Data Sharing Audits

Data is only shared by NHS Digital with organisations to improve health and care, for example to enable medical research or plan NHS services. It is only shared with those organisations that have a legal basis and legitimate need to use it. 

Before they can access data, an organisation must sign a data sharing framework contract and a data sharing agreement. These documents set out the contractual terms, including how the data can be used, the benefits to be gained from its use, where it may be stored, the security requirements that will be met and who can access and process it, including any third parties. 

Find out how NHS Digital makes decisions about data access.

The audit team carries out data sharing audits to check that organisations meet the obligations in their contract and agreement. The team also confirm that organisations adhere to their own policies and procedures relating to data sharing and security.

Audits help assure us, and the public, that organisations are handling the data securely and are using it for the purposes for which it was provided. Audits also help organisations to improve and achieve good practice in how they operate. 

Final audit reports are published here to aid transparency.

For further information on the audit process, please refer to our current Audit Guide.

An audit report identifies findings where an organisation has not met specific elements of its contract or agreement, or where the audit team believes improvements can be made. 

Each finding is given one of the following classifications: 

Just because an agreement nonconformity is identified (an organisation is not complying with the contract or agreement), it does not mean there has been a breach of data protection law or that privacy or security of any data has been put at risk.

An overall risk score is also calculated, based on the findings, their classification and the type of data being shared. A report is then produced and provided to the organisation, these are also published on our website.

When findings are identified, the audit team works with the organisation to produce an action plan to show how the organisation will address the findings. Post audit reviews are then carried out to ensure the findings have been addressed satisfactorily. Each final post audit report is published here.

The data we collect and provide access to is only used to benefit health and social care in a legal, ethical and transparent manner. Where serious findings are identified, NHS Digital works with the organisation to rectify the problem and ensure that patient data is protected while also ensuring that the organisation can continue its work to achieve the benefits for health and care services. 

NHS Digital takes its responsibility to safeguard data very seriously and where necessary can suspend access to data, but it is important that any action taken is proportionate.

Therefore any potential penalties, such as removal of access to data, are balanced with safeguarding against a potential negative impact to patient care. For example, if a CCG has to return all the data it holds, it would be unable to commission vital services for patients. Equally, ceasing access to data for a clinical trial would mean that the potential benefits of that trial for patient care and treatment would not be achieved since it could not be concluded.

However, if there is a significant breach of the data sharing agreement then NHS Digital may require that the data provided is destroyed. If appropriate, in relation to personal data breaches, we may report the organisation to the Information Commissioner’s Office (ICO).

See our archive of independent audits and post audit reviews from January 2015 to December 2020.

All our audits are conducted in line with the latest version of our audit guide. We update the guide periodically.

This table shows which version of the audit guide we followed when conducting previous data sharing audits.

To assist the data recipient with the audit process NHS Digital has also produced an Action Plan template.