Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.

Data Sharing Audits

We carry out independent audits and where necessary post audit reviews to check that our customers are meeting the obligations in their Data Sharing Framework Contracts and Data Sharing Agreements. This helps to ensure that organisations abide by the terms and conditions set by NHS Digital and data is kept safe and secure.

Page contents

Why we share data

Data is only shared by NHS Digital with organisations to improve health and care, for example to enable medical research or plan NHS services. It is only shared with those organisations that have a legal basis and legitimate need to use it. 

Before they can access data, an organisation must sign a data sharing framework contract and a data sharing agreement. These documents set out the contractual terms, including how the data can be used, the benefits to be gained from its use, where it may be stored, the security requirements that will be met and who can access and process it, including any third parties. 

Find out how NHS Digital makes decisions about data access.

Why data sharing audits are important

The audit team carries out data sharing audits to check that organisations meet the obligations in their contract and agreement. The team also confirm that organisations adhere to their own policies and procedures relating to data sharing and security.

Audits help assure us, and the public, that organisations are handling the data securely and are using it for the purposes for which it was provided. Audits also help organisations to improve and achieve good practice in how they operate. 

Final audit reports are published here to aid transparency.

How audits are conducted

For further information on the audit process, please refer to our current Audit Guide.

How findings are classified

An audit report identifies findings where an organisation has not met specific elements of its contract or agreement, or where the audit team believes improvements can be made. 

Each finding is given one of the following classifications: 

Agreement nonconformity

The data recipient has failed to meet one of the requirements set out in their data sharing framework contract, data sharing agreement or any communication between NHS Digital and the data recipient, either during or after their application.

For example, it may be found during an audit that data is being stored at a different secure location to the one the data recipient specified in their data sharing agreement and so the agreement will need amending (as long as that location meets the same requirements).  

It could also be when a data recipient fails to meet one of the guidelines identified in their data sharing framework contract, (including later versions), except when they are able to provide a documented justification as to why such guidance is not applicable (such as when their own processes achieve the same end). 

Organisation nonconformity

This is a variation from a requirement specified in the data recipient’s own documentation. 

For example, the organisation is not undertaking compliance checks, such as internal audits, as prescribed in its own documentation.

Observation

This is when there is not a nonconformity, but the data recipient is in a situation where one could arise if they do not take appropriate action.  

For example, the staff that may in the future process the data have not completed the necessary information governance training at the time of the audit. The observation would be that staff need to complete the training before they process the data. 

Opportunity for improvement

The audit team may identify opportunity for improvements which could help an organisation improve its controls or their effectiveness based on the audit team’s experience and knowledge from other data sharing audits. 

For example, the audit team may suggest that key staff undertake specialist training.

Follow Up

Any materials such as documentation considered important by the audit ream that could not be provided within the timeframe of the audit may be identified in the audit report as “follow-up”. This material will be reviewed by the audit team, at the post audit review. If issues are identified during the post audit review, further findings may be raised by the audit team.

Just because an agreement nonconformity is identified (an organisation is not complying with the contract or agreement), it does not mean there has been a breach of data protection law or that privacy or security of any data has been put at risk.

An overall risk score is also calculated, based on the findings, their classification and the type of data being shared. A report is then produced and provided to the organisation, these are also published on our website.  

How audits are followed up

When findings are identified, the audit team works with the organisation to produce an action plan to show how the organisation will address the findings. Post audit reviews are then carried out to ensure the findings have been addressed satisfactorily.  Each final post audit report is published here.

The data we collect and provide access to is only used to benefit health and social care in a legal, ethical and transparent manner. Where serious findings are identified, NHS Digital works with the organisation to rectify the problem and ensure that patient data is protected while also ensuring that the organisation can continue its work to achieve the benefits for health and care services. 

NHS Digital takes its responsibility to safeguard data very seriously and where necessary can suspend access to data, but it is important that any action taken is proportionate.

Therefore any potential penalties, such as removal of access to data, are balanced with safeguarding against a potential negative impact to patient care.  For example, if a CCG has to return all the data it holds, it would be unable to commission vital services for patients. Equally, ceasing access to data for a clinical trial would mean that the potential benefits of that trial for patient care and treatment would not be achieved since it could not be concluded.

However, if there is a significant breach of the data sharing agreement then NHS Digital may require that the data provided is destroyed. If appropriate, in relation to personal data breaches, we may report the organisation to the Information Commissioner’s Office (ICO).

2023 audits

View all our 2023 data sharing audits and post audit reviews.

2022 audits

View all our 2022 data sharing audits and post audit reviews.

2021 audits

View all our 2021 data sharing audits and post audit reviews.

Audit Guides

Audits conducted between October 2016 and December 2017 were against Version 1 of the Audit Guide.

Audits conducted between January 2018 and 26 July 2019 were against Version 2 of the Audit Guide.

Audits conducted from 29 July 2019 were against Version 3 of the Audit Guide.  

In November 2020, the Audit Team started to conduct audits remotely against a new Remote Audit Guide.

To assist the data recipient with the audit process NHS Digital has also produced an Action Plan template.

Last edited: 20 December 2022 12:52 pm