceptable levels of compliance risk, particularly with respect to information governance and procurement

The IC has recently considered:

  • how to regularise commercial commitments that were put in place rapidly to enable us to respond to the urgent needs of the pandemic, developing transition plans that balance the need to manage operational risk and the need to move to more sustainable commercial arrangements
  • investment cases for programmes of work, including an interim cervical call/recall solution, Interoperable Medicines, GP IT Futures, e-Referral Service transformation and optimisation, national digital channels and Digital Transformation of Screening

Following IC endorsement, business cases are submitted to the DOAB hosted by NHS England Transformation Directorate.

Executive Management Team (EMT)

The EMT is responsible for communicating and delivering the strategy agreed by the Board. It is chaired by the Chief Executive and meets regularly. Action points and decisions are disseminated to all staff through the corporate intranet.

Directors’ attendance at the Board and its committees was as follows: 

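| | Public Board | Board Development | ARC | IACSC | PTC [1] | IC |
|---|---|---|---|---|---|---|
| Number of meetings | 5 | 3 | 6 | 4 | 6 | 9 |

| Executive directors | Public Board | Board development | ARC | IACSC | PTC* | IC |
|---|---|---|---|---|---|---|
| Sarah Wilkinson [2] | 1/1 | - | 1/1 | - | 1/1 | - |
| Simon Bolton | 5/5 | 3/3 | 6/6 | - | 5/6 | 3/5 [3] |
| Pete Rose [4] | 1/2 | 1/2 | - | 0/1 | - | - |
| Carl Vincent | 5/5 | 3/3 | 6/6 | - | - | 8/9 |
| Jonathan Benger | 5/5 | 3/3 | 1/1 [5] | - | 1/1 | - |

| Non-executive directors | Public Board | Board development | ARC | IACSC | PTC* | IC |
|---|---|---|---|---|---|---|
| Laura Wade-Gery | 4/5 | 2/3 | - | - | 5/6 | - |
| Marko Balabanovic [6] | 4/5 | 3/3 | - | 3/3 | - | 5/6 |
| Soraya Dhillon | 4/5 | 3/3 | - | - | 4/5 | 6/6 |
| Daniel Benton | 5/5 | 3/3 | 6/6 | - | 1/1 | 9/9 |
| Sudhesh Kumar | 5/5 | 3/3 | 6/6 | - | 1/1 | - |
| John Noble | 4/5 | 3/3 | 6/6 | 4/4 | 1/1 | - |
| Deborah Oakley | 5/5 | 3/3 | 6/6 | 4/4 | - | - |
| Balram Veliath | 4/5 | 3/3 | 6/6 | - | 6/6 | - |
| Ben Goldacre | 4/5 | 3/3 | - | - | - | - |
| Steven Woodford | 4/5 | 3/3 | - | - | - | 2/3 |
| Patrick Eltridge | 5/5 | 2/3 | - | - | 1/1 | 9/9 |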

1 The Talent, Remuneration and Management Committee changed its name to the People and Transition Committee in February 2022

2 Sarah Wilkinson stepped down as Chief Executive in June 2021

3 From October 2021 as an attendee, not a member of the committee

4 Pete Rose died in August 2021

5 As an attendee, not a member of the committee

6 The term of office for Marko Balabanovic and Soraya Dhillon ended on 31 December 2021

7 Daniel Benton and John Noble joined the People and Transition Committee during 2021-22

8 Sudhesh Kumar attended 1 People and Transition Committee meeting as Chair

Remuneration and staff report

The staff costs and the average number of whole-time equivalent persons are subject to audit:

| | 2021-22 (£000) | 2020-21 (£000) |
|---|---|---|
| Permanent staff | | |
| Salaries and wages | 138,036 | 131,428 |
| Social security costs | 15,375 | 14,284 |
| Apprenticeship levy | 678 | 628 |
| Employer superannuation contributions - NHS Pension Scheme | 26,100 | 23,877 |
| Employer superannuation contributions - other | 487 | 404 |
| Staff seconded to other organisations | 798 | 1,049 |
| Capitalised employed staff costs | (10,125) | (9,011) |
| Total permanent staff costs | 171,349 | 162,659 |
| Other staff | | |
| Temporary staff | 23,177 | 13,834 |
| Contractors | 73,329 | 32,872 |
| Staff seconded from other organisations | 1,388 | 1,028 |
| Capitalised other staff costs | (6,214) | (3,402) |
| Total other staff costs | 91,680 | 44,332 |
| Total staff costs | 263,029 | 206,991 |
| Termination benefits | 114 | 660 |
| Total staff costs including termination benefits | 263,143 | 207,651 |


The average number of whole-time equivalent persons employed during the year:

| | 2021-22 | 2020-21 |
|---|---|---|
| Permanent staff and secondees | 2,661 | 2,480 |
| Temporary staff and contractors | 841 | 452 |
| Total | 3,502 | 2,932 |
| The average number of whole-time equivalent persons employed during the year whose time was capitalised | 182 | 150 |

Nothing was spent on staff benefits during the year and there were 2 early retirements on the grounds of ill health; the accrued pension benefit was £80,837. In 2020-21, there were 2 (re-stated) early retirements on the grounds of ill health; the accrued pension benefit for these people was £49,894. Of the 7 originally disclosed in 2020-21, 5 were of pensionable age. 

Exit packages 

Total staff termination packages are as follows and are subject to audit:


| | Number of compulsory redundancies | Cost of compulsory redundancies | Number of compulsory redundancies | Cost of compulsory redundancies |
|---|---|---|---|---|
| <£10,000 | 1 | 7,033 | 3 | 11,419 |
| £10,000-£25,000 | 2 | 40,148 | 1 | 20,526 |
| £25,000-£50,000 | - | - | - | - |
| £50,000-£100,000 | - | - | 2 | 141,969 |
| £100,000-£150,000 | 1 | 123,995 | 1 | 140,437 |
| £150,000-£200,000 | 1 | 183,739 | 1 | 166,962 |
| >£200,000 | - | - | - | - |
| Total number of exit packages | 5 | 354,915 | 8 | 481,313 |

There were no voluntary or other redundancies.

Confidentiality clauses were included in the agreements relating to the 2 redundancies in 2021-22 which were over £100,000. Cabinet Office approval was required, and further details can be found under significant control issues in this report. 

All redundancies for 2021-22 reported above were concluded in the year, and there were no accrued costs as at 31 March 2022.

Pension information

Most NHS Digital staff are covered by the NHS Pension Scheme (the 1995/2008 scheme and the 2015 scheme).

NHS Pension Scheme

Past and present employees are covered by the provisions of the 2 NHS pension schemes. Details of the benefits payable and rules of the schemes can be found on the NHS Pension Scheme website. Both are unfunded, defined benefit schemes that cover NHS employers, GP practices and other bodies in England and Wales allowed under the direction of the Secretary of State for Health and Social Care. They are not designed to be run in a way that would enable NHS bodies to identify their share of the underlying scheme assets and liabilities. Therefore, each scheme is accounted for as if it were a defined contribution scheme whereby the cost to the NHS body of participating in each scheme is taken as equal to the contributions payable to that scheme for the accounting period.

So that the defined benefit obligations recognised in the financial statements do not differ materially from those that would be determined at the reporting date by a formal actuarial valuation, the Financial Reporting Manual (FReM) requires that “the period between formal valuations shall be 4 years, with approximate assessments in intervening years.” An outline of these follows:

a) Accounting valuation

A valuation of scheme liability is carried out annually by the scheme actuary (currently the Government Actuary’s Department) as at the end of the reporting period. This utilises an actuarial assessment for the previous accounting period in conjunction with updated membership and financial data for the current reporting period and is accepted as providing suitably robust figures for financial reporting purposes. The valuation of the scheme liability, as at 31 March 2022, is based on valuation data for 31 March 2021, updated to 31 March 2022, with summary global member and accounting data. In undertaking this actuarial assessment, the methodology prescribed in IAS 19, relevant FReM interpretations, and the discount rate prescribed by HM Treasury have also been used.

The latest assessment of the liabilities of the scheme is contained in the scheme’s actuary report, which forms part of the annual NHS Pension Scheme pension accounts. These accounts can be viewed on the NHS Pension Scheme website and are published annually. Copies can also be obtained from The Stationery Office.

b) Full actuarial (funding) valuation

The purpose of this valuation is to assess the level of liability in respect of the benefits due under the schemes (taking into account recent demographic experience) and to recommend contribution rates payable by employees and employers.

The latest actuarial valuation undertaken for the NHS Pension Scheme was completed as at 31 March 2016. The results of this valuation set the employer contribution rate payable from April 2019 to 20.6% of pensionable pay.

The 2016 funding valuation also tested the cost of the scheme relative to the employer cost cap that was set following the 2012 valuation. There was initially a pause in 2019 to the cost control element of the 2016 valuations, due to the uncertainty around member benefits caused by the discrimination ruling relating to the McCloud case. In July 2020, the government announced that the pause had been lifted, and so the cost control element of the 2016 valuations could be completed.

HM Treasury published valuation directions dated 7 October 2021 that set out the technical detail of how the costs of remedy are included in the 2016 valuation process. Following these directions, the scheme actuary has completed the cost control element of the 2016 valuation for the NHS Pension Scheme, which concludes no changes to benefits or member contributions are required. The 2016 valuation reports can be found on the NHS pension scheme website - NHS Pension Scheme Accounts and Valuation Reports.

National Employment Savings Trust

Employees who do not wish to join the NHS Pension Scheme can opt to join the National Employment Savings Trust (NEST) scheme. This is a stakeholder pension scheme based on defined contributions. The minimum combined contribution is currently 8% of qualifying earnings, of which the employer must pay 3%. Employees can choose to pay more into the fund, subject to a current cap of £4,700 per annum. 10 NHS Digital employees were members of the NEST Scheme during 2021-22.

The Principal Civil Service Pension Scheme

The Principal Civil Service Pension Scheme (PCSPS) and the Civil Servant and other Pension Scheme, known as ‘alpha’, are unfunded multi-employer defined benefit schemes. NHS Digital is unable to identify its share of the underlying assets and liabilities. The scheme actuary valued the scheme as at 31 March 2016.

Details can be found in the resource accounts of the Cabinet Office.

For 2021-22, employer’s contributions of £487,372 were payable to the PCSPS (2020-21: £409,319) at 1 of 4 rates in the range 26.6% to 30.3% of pensionable earnings, based on salary bands. The scheme actuary reviews employer contributions, usually every 4 years following a full scheme valuation. The contribution rates are set to meet the cost of the benefits accruing during 2021-22 to be paid when the member retires and not the benefits paid during this period to existing pensioners.

Employees can opt to open a Partnership Pension Account, which is a stakeholder pension with an employer contribution. Employer contributions are age-related and range from 8% to 14.75% of pensionable earnings. Employers also match employee contributions up to 3% of pensionable earnings. No employees have opted for the Partnership Pension Account.

Off-payroll engagements

As part of the ‘Review of tax arrangements of public sector appointees’, published by the Chief Secretary to the Treasury on 23 May 2012, we are required to publish information about the number of off-payroll engagements that are in place where individual costs exceed £245 per day.

| For all off-payroll engagements as at 31 March 2022, for more than £245 per day: | Number |
|---|---|
| Number of existing engagements as at 31 March 2022 | |
| Of which, the number that have existed: | |
| for less than 1 year at time of reporting | |
| for between 1 and 2 years at the time of reporting | 129 |
| for between 2 and 3 years at the time of reporting | 36 |
| for between 3 and 4 years at the time of reporting | 9 |
| for 4 or more years at the time of reporting | 12 |


| For all off-payroll engagements between 1 April 2021 and 31 March 2022, for more than £245 per day: | Number |
|---|---|
| Number of temporary off-payroll workers engaged between 1 April 2021 and 31 March 2022 | |
| Of which, the number: | |
| not subject to off-payroll legislation | |
| subject to off-payroll legislation and determined as in-scope of IR35 | 758 |
| subject to off-payroll legislation and determined as out of scope of IR35 | - |
| Number of engagements reassessed for compliance or assurance purposes during the year | |
| Of which, the number of engagements that saw a change to IR35 status following the review | - |


| For all off-payroll engagements of board members and/or senior officials with significant financial responsibility between 1 April 2021 and 31 March 2022: | Number |
|---|---|
| Number of off-payroll engagements of Board member or senior officials with significant financial responsibility during the financial year | |
| Total number of individuals on-payroll and off-payroll that have been deemed ‘board members and/or senior officials with significant financial responsibility’ during the financial year | |



We are committed to maintaining in-house capacity, but it is recognised that, with a significant element of our activity being project-based and with peaks and troughs in requirements, making the best use of the temporary labour market is essential. Many of our programmes require specialist input on a temporary basis and it is not always cost-effective to permanently recruit such skills.

The total cost of temporary labour increased in the year to £96.5 million, compared to £46.7 million in 2020-21, as we brought in significant additional specialist resources to address the continued development and delivery of critical programmes relating to COVID-19, while still progressing with key projects as part of our digital transformation programme.

Equality, diversity and inclusion

Our 3 key strategic priorities for equality, diversity and inclusion guide our action plans and day-to-day interactions with our employees and have executive director-level accountability across the business.

These are to:

  1. Deliver appropriate learning and development to ensure that all NHS Digital staff develop a good level of equality and diversity awareness.
  2. Work towards having no difference in the employment outcomes for NHS Digital staff or potential recruits because of protected characteristics.
  3. Develop best practice in workforce equality and diversity by creating internal and external networks and supporting positive action initiatives.

We are striving to create a working environment that values difference and fosters an inclusive workplace culture. We want to build a culture in which employees from all backgrounds can give their best, are treated fairly, are valued for their contributions, and can progress in their careers. We regularly review our people management policies to reflect changes and support all colleagues to develop. We make sure that policies are inclusive for people with different protected equality characteristics, and we consult widely, including with the unions and the equality and diversity networks. Our recruitment policies can be found at Recruitment: your journey to a career with us.

The gender distribution in NHS Digital for each Agenda for Change (AfC) equivalent grade is provided below¹:

| Job roles | AfC equivalent grades | 2021-22 Male | 2021-22 Female | 2020-21 Male | 2020-21 Female |
| --- | --- | --- | --- | --- | --- |
| Directors | - | 6.0 | 3.0 | 8.6 | 3.0 |
| Senior managers | 9 | 61.5 | 26.5 | 59.4 | 23.2 |
| | 8d | 83.4 | 46.8 | 79.7 | 45.5 |
| Managers | 8c | 200.4 | 138.6 | 181.2 | 115.0 |
| | 8b | 334.4 | 184.3 | 304.8 | 157.7 |
| | 8a | 465.7 | 333.4 | 383.6 | 261.2 |
| Other staff | 7 | 425.3 | 306.0 | 351.4 | 258.0 |
| | 6 | 220.5 | 209.8 | 172.0 | 153.9 |
| | 5 | 159.8 | 247.9 | 148.8 | 176.9 |
| | 4 | 142.1 | 211.5 | 127.1 | 164.2 |
| | 3 | 9.0 | 17.6 | 7.0 | 1.0 |
| | 2 | 1.0 | 2.0 | 0.5 | - |
| | Net secondees | (0.4) | 8.9 | - | - |
| Total (full-time equivalent) | | 2,108.7 | 1,736.3 | 1,824.1 | 1,359.6 |

¹ We recognise that gender is complex and that not everyone identifies as either male or female. However, our Electronic Staff Record does not yet facilitate the collation of gender identity data and so we are currently unable to report on it.

There has been no significant change in the gender or grade split of our workforce in the year. 55% of staff are male (2020-21: 57%). The figures in the table above include both directly employed staff and contingent labour.

Fair pay

The fair pay tables are subject to audit.

Percentage change in total salary and bonuses for the highest paid director and the staff average as at 31 March 2022:


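| | 2021-22 Total salary and allowances | 2021-22 Bonus payments | 2020-21 Total salary and allowances | 2020-21 Bonus payments |
| --- | --- | --- | --- | --- |
| Staff average | 2.8% | -91.8% | 6.4% | 519.6% |
| Highest paid director | -7.6% | 0.0% | 20.7% | 0.0% |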


During 2020-21, we settled 2 years’ bonuses for staff employed under TUPE terms and conditions, and additionally we paid a bonus to staff supporting the frontline COVID-19 response in respect of their significant contribution above and beyond normal responsibilities. In 2021-22, there were no bonuses paid for COVID-19-related work, and the bonus for staff employed under TUPE terms and conditions reduced considerably as many had moved on to Agenda for Change terms and conditions or had left the organisation.

The highest paid director was a work package contractor, with his costs representing the day rate charged less non-recoverable VAT. During 2021-22, he worked fewer days than the previous year, which resulted in a fall in the equivalent annualised salary.

Ratio between the highest paid directors’ total remuneration and the lower, median and upper quartile for staff pay as at 31 March 2022:

| | Lower quartile | Median | Upper quartile |
| --- | --- | --- | --- |
| 2021-22 | 7.4 : 1 | 5.1 : 1 | 3.7 : 1 |
| 2020-21 | 7.8 : 1 | 5.7 : 1 | 4.1 : 1 |


The table shows the relationship between the remuneration of the highest paid director, and the lower, median and upper quartiles of the organisation’s workforce.

The banded remuneration of the highest paid director in 2021-22 was £242,500 (2020-21: £262,500). This was 5.1 times (2020-21: 5.7) the median remuneration of the workforce, which was £47,439 (2020-21: £46,351). The highest paid director was a work package contractor, with their costs representing the day rate charged less non-recoverable VAT; during 2021-22 they worked fewer days than the previous year, which resulted in a fall in the equivalent annualised salary. As a result of this decrease, and the 3% pay award for all Agenda for Change staff during 2021-22, the pay ratios between the highest paid director and the lower quartile, median and upper quartile for staff pay have all decreased in 2021-22.

Lower quartile, median and upper quartile for staff pay for salaries and total pay and benefits as at 31 March 2022:


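| | 2021-22 Lower quartile | 2020-21 Lower quartile | 2021-22 Median | 2020-21 Median | 2021-22 Upper quartile | 2020-21 Upper quartile |
| --- | --- | --- | --- | --- | --- | --- |
| Salary | 32,306 | 33,176 | 47,126 | 45,753 | 63,862 | 62,001 |
| Total pay and benefits | 32,821 | 33,656 | 47,439 | 46,351 | 65,977 | 64,072 |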


In 2021-22, 1 (2020-21: 0) employee received remuneration in excess of the highest paid director. Remuneration for the workforce ranged from £15,000-£20,000 (2020-21: £10,000-£15,000) to £245,000-£250,000 (2020-21: £260,000-£265,000).

Total remuneration includes salary and non-consolidated performance-related pay; there were no benefits-in-kind. It does not include severance payments, employer pension contributions and the cash equivalent transfer value of pensions.

Our gender pay gap for the reporting period to March 2022 was:

| Mean gender pay (hourly rate) | 2022 | 2021 |
| --- | --- | --- |
| Women | £29.06 | £28.08 |
| Men | £35.98 | £33.83 |
| Gap between the mean salaries of women and men | 19.2% | 17.0% |


| Median gender pay (hourly rate) | 2022 | 2021 |
| --- | --- | --- |
| Women | £26.44 | £26.49 |
| Men | £32.40 | £30.75 |
| Gap between the median salaries of women and men | 18.4% | 13.9% |


The data in the table above includes staff employed directly by NHS Digital on its payroll, as well as temporary staff and contractors. We continue to have a significant gender pay gap, slightly above the public sector median of 18.0% (based on Office for National Statistics provisional data for November 2021). The main factor contributing to this pay gap is men occupying more senior pay bands than women.

Workforce data

Our latest detailed workforce data for staff directly employed by NHS Digital as at 31 March 2021 was published in our 2021-22 Annual Inclusion Report earlier this year. The report also shows how our workforce demographics have changed over time. Our 2022-23 report is scheduled for publication in spring 2023.

We understand that diversity and inclusion are vital to the continued success and growth of the capabilities and outcomes that NHS Digital delivers. Valuing diversity and creating an inclusive environment allows us to build a workforce that better represents health and care staff and the communities we serve, which will enable us to develop and deliver better products and services, and ultimately enable improved healthcare outcomes.

As at 31 March 2022, we had a directly employed workforce of 3,026 people. Below are graphs showing the split of declared characteristics.

The graphs reflect the continued improvement in the diversity of the organisation, with 5.4% of our workforce identifying as having a disability (2021: 4.8%), 13.7% identifying as BAME (2021: 13.3%), and that gender composition was 51.6% male and 48.4% female (2021: male 55.3%; female 44.7%). Colleagues identifying as LGB+ represented 4.4% (2021: 3.9%) of our directly employed staff, and our colleagues have a wide range of religious beliefs.

Where ‘not shared’ appears in the above graphs, this includes unspecified, undecided and prefer not to answer.

Our networks

NHS Digital has 7 networks for our colleagues to join. We continue to listen, learn and understand perspectives from all of our colleagues, with the help of our staff networks, to ensure that we are improving equality, diversity and inclusion across the organisation and that colleagues feel supported and able to thrive.

2 years on from the peak of the Black Lives Matter movement, which brought race inequality into sharp focus across the globe, our EMBRACE (Ethnic Minorities Broadening Racial Awareness and Cultural Exchange) network continued to play an important role in our inclusion journey by raising the agenda of race and equality at NHS Digital. Working closely with HR and inclusion partners Pearn Kandola, the network showed colleagues how to be active bystanders and constructively challenge racist and non-inclusive behaviours. The network also supported colleagues from Black, Asian and minority ethnic backgrounds to progress their careers, fostering a relationship with Fujitsu to run peer-coaching sessions and launching their own Exchange Mentoring Scheme.

The Women’s Network has highlighted some key issues during the year. From sharing stories during Baby Loss Awareness Week, to introducing a ‘Menopause Café’ for people wanting to know more about the symptoms of peri-menopause, the network is encouraging an increased awareness among allies, men and leaders of the issues that can disproportionately impact women.

The LGBTQ+ and Allies Network also led a range of initiatives during the year. These included sharing the LGB Health Report from the Health Survey for England through NHS Virtual Pride; hosting a series of guest speaker events, including the National Advisor for LGBT Health at NHS England for Zero Discrimination Day; successfully supporting user research activities in the Cancer Screening Programme; and providing trans awareness training for colleagues, which led to working with the NHS Login delivery team to inform initial improvements to the user journey for trans people.

The Ability Network regularly provides advice on adjustments in the workplace. Simple yet effective measures they have encouraged during the year include the use of cameras being on during meetings for those hard of hearing to lip read, or to follow up meetings with a written summary.

Our merger with NHS England presents an exciting opportunity to share best practice, innovate together and push boundaries further to reach our shared inclusion goals. We know that, moving forward, our aims and actions will need to align and complement those of our new NHS England family, and we very much look forward to that collaboration. In doing so, we will not lose sight of the commitments we have made to make our organisation more inclusive and diverse. 

Trade union facility time

We work in partnership with trade union representatives on all matters affecting our employees to ensure an effective and successful organisation. Joint Negotiation and Consultation Committee meetings are held regularly to allow discussion, consultation and negotiation on employment-related matters.

Staff members are permitted time to engage in appropriate trade union activities.

Details are below:

| Union officials | Number |
| --- | --- |
| Number of employees who were recognised union officials during the relevant period | 17 |
| Full time equivalent (FTE) employee number | 2,661 |

| Percentage of time spent on facility time | Number of employees |
| --- | --- |
| 0% | - |
| 1-50% | 17 |
| 51-99% | - |
| 100% | - |

| Percentage of pay bill spent on facility time | Number |
| --- | --- |
| Total cost of facility time | £56,635 |
| Total pay bill (excluding termination costs) | £181,473,000 |
| Percentage of the total pay bill spent on facility time | 0.03% |

| Paid trade union activities | Percentage |
| --- | --- |
| Time spent on paid trades union activities as a percentage of total paid facility time hours | 3.8% |


The total spend on consultancy, as defined by HM Treasury guidance, was £311,427.

Staff turnover

Our staff turnover rate for 2021-22 was 10.29%, an increase from 8.2% the previous year. As we work towards the merger of NHS Digital with NHS England in early January, there continues to be significant management focus on regular and open communication with staff, maintaining morale and ensuring staff retention during the transition period.

Sickness absence

During 2021, 10,980 (2020: 10,843) working days were lost due to sickness absence. This represented 4.3 (2020: 4.3) working days per employee. These figures are based on calendar years, not financial years, and were centrally produced from the Electronic Staff Record. Average sickness absence for 2021 was 1.9% (2020: 1.9%).

Sickness absence data can be found on our website.

Community and social responsibility

We have a special leave policy that allows staff to take paid leave for public duties (for example, magistrate, school governor and reserve forces roles). We have also developed work experience and placement programmes for schools, colleges and universities near our offices.

We support the government’s objective of eradicating modern slavery and human trafficking. Our slavery and human trafficking statement is published on our website.

Health, safety and wellbeing

2021-22 has been another outstanding year in our health and safety journey, as we have continued to focus on our colleagues’ needs. While we continued to respond effectively to COVID-19, we also delivered an ambitious work plan, building upon the foundations delivered in the previous year.

Some of the key improvements this year include:
  • risk management: we focused heavily on assessing work-related risks across the organisation, in particular the activities and roles of colleagues within their directorates

  • building compliance and safety: to support building compliance and increase ownership at a facilities manager level, we implemented a building health and safety file for each of our premises, which enables all health and safety documentation to be held in one place and managed correctly

  • hybrid working: we developed hybrid working guidance and tools, including Health and Safety Awareness for hybrid working, the first in a series of health and safety e-learning training modules

  • health and safety induction: we built and implemented a health and safety induction package for new starters. This helped to support our National Disease Registration Service colleagues, who transferred into the organisation during the year from Public Health England, and who gave positive feedback on their health and safety experience

  • training: we purchased a creative platform tool that enables us to produce internal training and presentations. This resource helps us to bring our health and safety risks and training to life and deliver a superior level of training that focuses on the user experience. So far, we have used this to build bespoke bitesize electronic learning courses, which have received positive feedback from our colleagues and our staff networks

  • COVID-19: we have continued to respond to the COVID-19 pandemic by supporting colleagues wherever they work, ensuring our offices remain a safe environment

  • fire management: to support our new ways of working we have begun to roll out the TagEvac emergency evacuation system across our sites. The TagEvac system, alongside an updated approach to fire wardens, is recognised as good practice in fire evacuation. A new bitesize fire essentials training course was developed and rolled out across the organisation in March 2022

  • equality, diversity and inclusion: to help us deliver a fair and equal health and safety provision, equality, diversity, and inclusion are now permanent elements of our risk assessment template

Salaries and pensions of senior management

The remuneration and pension disclosures relating to board members and the Executive Management Team in post during 2021-22 and 2020-21 are detailed in the tables below and are subject to audit. The figures provided consist of basic pay, performance pay and pension benefits; there were no benefits in kind. They do not include employer pension contributions or the cash equivalent transfer value of pensions. 

Board directors

| Board director | Role | Appointment date | Until date | 2021-22 Salary (bands of £5,000) | 2021-22 Performance pay (bands of £5,000) | 2021-22 Pension benefits¹ (bands of £2,500) | 2021-22 Total (bands of £5,000) | 2021-22 Full-year equivalent salary (bands of £5,000) | 2020-21 Salary (bands of £5,000) | 2020-21 Performance pay (bands of £5,000) | 2020-21 Pension benefits (bands of £2,500) | 2020-21 Total (bands of £5,000) | 2020-21 Full-year equivalent salary (bands of £5,000) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Sarah Wilkinson | Chief Executive | | 18 Jun 21 | 45-50 | - | 12.5-15 | 60-65 | 190-195 | 195-200 | 5-10 | 45-47.5 | 250-255 | 195-200 |
| Simon Bolton | Interim Chief Executive Officer | 10 May 21 | | 175-180 | - | 40-42.5 | 215-220 | 195-200 | - | - | - | - | - |
| Pete Rose² | Deputy Chief Executive Officer, Managing Director | 4 May 20 | 1 Aug 21 | 60-65 | - | - | 60-65 | 170-175 | 155-160 | - | 35-37.5 | 190-195 | 170-175 |
| Carl Vincent | Chief Finance Officer | | | 140-145 | - | 35-37.5 | 175-180 | 140-145 | 140-145 | - | 35-37.5 | 175-180 | 140-145 |
| Jonathan Benger³ | Chief Medical Officer | | | 95-100 | - | 67.5-70 | 160-165 | 160-165 | 105-110 | - | 60-62.5 | 165-170 | 195-200 |

Senior managers

| Senior manager | Role | Appointment date | Until date | 2021-22 Salary (bands of £5,000) | 2021-22 Performance pay (bands of £5,000) | 2021-22 Pension benefits¹ (bands of £2,500) | 2021-22 Total (bands of £5,000) | 2021-22 Full-year equivalent salary (bands of £5,000) | 2020-21 Salary (bands of £5,000) | 2020-21 Performance pay (bands of £5,000) | 2020-21 Pension benefits (bands of £2,500) | 2020-21 Total (bands of £5,000) | 2020-21 Full-year equivalent salary (bands of £5,000) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Ben Davison⁴ | Executive Director, Product Development | 20 Jan 20 | 31 Aug 21 | 95-100 | - | - | 95-100 | 240-245 | 260-265 | - | - | 260-265 | 260-265 |
| Nic Fox | Chief Commercial Officer | | | 130-135 | 5-10 | 35-37.5 | 175-180 | 130-135 | 130-135 | 5-10 | 72.5-75 | 215-220 | 130-135 |
| Jackie Gray | Executive Director, Privacy, Transparency, Ethics and Legal | | | 155-160 | 0-5 | 35-37.5 | 195-200 | 155-160 | 150-155 | 5-10 | 32.5-35 | 195-200 | 150-155 |
| James Hawkins | Executive Director, Product Delivery | | | 130-135 | 5-10 | 37.5-40 | 175-180 | 130-135 | 125-130 | - | 37.5-40 | 165-170 | 125-130 |
| Julie Pinder | Chief People Officer | | | 125-130 | 0-5 | 27.5-30 | 155-160 | 125-130 | 125-130 | - | 27.5-30 | 155-160 | 125-130 |
| Jeremy Rashbass | Executive Director, Data Services | | 30 Jun 21 | 60-65 | - | - | 60-65 | 180-185 | 180-185 | 0-5 | - | 185-190 | 180-185 |
| Mark Reynolds⁵ | Chief Technology Officer | 26 Oct 20 | | 175-180 | - | - | 175-180 | 200-205 | 90-95 | - | - | 90-95 | 210-215 |
| Stephen Koch⁶ | Executive Director, Platforms | 18 Jan 21 | | 210-215 | - | - | 210-215 | 210-215 | 45-50 | - | - | 45-50 | 200-205 |
| Fran Woodard⁷ | Executive Director, Data Services | 6 May 21 | | 130-135 | 0-5 | 117.5-120 | 250-255 | 145-150 | - | - | - | - | - |
| John Quinn | Executive Director, IT Operations | 1 Feb 22 | | 20-25 | - | 5-7.5 | 25-30 | 145-150 | - | - | - | - | - |
| Matt Bacon | Director of Communications | 26 Aug 21 | | 60-65 | 0-5 | 15-17.5 | 80-85 | 105-110 | - | - | - | - | - |
| Leila Shepherd | Director of Strategy | 26 Aug 21 | | 75-80 | 5-10 | 2.5-5 | 85-90 | 130-135 | - | - | - | - | - |
| Neil Bennett | Chief Information Security Officer | 2 Sep 21 | 16 Jan 22 | 40-45 | 0-5 | 17.5-20 | 60-65 | 110-115 | - | - | - | - | - |
| Mark Logsdon⁸ | Chief Information Security Officer | 4 Jan 22 | | 40-45 | - | - | 40-45 | 215-220 | - | - | - | - | - |
| Thomas Denwood | Executive Director, Data Services | | 18 Oct 20 | - | - | - | - | - | 70-75 | - | 12.5-15 | 85-90 | 130-135 |


¹ All benefits in year from participating in pension schemes but excluding employee contributions. These are the aggregate amounts, calculated using the method set out in Section 229 of the Finance Act 2004 (i) and using the indices directed by the Department of Health. See Disclosure of senior managers’ remuneration (Greenbury) 2022.

² Pete Rose died on 1 August 2021. Any accrued pension benefit was paid as a lump sum to his estate after his death.

³ Jonathan Benger is seconded from University Hospitals Bristol and Weston NHS Foundation Trust. The costs relate to charges net of employer national insurance and pension charges.

⁴ Ben Davison was a work package contractor with his costs representing the day rate charged less non-recoverable VAT. He was paid for the number of actual days worked and did not receive any payments in respect of pension contributions or annual leave.

⁵ Mark Reynolds was a contractor and his salary was calculated based on the day rate he received from the recruitment agency less non-recoverable VAT.

⁶ Stephen Koch was a contractor from 1 April 2021 to 28 February 2022, when his contract changed to on-payroll. His full-year salary has been calculated based on the day rate he received from the recruitment agency less non-recoverable VAT for 11 months, plus the on-payroll salary for March 2022. His FTE salary as an employee only is £160-165k.

⁷ Fran Woodard was promoted to EMT during the reporting year. She has worked within the NHS for many years as both a clinician and as a senior manager in numerous roles, before moving to NHS Digital to influence the use and power of health and social care data.

⁸ Mark Logsdon was a contractor and his salary was calculated based on the day rate he received from the recruitment agency less non-recoverable VAT.

The remuneration information includes both those executive officers who are NHS Digital board members, and those who are members of the Executive Management Team.

Non-executive director remuneration

| Non-executive directors | Position | Appointment date | Until date | 2021-22 Salary (bands of £5,000) | 2021-22 Total emoluments (bands of £5,000) | 2021-22 Full-year equivalent salary (bands of £5,000) | 2020-21 Salary (bands of £5,000) | 2020-21 Total emoluments (bands of £5,000) | 2020-21 Full-year equivalent (bands of £5,000) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Laura Wade-Gery | Chair | 1-Sep-20 | | 60-65 | 60-65 | 60-65 | 35-40 | 35-40 | 60-65 |
| Daniel Benton | Non-executive director | | | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 |
| Mark Balabanovic | Non-executive director | | 31-Dec-21 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 |
| Soraya Dhillon | Non-executive director | | 31-Dec-21 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 |
| Sudhesh Kumar | Non-executive director | | | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 |
| John Noble | Non-executive director | | | 10-15 | 10-15 | 10-15 | 10-15 | 10-15 | 10-15 |
| Deborah Oakley | Non-executive director | | | 10-15 | 10-15 | 10-15 | 10-15 | 10-15 | 10-15 |
| Balram Veliath | Non-executive director | | | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 | 5-10 |
| Steven Woodford | Non-executive director | 1-Apr-21 | | 5-10 | 5-10 | 5-10 | - | - | - |
| Ben Goldacre | Non-executive director | 1-Apr-21 | | 5-10 | 5-10 | 5-10 | - | - | - |
| Patrick Eltridge | Non-executive director | 1-Apr-21 | | 5-10 | 5-10 | 5-10 | - | - | - |
| Noel Gordon | Chair | | 31-Aug-20 | - | - | - | 25-30 | 25-30 | 60-65 |
| Rob Tinlin | Non-executive director | | 31-Dec-20 | - | - | - | 5-10 | 5-10 | 5-10 |


No performance pay, benefits in kind or pension-related benefits were paid.

The emoluments of the Chair and the non-executive directors do not include employer national insurance contributions. The total included in note 5 of the accounts does include such contributions.

Remuneration policy

The pay of the executive board directors is set by the People and Transition Committee based on the recommendations of the Senior Salaries Review Board and is reviewed annually. NHS Digital operates the NHS Executive and Senior Manager (ESM) pay framework with the approval, where necessary, of the Department of Health and Social Care Remuneration Committee. This includes a job evaluation scheme, administered by the NHS Business Services Authority, and provision for a maximum 5% bonus for the top performers within the ESM group. The scheme also provides an annual pay award as a flat-rate payment based on 1% of the average ESM salary and an additional discretionary ring-fenced 1% pot to address any significant pay progression issues or anomalies.

The standard remuneration arrangements for NHS Digital are those provided under the national NHS Agenda for Change (AfC) terms and conditions of employment. This includes a job-evaluation scheme that has been tested and demonstrated to be equality-proofed.

Executive directors were normally employed on permanent employment contracts with a 6-month notice period and work for NHS Digital full-time. However, Leila Shepherd was part-time, and Professor Jonathan Benger is seconded from University Hospitals Bristol NHS Foundation Trust on a part-time basis. If contracts are terminated for reasons other than misconduct, they come under the terms of the NHS compensation schemes.

Pension benefits

Pension benefits were provided through the NHS Pension Scheme.

| Name | Accrued benefits: Real increase in pension (bands of £2,500) | Accrued benefits: Real increase in pension lump sum (bands of £2,500) | Accrued benefits: Total accrued pension at 31 March 2022 (bands of £5,000) | Accrued benefits: Lump sum related to accrued pension at 31 March 2022 (bands of £5,000) | Cash Equivalent Transfer Value at 31 March 2022 | Cash Equivalent Transfer Value at 31 March 2021 | Real increase in Cash Equivalent Transfer Value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Sarah Wilkinson¹ | 0-2.5 | - | 15-20 | - | 230 | 168 | 55 |
| Simon Bolton¹ | 2.5-5 | - | 0-5 | - | 45 | - | 19 |
| Pete Rose² | - | - | - | - | - | 39 | - |
| Carl Vincent¹ | 2.5-5 | - | 15-20 | - | 253 | 209 | 24 |
| Jonathan Benger | 2.5-5 | 5-7.5 | 85-90 | 185-190 | 1,561 | 1,568 | - |
| Nic Fox | 2.5-5 | 0-2.5 | 35-40 | 65-70 | 560 | 514 | 24 |
| Jackie Gray¹ | 2.5-5 | - | 5-10 | - | 111 | 74 | 14 |
| James Hawkins | 2.5-5 | 0-2.5 | 30-35 | 45-50 | 552 | 498 | 31 |
| Julie Pinder¹ | 0-2.5 | - | 5-10 | - | 100 | 69 | 13 |
| Fran Woodard | 5-7.5 | 10-12.5 | 65-70 | 145-150 | 1,327 | 1,163 | 124 |
| John Quinn¹ | 0-2.5 | - | 0-5 | - | 6 | - | 2 |
| Matt Bacon¹ | 0-2.5 | - | 5-10 | - | 73 | 44 | 9 |
| Leila Shepherd¹ | 0-2.5 | - | 0-5 | - | 34 | 2 | 8 |
| Neil Bennett¹ | 0-2.5 | - | 30-35 | 40-45 | 451 | 402 | 11 |

1 No lump sum is disclosed as there is no set minimum lump sum within the 2008 or 2015 sections of the NHS Pension Scheme.

2 Pete Rose died on 1 August 2021. His pension paid out a lump sum to his estate following his death in service.

A CETV is the actuarially assessed capitalised value of the pension scheme benefits accrued by a member at a particular point in time. The benefits valued are the member’s accrued benefits and any contingent spouse’s pension payable from the scheme. A CETV is a payment made by a pension scheme or arrangement to secure pension benefits in another pension scheme or arrangement when the member leaves a scheme and chooses to transfer the benefits accrued in their former pension scheme.

The pension figures shown relate to the benefits that the individual has accrued as a consequence of their total membership of the pension scheme, not just their service in a senior capacity to which disclosure applies.

The CETV figure and other pension details include the value of any pension benefit in another scheme or arrangement that the individual transferred to the NHS Pension scheme. They also include any additional pension benefit accrued to the member as a result of them purchasing additional years of pension service in the scheme at their own cost. CETVs are calculated within the guidelines and framework prescribed by the Institute and Faculty of Actuaries.

The real increase in CETV reflects the increase effectively funded by the employer. It excludes the increase in accrued pension due to inflation and contributions made by the employee (including the value of any benefits transferred from another pension scheme or arrangements), and uses common market valuation factors for the start and end of the period.

Annual governance statement

NHS Digital is accountable directly to Parliament for the delivery of the statutory functions described within the Health and Social Care Act 2012 and the Care Act 2014. For more information about our responsibilities and areas of work, see our role and organisation, and our Performance report (chapters 2-9).

The Senior Departmental Sponsor for the Department of Health and Social Care is responsible for ensuring our procedures operate effectively, efficiently and in the interest of the public and the health sector.

Governance framework

Details of our constitution, our operational accountability, our Board and its appointed committees are provided in the Corporate Governance Report. Information about the conduct of the Board and the roles and responsibilities of members are set out in our Corporate Governance Manual, which incorporates the Standing Orders, Standing Financial Instructions, Scheme of Delegation, and Committee Terms of Reference. The Corporate Governance Manual is reviewed and updated annually. We comply with the best practice described in the corporate governance code for central government departments issued by HM Treasury. Corporate policies are regularly reviewed and, where it is appropriate to do so, compliance and awareness levels are monitored.

Governance and assurance across the health and social care sector

We all have an interest in good governance, both within NHS Digital and with other bodies, including NHS England, as part of the system-wide oversight of national informatics expenditure.

We are the main informatics delivery organisation for the national informatics portfolio and contribute to, and are held operationally accountable by, the Delivery Oversight and Assurance Board (DOAB). Our Chief Financial Officer is a member of the DOAB and our Director of Assurance and Risk Management attends regularly, along with other members of our Executive Management Team (EMT) where required to discuss specific areas of delivery. A significant number of our EMT and senior managers work closely with colleagues from NHS England and other bodies to develop future plans.

In 2020-21, additional governance arrangements were put in place to oversee delivery as part of the government’s response to the COVID-19 pandemic, both within NHS Digital and across the wider system. These arrangements continued in 2021-22 to manage the ongoing uncertainty and changing requirements, as well as the need to mobilise and co-ordinate delivery at pace.

Merger with NHS England

On 22 November 2021, the Wade-Gery review entitled ‘Putting data, digital and tech at the heart of transforming the NHS’ was published, and recommended the merger of NHS Digital and NHS England. Since the announcement, while progressing work to deliver the merger of our organisation, we have been working on risk management, as well as assurance and governance, to ensure that the merger does not impact on the services that we provide to patients and the NHS.

Risk and assurance framework

We have reviewed our corporate risk management framework and methodology during 2021-22 to improve risk data quality and risk management behaviours. Key actions during the year were:

  • refreshing our risk management policy
  • redefining the significant operational risks and issues
  • reviewing our short- and long-term risk environment, and evaluating our overall level of risk relative to our risk appetite
  • updating our risk-management training approach and supporting materials
  • implementing directorate level and other operational risk dashboards to improve the quality, reliability and accessibility of risk information
  • developing the integration between risk management and our assurance frameworks

Risks and assurance items are reported regularly and escalated through our internal governance structure. The significant operational risks and issues, and details of mitigation plans, are reviewed monthly by the EMT, reported to the Audit and Risk Committee (ARC), as well as to the Board at each meeting. Following the announcement of the merger of NHS Digital, Health Education England and NHSE to create a new NHS England, we have begun to evaluate the risks associated with the transition to the new organisation. We are tracking both the risks associated with the delivery of our objectives and the risks associated with the merger.

As part of the COVID-19 ongoing response, we accepted that our overall risk position increased during 2020-21 as a result of the operational necessities of the crisis. The management of COVID-19 response is now regularised as part of our wider risk management approach, and overall, during 2021-22 our risk position has improved, as we have seen a reduction in the level of risk we are carrying.

During 2021-22, we further embedded the directorate assurance frameworks across NHS Digital and put in place a 6-monthly review process. All directorates completed a 2021-22 year-end review and an assurance statement. Actions to raise levels of assurance were captured and monitored with progress reports shared with the EMT and the ARC.

In 2021-2022, we also developed a Corporate Assurance Framework (CAF). This document maps the assurance in place for 11 of NHS Digital’s highest scoring, long-term risks. All risks on the CAF have been assessed to have high levels of overall assurance and therefore sufficient assurance is in place.

Our assurance work has allowed us to strengthen the view of our key controls and existing sources of assurance on key processes, programmes and risks. The directorate assurance frameworks and the CAF are updated and refreshed at least every 6 months.

Performance management

Our performance management framework links closely to risk management. It includes periodic reporting at differing levels of granularity in performance packs to the DOAB, the Board, the EMT and other internal business units.

This performance reporting covers:

  • financial and non-financial information, key risks and issues, and an assessment of delivery against strategic commitments
  • business plan delivery at corporate level
  • other work, such as delivery of specific programmes and organisational development and transformation

Our performance framework and individual performance indicators are kept under regular review to ensure they remain meaningful and effective and support open and transparent governance. With the exception of a limited number of confidential indicators, all elements of the performance framework are reported to public meetings of the Board and most of the information is available on our Board meeting minutes and papers webpage. Our performance measures are consistently reviewed to ensure they remain relevant and clearly illustrate how we are performing against our goals and objectives.

Internal audit and other third-party assurance

Our internal audit service is provided by the Government Internal Audit Agency (GIAA). Acting independently, it focuses audit activity on key risk areas and chooses additional areas based on interviews with the EMT and its knowledge and experience of our business. The internal audit service operates in accordance with the Public Sector Internal Audit Standards and to an annual internal audit plan approved by the ARC.

Regular reports are submitted to the ARC on the effectiveness of our systems of internal control and the management of key business risks, with recommendations for improvement.

During 2021-22, our internal audit plan originally included 16 internal audits. This was reduced to 15 due to the deferment of the Temporary Staff Controls audit which is due to be undertaken later in 2022-23.

2 internal audits produced a ‘substantial’ assurance rating, 7 produced a ‘moderate’ assurance rating, and 3 produced a ‘limited’ rating. The remaining 3 are at draft report stage. The ‘limited’ audits are outlined below:

1. Whistleblowing arrangements

NHS Digital’s whistleblowing policy was reviewed and assessed against the National Audit Office criteria and it was discovered that the policy was poor for addressing concerns and providing feedback. Although there was no definitive evidence that concerns were not being reported, the lack of detail within the current policy and the absence of supporting guidance could adversely affect employees’ understanding of the whistleblowing processes. The policy was overhauled during the year to address these concerns and ensure a more robust process.

2. Commissioning process

A lack of compliance was identified with the centralised process that governs how commissions are managed, along with the lack of a single ‘front door’. This meant that there was inadequate visibility of the new works and commissions received by NHS Digital, leading to a potential misunderstanding of the availability and capacity of resources. There was no regular review of the whole book of work by a clearly defined governance committee with the responsibility of making decisions on the sequencing or decommissioning of programmes. This raised the risk that the lack of capacity and/or capability and insufficient detail in the commission was not identified in a timely manner.

3. Legacy systems (technical debt)

The review identified that, despite the progress the current actions had led to, there was still no defined approach to how the framework should be operating and consistently delivered. This left the framework vulnerable to priority changes in the future should business objectives and risk appetite change. An action plan was agreed and all 3 recommendations were completed by March 2022. 

The Head of Internal Audit gave an overall assurance rating of moderate and noted that this reflected the fact that, despite the inevitable impact of the pandemic on NHS Digital’s staff working arrangements and key deliverables, alongside the merger announcement in November 2021, the organisation had continued to operate in a relatively stable and controlled environment.

In addition to our internal audit service, we receive other third-party assurances, including:

  • ISAE 3402 assurance reports covering our out-sourced payroll and financial services provided by NHS Shared Business Services (SBS)

The report for financial services was qualified due to the control on the annual inspection of fire alert and water detection systems and the testing of the generator. SBS advised the fire and water detection system was properly booked and scheduled but cancelled due to the engineer contracting COVID-19, with a re-scheduled date outside of the control window. The generator was scheduled for testing in quarter 4, having been tested on a quarterly basis. However, due to the pandemic and resourcing issues, the test was postponed until a date outside of the control window. Both areas were deemed to be low risk to client data and systems. The report for payroll services was qualified due to several incidents. Reasons for areas receiving a qualified rating included failing to provide evidence of checks, them being made after the event, or not undertaken in a timely manner. This includes where additional reviews were required on differences or tolerances being breached. Some of the issues arose following a recent recruitment drive and during the busy time of applying the national pay award to all staff across their client base. No financial losses were incurred. SBS is improving its education processes and looking to increase the automation of some additional checks for improved assurance.

  • We provide annual assurance on our GP Payments system to our stakeholders. The ISAE 3000 report gave a qualified assurance due to an instance where 2 leavers did not have their access removed in a timely manner from the GP Data Collection (GPDC) application. This has since been actioned and access has been removed. It was also considered there was not appropriate segregation of duties between the production and the development environments of the GPDC application. Subsequently, a control to monitor the audit log is being established.

External audit

We have worked closely with the National Audit Office, which attends and contributes to all the ARC meetings. The external audit work sits outside of our normal governance arrangements but informs the development of our governance and risk processes as well as our financial and other controls. The work of external audit is monitored by the ARC through regular progress reports. During 2021-22, we engaged early with the National Audit Office on key issues, particularly in relation to the accounting treatment of the major systems delivered in response to COVID-19 and their continued improvements during the reporting year.

Preventing fraud, bribery and corruption

Public bodies and the NHS continue to be major targets for fraud. The pandemic has accelerated the digitisation of data and technology services, which have been key targets for fraudsters using traditional and cyber-enabled methods as well as exploiting business logic to commit cyber crimes.

In 2021-22, there was a rise in NHS branded scams and spoof websites to steal user credentials. We are working with the Data Security Centre and public sector partners, such as the NHS Counter Fraud Authority and the National Cyber Security Centre, to identify and mitigate cyber-enabled fraud risks for NHS Digital and the wider health and care system.

There were also increased instances of ‘dual-working’, where staff and contractors may have held full-time contracts with 2 employers at the same time. This was exacerbated by the pandemic and the move to homeworking, as there was reduced direct management oversight, which could be exploited by opportunistic fraudsters. To mitigate this, we reviewed and strengthened controls with key stakeholders and suppliers. In addition, we shared the mitigation steps taken at NHS Digital with government partners and worked collaboratively to implement controls and raise awareness across the public sector.

In order to mitigate the risk of fraud, bribery and corruption to NHS Digital we have the following control measures in place:

  • a counter fraud, bribery and corruption strategy aligned to the government functional standard for counter fraud to continuously improve our approach in identifying and preventing the risk of fraud
  • a counter fraud, bribery and corruption policy that is required to be read and accepted by all staff. The policy and our management statement on fraud, bribery and corruption are available on our website
  • a fraud risk framework, and working with internal and external stakeholders to mitigate risks and implement robust controls
  • a quarterly working group, chaired by the Finance Director, with both internal and external stakeholders
  • proactive exercises using data analytics to detect and prevent fraud, including participation in national exercises, such as the biennial National Fraud Initiative
  • an internal counter fraud team to investigate allegations of fraud and to always seek the appropriate disciplinary, regulatory, civil and criminal sanctions against fraudsters and, where possible, recover our losses
  • collaborative working with external stakeholders including the Department of Health and Social Care Anti-Fraud Unit, the NHS Counter Fraud Authority, and the Cabinet Office to share intelligence, insight and best practice


We continue to work with Protect, the UK’s leading whistleblowing charity, to enhance our ability to support staff through improved guidance, policy and awareness training. We encourage staff to openly raise concerns through a number of channels. Following the limited assurance received from the internal audit, our policy was overhauled and made more robust.

There were 8 whistleblowing cases during 2021-22 which were all subsequently resolved.

Freedom to Speak Up

In 2021-22 we appointed 5 Freedom to Speak Up guardians and established an independent and confidential reporting service as part of our ‘Safe to Challenge’ initiative. The guardian role is one of independence, impartiality and objectivity, contributing to the Freedom to Speak Up network to comply with National Guardian’s Office guidance, and providing peer-to-peer support and learning. 

Whistleblowing and Freedom to Speak Up both have nominated board-level officers to assure these arrangements.

Impact of COVID-19

We continued to deliver on all commitments, including those developed to respond to the COVID-19 pandemic which changed rapidly during the year – with national lockdown restrictions still in place at the start of the reporting year alongside the national COVID-19 vaccination programme, lockdown easing over the summer, the surge of the Omicron variant in winter, and the ‘Living with COVID-19’ strategy announced in February 2022.

The risks in ensuring capacity within the National Coronavirus Testing System during the Omicron surge were managed with the dedication of our colleagues. They worked diligently to mitigate the risks of the high volume of lateral flow test results that needed processing, enabling many people to safely spend time with their families over the Christmas period.

Wellbeing check-ins with colleagues continued during the year, and our offices continued to be ‘COVID-19 secure’ and available for those that needed them. We also worked to ensure that colleagues received help with working safely and effectively during the pandemic, including support on working safely and effectively from home. These initiatives were delivered through the Organisational Wellbeing workstream, which was jointly led by the Chief Commercial Officer and Chief People Officer.

Data and cyber security

Cyber security is a significant and ongoing risk to operations, patient care and patient safety. With increasing use and reliance on digital data and technology, our Data Security Centre continued to work rapidly to support organisations to reduce their risk and increase their protection against cyber risks in close partnership with the National Chief Information Security Officer, NHS England Transformation Directorate and the National Cyber Security Centre. As a result, health and care organisations are better protected, including through effective use of threat intelligence, continuous scanning and monitoring of the NHS estate in England, and additional cyber support across the health sector.

We continued to deliver technical remediation for the most vulnerable trusts, and were able to offer a range of security services, such as vulnerability scanning, immediate fixes for major cyber security flaws and additional integration of data and threat feeds into the National Cyber Security Centre to counter increased ransomware and COVID-19 phishing efforts.

Alongside our health and care system-wide responsibility and growing range of managed cyber security services, we provided consultancy and assurance for a number of Department of Health and Social Care Group Critical National Infrastructure (CNI) systems, and protective monitoring for NHS Digital CNI systems. We have also strengthened our internal security approach and culture to support this.

The risks to the health and care system from cyber attacks continue to grow and evolve. We will continue to respond to these risks by providing guidance, assessments and support to help organisations understand and manage their cyber risks. We are also currently scoping new programmes of work, aligned to the National Government Cyber Strategy, which are expected to deliver further enhancements to cyber defences across NHS Digital and the wider health and care sector in the future.

Data governance

A wide-ranging legal, regulatory and compliance framework governs our receipt, processing and dissemination of data and information and our production of statistics. We are responsible for ensuring that health and social care data and information is collected, stored and disseminated appropriately.

We continued to improve controls and protocols for secondary uses of NHS data through the Data Access Request Service (DARS) in consultation with the Independent Group Advising on the Release of Data (IGARD). For General Practice Extraction Service (GPES) data requests for pandemic planning and research, we ensured an additional layer of clinical scrutiny by representatives of the British Medical Association and the Royal College of General Practitioners through the Profession Advisory Group.

On 1 October 2021, responsibility for the National Disease Registration Service (NDRS) transferred from Public Health England (PHE) to NHS Digital. Following the transfer, requests for access to data held by the NDRS continued to be assessed on a case-by-case basis by the Office for Data Release (ODR), which until 30 September 2021 had been part of PHE, and from 1 October 2021 became part of the UK Health Security Agency.

Before any data is shared, we ensure that:

  • a legal basis for accessing the data exists
  • the customer has an appropriate level of security to safeguard the data
  • the customer passes our assessment process
  • dissemination is covered by a signed data-sharing agreement and a data-sharing framework contract

Particularly sensitive releases follow a full governance and approval process, and we seek independent advice from IGARD when appropriate.

We publish details of our data sharing agreements through our Data Uses Register. We improved this in 2021-22 by providing a new interactive tool that makes it easier to see which organisations access data, the purposes for which they are permitted to use it, and the expected benefits.

To ensure that organisations meet the terms of their data sharing agreement and framework contract, we undertake data sharing audits. During 2021-22, we conducted audits of 19 organisations and recorded observations about their processes, procedures and nonconformities with NHS Digital requirements. The outcomes of audits and post-audit reviews are published on our website.

Privacy, transparency, ethics and legal

The Privacy, Transparency, Ethics and Legal directorate is comprised of the Data Protection Officer team, the Information Governance Delivery team, the Information Law team, the Commercial Legal team and the COVID-19 Public Inquiry Response team.

Personal data breaches and audits

The Data Protection Officer (DPO) and their team provide oversight of NHS Digital’s compliance with data protection law, advise on data protection matters and personal data breaches, and have a central role in setting the overall strategy for data protection compliance.

There were 52 personal data breaches, as defined in the UK General Data Protection Regulation (UK GDPR), reported to the DPO in 2021-22. There were 8 personal data breaches reported to the Information Commissioner’s Office.

The DPO audit function carried out 9 audits in the year as part of the DPO’s statutory role in monitoring compliance with UK GDPR, the Data Protection Act 2018, and our own data protection policies. Where improvements were needed, they were captured as audit actions, with progress and completion monitored and reported on through corporate risk and assurance processes.

NHS Digital’s Data Security and Protection Toolkit (DSPT) 2020-21 assessment was successfully submitted as ‘standard met’ by the end of June 2021 deadline, achieving 88 mandatory and 20 non-mandatory requirements. The Government Internal Audit Agency assessed NHS Digital against a mandatory assessment framework and tested the approach used to ensure a robust self-assessment is undertaken. The outcome was a ‘substantial’ (green) rating, finding the framework of governance, risk management and control adequate and effective.

The GIAA also undertook an audit of the NHS Digital DPO function in 2021-22 which also received a ‘substantial’ (green) rating, indicating that the framework of governance, risk management and control around the DPO function was adequate and effective.

The records management function undertook an ISO 9001:2015 Quality Management System routine external audit in August 2021 and was successful in maintaining certification for this period.

Freedom of information requests

The Information Governance Delivery team provides information governance services across NHS Digital, including information governance advice and support on the operation of national data and IT products, services and programmes, strategic records management advice, secretariat support for the Independent Group Advising on Release of Data (IGARD), an internal information governance helpline service and a freedom of information (FOI) and data subject access request (DSAR) response team.

1,867 FOI requests were received in 2021-22 – a 0.8% increase on the previous financial year. In recent years, we have started to receive an increasing volume of FOI requests for information held on the 1939 register from commercial genealogists. The 1939 register holds a snapshot of information on the population of England and Wales from just before the Second World War. A digital version of the register is available through National Archive partner organisations, but the original manual register records are still held by NHS Digital.

In 2021, the number of requests from some of these organisations for information held in these manual records became exceptionally high, creating a disproportionate and excessive burden on the National Back Office and FOI teams. A number of these requests were therefore refused under the terms of the Freedom of Information Act 2000. We provided advice and assistance to the relevant requesters about how to reduce the breadth and volume of their requests to reduce the burden on resources, and have seen a significant drop in the number of such requests since. We continue to assess the need for NHS Digital to retain the 1939 register manual records.

The average annual rate of compliance with the statutory timescales for responding to FOI requests remains high at 99.2%. 22 internal reviews were carried out and 4 complaints were made to the Information Commissioner’s Office (ICO), 2 of which remain open. The closed cases were resolved informally with no action required by NHS Digital.

Data subject access requests under UK GDPR

804 data subject access requests (DSARs) for access to personal data under UK GDPR were received. 99.6% of DSARs were responded to within the statutory timescales for compliance. 1 internal review was carried out during the year and no complaints were made to the ICO.

10 audits were commissioned internally by the Data Protection Officer as part of their statutory role in monitoring our compliance with GDPR.

COVID-19 Public Inquiry preparations

NHS Digital has been taking steps to prepare for the COVID-19 Public Inquiry through the establishment of a COVID-19 Public Inquiry Response team. The team is responsible for ensuring NHS Digital prepares appropriately, identifies and retains relevant records, and manages and responds to requests from the inquiry for information and evidence to support its work.

The Government Internal Audit Agency (GIAA) undertook an advisory review of our preparations in February 2022 as part of high-level assurance for the Department of Health and Social Care of initial preparations for the inquiry by all its arm’s-length bodies. GIAA concluded that we had made reasonable progress in preparing for the commencement of the inquiry. The review made a number of suggestions to help further shape our preparations. To address these suggestions, our COVID-19 Public Inquiry Response team formulated an action plan which will be subject to a progress review and further recommendations by an internal team of auditors.

Business continuity

NHS Digital manages a range of essential IT systems on behalf of the NHS. It is critical that these systems operate in an efficient manner and that we can support the NHS in the event of threats to them. We maintain a business continuity management system that is aligned to the requirements of ISO 22301 and related standards. This provides:

  • a corporate incident management framework and supporting processes
  • business continuity plans covering all NHS Digital activities
  • a range of IT service continuity and disaster recovery plans for services managed in-house or by external suppliers
  • arrangements to support the management of NHS Digital facility-related health and safety incidents
  • supply chain continuity management - we confirm that critical suppliers and other delivery partners have suitable business continuity arrangements in place to protect delivery of services to NHS Digital and its customers

Our staff provide subject matter expertise in line with relevant industry standards and best practice across government. During 2021-22, NHS Digital showed its organisational resilience and its ability to continue to deliver, despite the challenges of the pandemic.

Clinical governance

Our digital programmes, services and data are central to the health and care of patients and citizens. Our clinicians remain absolutely integral to the development and delivery of the digital services that have supported the country’s ongoing response to COVID-19, ensuring they are clinically safe, and that all associated clinical risks are understood and managed appropriately. We have also contributed clinical informatics expertise to the development and delivery of a wide range of products and services that underpin the day-to-day work of the health and care system, alongside new programmes of recovery and transformation.

Having an effective clinical governance framework is key to this assurance, since it provides clear oversight and accountability alongside a system of learning, professional development and continuous quality improvement in our programmes and services. This was independently assessed by the Government Internal Audit Agency this year, receiving a rarely awarded ‘substantial’ (green) rating. We have also expanded and developed the clinical team to enhance its profile, effectiveness and impact across the organisation.

Chief Executive's review of effectiveness

As Accounting Officer, I have responsibility for the system of internal controls supporting and enabling the achievement of NHS Digital’s aims and objectives, while safeguarding the public funds and assets for which I am personally responsible in accordance with ‘Managing Public Money’ and as set out in my Accounting Officer appointment letter. In particular, I am responsible for ensuring that expenditure does not exceed the annual budget allocated. I have undertaken this responsibility by seeking a range of assurances.

In 2021-22, I was primarily informed by:

  • a full Governance review briefing document from my predecessor, with the handover being effective from 4 June 2021
  • my attendance at NHS Digital’s Audit and Risk Committee, its minutes, papers and annual report to the Board
  • the work of the National Audit Office
  • the work of internal audit, which has completed an agreed, comprehensive range of assessments - the head of internal audit gave ‘moderate’ ratings to the overall arrangements for assurance and to the controls reviewed
  • monitoring regularly reviewed audit actions
  • the assurance framework, which outlines key processes, risks and programmes and the controls and assurance mechanisms administered by the organisation - this is mapped to the three-line model and has been used to drive management action
  • clear performance management arrangements for executive directors and senior managers
  • the system of internal control provided by the Board, Information Assurance and Cyber Security Committee and Audit and Risk Committee

I am accordingly aware of any significant issues that have been raised.

Significant challenges

As with the previous year, 2021-22 has been dominated by COVID-19. The scale and volume of delivery and the amount of change required to support the health and social care sector during this period continued to be unprecedented. In February 2022, the Prime Minister announced to Parliament the ‘Living with COVID-19’ strategy, which has led to its own set of challenges. Additionally, on 22 November 2021, it was announced that NHS Digital would merge with NHS England as part of the Wade-Gery review. We met these challenges, and I am confident that we maintained good standards of governance, assurance and control.

Significant challenges we have dealt with in the year include:

1. Merger with NHS England

In November 2021, the Secretary of State for Health and Social Care announced plans to merge NHS Digital (and NHSX and Health Education England) with NHS England, following the recommendations of Laura Wade-Gery, non-executive director at NHS England and Chair of NHS Digital, in the independent report ‘Putting data, digital and tech at the heart of transforming the NHS’.

Since the announcement, NHS Digital has been planning for the merger, working closely with the NHS England Transformation Directorate on both in-year delivery priorities and designing the future operating model for digital, data and technology. Significant management focus has been on staff morale and retention during the transition period.

Following the passage of the Health and Care Bill into law in April 2022, secondary legislation can now be developed to enable the legal merger of NHS Digital with NHS England, planned for early January 2023. This will need to consider how all of the functions performed by NHS Digital will transfer to NHS England, including those in relation to data safe haven provisions.

2. Turnover in senior leadership

The last year has been challenging for NHS Digital as there has been a disproportionately high number of changes in the Executive Management Team (EMT), including changes in post, retirement and death in service.

In order to address these challenges, we considered the make-up and experience across the team, invited existing colleagues to the EMT for their wisdom and counsel where knowledge gaps were identified, promoted internally to replace a retiree, and back-filled until permanent on-payroll replacements could be found in order to maintain leadership and stability.

Further information relating to changes in the EMT can be located in the Remuneration Report.

3. Ongoing COVID-19 response

3.a Scaling up COVID-19 testing and vaccination services

As new variants of COVID-19 emerged, our teams and resources were reprioritised to deal with new demands, while maintaining existing essential services.

By March 2022, over 68.9 million bookings had been made on the National Booking Service for COVID-19 vaccinations and over 150 million vaccination events were processed. The service has adapted continuously to evolving policy throughout the year, allowing different cohorts to access vaccinations in line with government advice. Notably, it supported the accelerated COVID-19 booster vaccinations programme in December 2021 to deal with the impact of the Omicron variant.

NHS Digital continued to be the technology delivery lead for the UK Health Security Agency for COVID-19 testing services for the public. The demands of the Omicron variant meant that we needed to scale the National Coronavirus Testing System throughout the year, with more than 350 million test results processed on the platform during the year.

Our Corporate Services such as Commercial, Finance and Human Resources also worked hard to support our COVID-19 response. The Gold-Silver-Bronze command structure established in March 2020 remained in place throughout the year. Risk identification and reporting continued to remain strengthened.

3.b Preparations to respond to the COVID-19 Public Inquiry

In May 2021, the Prime Minister announced a Public Inquiry into the UK’s response to the COVID-19 pandemic. As a key provider of national health technology and data services used throughout the pandemic, NHS Digital started preparations to respond to the Public Inquiry. Colleagues were informed that all COVID-19-related records and information had to be retained. As of July 2021, a legal hold notice was applied to corporate record-holding systems, including email, so that any records would be secured and accessible. All relevant services, programmes and teams identified and recorded their information repositories, staff and suppliers. The COVID-19 Public Inquiry Response team was set up to ensure adequate preparation, governance and controls. The team has established protocols and procedures, and defined a request management tool. We are recruiting in the Public Inquiry Response team and engaging with our legal and counsel representation as part of the preparations.

4. Managing the financial position and preventing fraud

During the year we worked closely with finance colleagues at the Department of Health and Social Care, NHS England, UK Health Security Agency and NHSX (now the NHS England Transformation Directorate) to ensure funding was provided for our expenditure for ongoing COVID-19 delivery commissions, and to adjust to changing requirements following the government’s ‘Living with Covid’ announcement in February 2022.

The demands of the COVID-19 response continued to impact our non-COVID-19 delivery, constraining our ability to secure sufficient capacity and capability to deliver the full scope of the Technology Transformation Portfolio work that had been originally planned for the year. We worked closely with delivery teams across NHS Digital, the Department of Health and Social Care, and NHS England to identify potential underspends in non-COVID-19 activities and enable the early return of funding to the portfolio to be utilised for other health pressures.

The persistent very unusual circumstances of the pandemic continued to create a highly challenging delivery environment, including for the ongoing development of the National Coronavirus Testing System. The requirements had to be met extremely urgently, with more than 1,000 software releases during the year in response to changing policy. Despite the fact that the system has continued to be effective and reliable, the exceptional circumstances under which the system was built meant that accounting standards required us to produce a valuation for the balance sheet based on the cost of replacing the asset in an artificial optimal environment as at 31 March 2022. As with the valuation at the end of the previous financial year, the assumptions used to produce the replacement valuation include perfect hindsight in terms of lessons learned in initially building the asset. The value on 31 March 2022 is also reduced to reflect the fact that it has been used over the previous 2 years. To ensure independence we were again required to commission an external expert valuation, and using this valuation of a hypothetical replacement, adjusted for the use of the asset up to 31 March 2022, we have impaired the asset by £40.2 million.

Due to its exceptionally rapid development, the National Coronavirus Testing System was originally built as a single system, which grew exponentially as use cases, testing volumes and requirements for data increased in line with the requirements for responding to the pandemic. During 2021-22, work was undertaken to separate the system into modules that reflected individual parts of the overall service. Breaking the system down into modules enabled a phased reprocurement to be undertaken, whilst ensuring service continuity throughout the process.

During the year we received 15 referrals to our counter fraud service relating to contractors potentially working full-time for NHS Digital and also having full-time temporary contracts with other organisations. This was due to the recruitment agency allowing individuals multiple contracts to cater for part-time working, and was exacerbated by remote working arrangements. The recruitment agency identified the issue through their own internal audit, and brought this to our attention. We worked with the agency to establish additional controls to prevent reoccurrence. Although the individuals involved were working more than one job, our investigations did not find evidence of fraud, and therefore there was no loss to the organisation. The individuals are no longer engaged by NHS Digital.

5. Public Health England and the National Disease Registration Service transition

Public Health England (PHE) closed on 30 September 2021, with its functions being transferred into 4 receiving organisations as part of plans to reform the public health system in England. PHE’s National Disease Registration Service (NDRS) transferred into NHS Digital’s Data Services directorate on 1 October 2021.

NHS Digital was confirmed as a receiving organisation for NDRS on 1 April 2021, leaving 6 months to plan, resource, implement and deliver the work, which involved the novation of over 700 contracts and data sharing agreements and transferring 329 staff records and payroll details.

Work on the transition project was undertaken alongside the normal duties of staff, who were already handling increased workloads from supporting the response to the pandemic, adding further pressure to an already challenging timeline of 6 months.

Despite the pressure and challenges, strong leadership and project management, combined with regular and ongoing communication throughout the transition process, meant that the service delivery was maintained and that data flows were uninterrupted.

6. Pause on the GPDPR programme to 'listen'

When the GP Data for Planning and Research (GPDPR) programme launched in May 2021, it was met with concern from professionals and the public about the potential uses of, and controls on access to, data. As a result, the programme was paused to listen to feedback, which then prompted a programme redesign to address the issues raised and to meet a series of ministerial commitments.

It has taken some time for us to work through the practicalities of meeting these commitments. Reflecting on the feedback and strengthening our governance and decision-making processes, we have organised our work around 3 key areas:

  • communications: to ensure that we learn from feedback and continue to have focused and ongoing conversations with stakeholders and the public about patient data
  • data management, access and governance: to work on the trusted research environment and other aspects of the programme that focus on how data is processed, accessed and kept secure
  • opt-outs: the programme must meet the commitment to reduce the burden of opt-outs on GPs and practice staff, while providing a positive experience for anyone who chooses to opt out of their GP practice sharing their data

We published further information about this work on NHS Digital’s Data Points blog: ‘Your NHS data makes a difference’.

7. Russia-Ukraine conflict

In line with government policy and the Cabinet Office Procurement Note 01/22, we have identified a means of assessing Russian ownership of organisations using credit referencing organisations, and proposed this to the Department of Health and Social Care as a centrally led solution. This allowed us to review all of our contracts and confirm that we have no direct contracts with Russian (or Belarusian) suppliers. While we do not have an obligation to monitor sub-contractors of prime suppliers providing goods or services to us, we will however take the appropriate action when we become aware of any such instances.

Given our nature as a technology solutions organisation, we have verified that specific Russian-linked cloud software solution providers are not promoted as strategic products.

We have reviewed our financial risks profile to determine the impact of the conflict. While there is no immediate direct impact on our financial position, there is an impact on the UK and world economy, with the conflict being only one factor impacting the economic environment. We are tracking our prices, including labour costs, and closely monitoring the impact of inflation on the cost of delivery.

The National Cyber Security Centre has assessed that we are in a heightened period of cyber threat, but with no specific new threats to the UK. The situation does not change the likely impact of a successful cyber-attack against NHS Digital, nor the improvements we recommend. Their advice during such periods aligns with our own cyber improvement priorities, which we continue to monitor.

Significant control issues

There was 1 significant control issue during the year.

1. As we reported in last year’s annual report, we received retrospective approval from HM Treasury for the retention of 3 members of the Executive Management Team (EMT) on an off-payroll basis beyond the usual 6-month limit. We are reporting this again this year because the excess period for 2 of the individuals was in the 2021-22 financial year.

All 3 individuals played a pivotal role in leading the delivery of new critical services in response to the pandemic, and their appointment was extended beyond the usual 6 months to ensure delivery, continuity and stability at a senior level. During the course of the reporting year, the longest serving of the 3 members ceased to be a member of the EMT and was replaced in post by an on-payroll post holder in summer 2021. HM Treasury approval was granted on the proviso that: there was a lessons learned exercise, the remaining 2 post holders were on payroll by February 2022, and the funding provided to NHS Digital was reduced by £645,000 for 2021-22 as a penalty for not seeking approval from HM Treasury in advance. All HM Treasury requirements have been complied with.

There have been no other control issues.

I accept the observations by both the internal auditors and the National Audit Office, and I believe them to be a fair and accurate view of the organisation. We will continue to ensure rigorous and sound assurance is a priority for NHS Digital in 2022-23.

Statement of Accounting Officer's responsibilities

Under the Health and Social Care Act 2012 and directions made thereunder by the Secretary of State with the approval of HM Treasury, we are required to prepare a statement of accounts for each financial year in the form and on the basis determined by the Secretary of State. The accounts are prepared on an accruals basis and must give a true and fair view of our state of affairs and of our net resource outturn, application of resources, changes in taxpayers’ equity and cash flows for the financial year.

In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual and, in particular, to:

  • observe the accounts direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
  • make judgements and estimates on a reasonable basis
  • state whether applicable accounting standards, as set out in the Government Financial Reporting Manual, have been followed and disclosed and explain any material departures in the financial statements
  • prepare the financial statements on a going concern basis, unless it is inappropriate to presume that NHS Digital will continue in operation

The Accounting Officer for the Department of Health and Social Care has appointed me as the Accounting Officer who has responsibility for preparing our accounts and transmitting them to the Comptroller and Auditor General. Specific responsibilities include the propriety and regularity of the public finances for which the Accounting Officer is answerable, for keeping proper records and for safeguarding our assets, as set out in ‘Managing Public Money’ published by HM Treasury. As Accounting Officer, I am able to confirm that:

  • as far as I am aware, there is no relevant audit information of which the auditors are unaware
  • I have made myself aware of any relevant audit information and established that the entity’s auditors are aware of that information
  • the Annual Report and Accounts as a whole are fair, balanced, and understandable
  • I take personal responsibility for the Annual Report and Accounts and the judgement required for determining that they are fair, balanced, and understandable

Parliamentary accountability and audit report

The purpose of the Parliamentary Accountability and Audit Report is to summarise the key parliamentary accountability documents within the Annual Report and Accounts, including the certificate and report of the Comptroller and Auditor General to the Houses of Parliament. All elements of this report are subject to audit.

Losses and Special Payments

Losses and special payments are items that Parliament would not have contemplated when it agreed funds for the health service or passed legislation. By their nature, they are items that ideally should not arise. They are, therefore, subject to special control procedures.

During 2021-22, there were 124 (2020-21: 1,266) losses and special payments amounting to £181,321 (2020-21: £1,221,422). There were no individual losses over £300,000 requiring separate disclosure.

No interest was paid under the Late Payments of Commercial Debts (Interest) Act 1998 (2020-21: nil).

Remote contingent liabilities

We have not identified any significant remote contingent liabilities. These are liabilities for which the likelihood of a transfer of economic benefit in settlement is too remote to meet the definition of contingent liability within the meaning of IAS 3.

Fees and charges

Fees and charges are for ‘data-related services’. These are the provision of health-related data to customer requirements, data linkage services and data extracts for research purposes. No charges are made for the actual data, only for the cost of providing the data to the customer in the format and to the specification required, including a fee for compliance with information governance requirements.

No charges are made for data supplied to the NHS or local authorities when the data is required to support the planning and commissioning of healthcare. A charge is made if the data is required for other purposes. The following table shows the income received, less the costs for the full service, including the costs of providing data for the planning and commissioning of healthcare.

During 2021-22 we began a full review of our charging policy, which we expect to conclude during 2022-23. The review is being carried out in consultation with NHS England’s Centre for Improving Data Collaboration, and will also consider the outcome and recommendations of the Goldacre Review and the Health and Social Care Data Strategy.

The fees and charges note below is subject to audit:





Income 2,857 3,489
Expenditure (6,493) (6,807)
(Deficit)/surplus (3,636) (3,318)


Simon Bolton

Interim Chief Executive

2 November 2022

The certificate and report of the Comptroller and Auditor General to the Houses of Parliament

Opinion on financial statements

I certify that I have audited the financial statements of the Health and Social Care Information Centre for the year ended 31 March 2022 under the Health and Social Care Act 2012.

The financial statements comprise the Health and Social Care Information Centre’s:

  • Statement of Financial Position as at 31 March 2022;
  • Statement of Comprehensive Net Expenditure, Statement of Cash Flows and Statement of Changes in Taxpayers’ Equity for the year then ended; and 
  • the related notes including the significant accounting policies

The financial reporting framework that has been applied in the preparation of the financial statements is applicable law and UK adopted International Accounting Standards.

In my opinion, the financial statements:

  • give a true and fair view of the state of the Health and Social Care Information Centre’s affairs as at 31 March 2022 and its net expenditure for the year then ended; and
  • have been properly prepared in accordance with the Health and Social Care Act 2012 and Secretary of State directions issued thereunder

Opinion on regularity

In my opinion, in all material respects, the income and expenditure recorded in the financial statements have been applied to the purposes intended by Parliament and the financial transactions recorded in the financial statements conform to the authorities which govern them.

Basis for opinions

I conducted my audit in accordance with International Standards on Auditing (UK) (ISAs UK), applicable law and Practice Note 10 ‘Audit of Financial Statements of Public Sector Entities in the United Kingdom’. My responsibilities under those standards are further described in the Auditor’s responsibilities for the audit of the financial statements section of my certificate.

Those standards require me and my staff to comply with the Financial Reporting Council’s 'Revised Ethical Standard 2019'. I have also elected to apply the ethical standards relevant to listed entities. I am independent of the Health and Social Care Information Centre in accordance with the ethical requirements that are relevant to my audit of the financial statements in the UK. My staff and I have fulfilled our other ethical responsibilities in accordance with these requirements.

I believe that the audit evidence I have obtained is sufficient and appropriate to provide a basis for my opinion.

Conclusions relating to going concern

In auditing the financial statements, I have concluded that the Health and Social Care Information Centre’s use of the going concern basis of accounting in the preparation of the financial statements is appropriate.

Based on the work I have performed, I have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the Health and Social Care Information Centre’s ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue.

My responsibilities and the responsibilities of the Accounting Officer with respect to going concern are described in the relevant sections of this certificate.

The going concern basis of accounting for the Health and Social Care Information Centre is adopted in consideration of the requirements set out in HM Treasury's Government Financial Reporting Manual, which require entities to adopt the going concern basis of accounting in the preparation of the financial statements where it is anticipated that the services which they provide will continue into the future.

Other Information

The other information comprises information included in the Annual Report, but does not include the financial statements nor my auditor’s certificate. The Accounting Officer is responsible for the other information.

My opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in my certificate, I do not express any form of assurance conclusion thereon. I have nothing to report in this regard.

In connection with my audit of the financial statements, my responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or my knowledge obtained in the audit or otherwise appears to be materially misstated.

If I identify such material inconsistencies or apparent material misstatements, I am required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work I have performed, I conclude that there is a material misstatement of this other information, I am required to report that fact.

I have nothing to report in this regard.

Opinion on other matters

In my opinion, the part of the Remuneration and Staff Report to be audited has been properly prepared in accordance with Secretary of State directions issued under the Health and Social Care Act 2012. 

In my opinion, based on the work undertaken in the course of the audit:

  • the parts of the Accountability Report subject to audit have been properly prepared in accordance with Secretary of State directions made under the Health and Social Care Act 2012; and
  • the information given in the Performance and Accountability Reports for the financial year for which the financial statements are prepared is consistent with the financial statements and is in accordance with the applicable legal requirements

Matters on which I report by exception

In the light of the knowledge and understanding of the Health and Social Care Information Centre and its environment obtained in the course of the audit, I have not identified material misstatements in the Performance and Accountability Report.

I have nothing to report in respect of the following matters which I report to you if, in my opinion:

  • I have not received all of the information and explanations I require for my audit; or
  • adequate accounting records have not been kept by the Health and Social Care Information Centre or returns adequate for my audit have not been received from branches not visited by my staff; or
  • the financial statements and the parts of the Accountability Report subject to audit are not in agreement with the accounting records and returns; or
  • certain disclosures of remuneration specified by HM Treasury’s Government Financial Reporting Manual have not been made or parts of the Remuneration and Staff Report to be audited are not in agreement with the accounting records and returns; or
  • the Governance Statement does not reflect compliance with HM Treasury’s guidance

Responsibilities of the Accounting Officer for the financial statements

As explained more fully in the statement of Accounting Officer’s responsibilities, the Accounting Officer is responsible for:

  • maintaining proper accounting records;
  • the preparation of the financial statements and Annual Report in accordance with the applicable financial reporting framework and for being satisfied that they give a true and fair view;
  • ensuring that the Annual Report and accounts as a whole is fair, balanced and understandable;
  • internal controls as the Accounting Officer determines are necessary to enable the preparation of financial statements to be free from material misstatement, whether due to fraud or error; and
  • assessing the Health and Social Care Information Centre’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the Accounting Officer anticipates that the services provided by the Health and Social Care Information Centre will not continue to be provided in the future

Auditor’s responsibilities for the audit of the financial statements

My responsibility is to audit, certify and report on the financial statements in accordance with the Health and Social Care Act 2012.

My objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue a certificate that includes my opinion. Reasonable assurance is a high level of assurance but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

Extent to which the audit was considered capable of detecting non-compliance with laws and regulations including fraud

I design procedures in line with my responsibilities, outlined above, to detect material misstatements in respect of non-compliance with laws and regulations, including fraud. The extent to which my procedures are capable of detecting non-compliance with laws and regulations, including fraud, is detailed below.

Identifying and assessing potential risks related to non-compliance with laws and regulations, including fraud

In identifying and assessing risks of material misstatement in respect of non-compliance with laws and regulations, including fraud, we considered the following:

  • the nature of the sector, control environment and operational performance including the design of the Health and Social Care Information Centre’s accounting policies, and key performance indicators
  • inquiring of management, the Health and Social Care Information Centre’s head of internal audit and those charged with governance, including obtaining and reviewing supporting documentation relating to the Health and Social Care Information Centre’s policies and procedures relating to 
    • identifying, evaluating and complying with laws and regulations and whether they were aware of any instances of non-compliance;
    • detecting and responding to the risks of fraud and whether they have knowledge of any actual, suspected or alleged fraud; and
    • the internal controls established to mitigate risks related to fraud or non-compliance with laws and regulations including the Health and Social Care Information Centre’s controls relating to the Health and Social Care Information Centre’s compliance with the Health and Social Care Act 2012, and Managing Public Money.
  • discussing among the engagement team and involving relevant internal and external specialists, including valuation expertise regarding how and where fraud might occur in the financial statements and any potential indicators of fraud.

As a result of these procedures, I considered the opportunities and incentives that may exist within the Health and Social Care Information Centre for fraud and identified the greatest potential for fraud in the following areas: revenue recognition, posting of unusual journals, complex transactions, and bias in management estimates. In common with all audits under ISAs (UK), I am also required to perform specific procedures to respond to the risk of management override of controls.

I also obtained an understanding of the Health and Social Care Information Centre’s framework of authority as well as other legal and regulatory frameworks in which the Health and Social Care Information Centre operates, focusing on those laws and regulations that had a direct effect on material amounts and disclosures in the financial statements or that had a fundamental effect on the operations of the Health and Social Care Information Centre. The key laws and regulations I considered in this context included the Health and Social Care Act 2012, Managing Public Money, employment law and tax legislation.

Audit response to identified risk 

As a result of performing the above, the procedures I implemented to respond to identified risks included the following:

  • reviewing the financial statement disclosures and testing to supporting documentation to assess compliance with provisions of relevant laws and regulations described above as having direct effect on the financial statements;
  • inquiring of management, the Audit and Risk Committee and in-house legal counsel concerning actual and potential litigation and claims;
  • reading and reviewing minutes of meetings of those charged with governance and the Board and internal audit reports; and
  • in addressing the risk of fraud through management override of controls, testing the appropriateness of journal entries and other adjustments; assessing whether the judgements made in making accounting estimates are indicative of a potential bias; and evaluating the business rationale of any significant transactions that are unusual or outside the normal course of business

I also communicated relevant identified laws and regulations and potential fraud risks to all engagement team members including internal specialists and remained alert to any indications of fraud or non-compliance with laws and regulations throughout the audit.

A further description of my responsibilities for the audit of the financial statements is located on the Financial Reporting Council’s website. This description forms part of my certificate.

Other auditor’s responsibilities

I am required to obtain evidence sufficient to give reasonable assurance that the income and expenditure reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them.

I communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that I identify during my audit.


I have no observations to make on these financial statements.

Gareth Davies

Comptroller and Auditor General

4 November 2022

National Audit Office
157-197 Buckingham Palace Road

Last edited: 22 March 2023 1:15 pm