
Data Sharing Remote Audit: Small Area Health Statistics Unit at Imperial College London

This report records the findings of a remote data sharing audit of the Small Area Health Statistics Unit (SAHSU) at Imperial College London in June 2021.

Audit summary


This report records the key findings of a remote data sharing audit of the Small Area Health Statistics Unit (SAHSU) at Imperial College London (ICL). The interviews were conducted between 28 June and 2 July 2021. The report provides an evaluation of how SAHSU conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-312177-J7P3H
  • the data sharing agreement (DSA) DARS-NIC-204903-P1J7Q-v3.8

SAHSU currently have an ongoing application with the Data Access Request Service (DARS) team, which outlines changes with respect to processing and storage activities. These changes were implemented from July 2020 by SAHSU. SAHSU was able to provide email correspondence which outlined the changes that had been agreed with DARS. As a result, SAHSU was assessed against the current DSA, and the changes agreed with DARS.

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
| --- | --- | --- |
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Sensitive | 1990/91 - 2021/22_M06 |
| HES Critical Care | Identifiable, Sensitive | 2008/09 - 2021/22_M06 |
| HES Accident and Emergency | Identifiable, Sensitive | 2008/09 - 2018/19 |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2018/19 - 2021/22_M06 |
| HES: Civil Registration (Deaths) bridge | Identifiable, Non-sensitive | Latest available |
| Civil Registration (Deaths) - Secondary Care Cut | Identifiable, Sensitive | Latest available |


The Controller is ICL.

SAHSU was established in 1987 as a recommendation of the Black inquiry into the incidence of leukaemia and lymphoma in children and young adults near the Windscale/Sellafield nuclear power plant. The main role of SAHSU is to assess the risk to the health of the population from environmental factors by analysing health and population data at a small area scale. 

SAHSU is funded by Public Health England to contribute to public health in the UK.

This report also considers whether SAHSU conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing. 

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type: Routine

Scope areas:

  • Information transfer
  • Access control
  • Data use and benefits
  • Risk management
  • Operational management and control
  • Data destruction

Restrictions: Access control - limited visibility of physical controls


Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: High

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.

Data recipient’s acceptance statement

SAHSU has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

SAHSU will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with SAHSU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence, at which point the Audit Team may raise further findings.


The following table identifies the 6 agreement nonconformities, 1 organisation nonconformity, 2 observations, 9 opportunities for improvement and 1 point for follow-up raised as part of the audit. 

| Ref | Finding | Link to area | Clause | Designation | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | The database holding data supplied by NHS Digital has not been patched for some time. | Access control | DSFC Part 2, Schedule 2, Section A, clause 1.1 | Agreement nonconformity | |
| 2 | Data in transit between the primary datacentre and the backup sites is not fully encrypted as required by the DSFC. | Information transfer | DSFC, Schedule 2, Section A, clause 4.6 | Agreement nonconformity | |
| 3 | Vulnerability scans have not been conducted on elements of the infrastructure. | Access control | DSFC Part 2, Schedule 2, Section A, clause 1.1 | Agreement nonconformity | |
| 4 | Findings from validation testing have not been cleared within a reasonable timescale and no formal remediation plan has been established. | Access control | DSFC Part 2, Schedule 2, Section A, clause 1.1 | Agreement nonconformity | |
| 5 | ICL has not carried out a formal risk assessment of the physical controls at ICL’s data centres. | Access control | DSFC, Part 2, Schedule 2, Section A, Clause 3 | Agreement nonconformity | |
| 6 | Two master's students had been given access to data supplied by NHS Digital, which is not permitted by the DSA. During the audit, access to the data by the master's students was suspended by SAHSU, and a request was made to DARS to update the DSA. | Use and benefits | DSA, Annex A, Section 5b | Agreement nonconformity | |
| 7 | The data supplied by NHS Digital has not been classified in line with SAHSU Information Classification Policy. | Operational management | SAHSU Information Classification Policy | Organisation nonconformity | |
| 8 | Although the DSA requires all PhD students to have substantive contracts in place with Imperial College London, no such contracts could be provided for any of the PhD students in the Unit. | Use and benefits | DSA, Annex A, Section 5b | Observation | |
| 9 | Anti-virus alerts for the servers holding data supplied by NHS Digital are only forwarded to a single IT contact. If the contact was unavailable, then no action would be taken against the alerts. It was, however, stated that SAHSU plan to utilise the anti-virus solution used by the rest of ICL, where events would be captured in a log management tool and alerts issued to a group email address. | Access control | DSFC Part 2, Schedule 2, Section A, clause 1.1 | Observation | |
| 10 | SAHSU should consider developing procedures or enhancing existing documentation to cover the following: the local storage of Active Directory (AD) administrator account passwords; firewall management, for example, responsibilities, rule changes and configuration changes; assessing security incidents and informing NHS Digital where appropriate; electronic destruction of data supplied by NHS Digital. | Operational management | | Opportunity for improvement | |
| 11 | SAHSU should proactively monitor the database logs. | Operational management | | Opportunity for improvement | |
| 12 | The Information Asset Owner (IAO) should consider completing specialist IAO training. | Operational management | | Opportunity for improvement | |
| 13 | SAHSU should consider adding appropriate document management information to its Data Protection Impact Assessment (DPIA). | Operational management | | Opportunity for improvement | |
| 14 | SAHSU should consider deactivating user accounts that have not been accessed for more than six months. | Access control | | Opportunity for improvement | |
| 15 | SAHSU risk management process could be improved by regular review of the risk register at a group meeting, including the IAO. SAHSU should also consider formal risk management training. | Risk management | | Opportunity for improvement | |
| 16 | SAHSU should consider automatically blocking remote connections in certain circumstances. | Access control | | Opportunity for improvement | |
| 17 | ICL should consider proactive review of swipe card access to the datacentre as currently this is only done when users join or leave the organisation. | Access control | | Opportunity for improvement | |
| 18 | SAHSU should consider carrying out a risk assessment on the statistical server as it may store temporary files if there is any abnormal shutdown of the statistical tools. | Risk management | | Opportunity for improvement | |
| 19 | At the time of audit, ‘old’ servers had not been destroyed but still contained data supplied by NHS Digital. At the post audit review, the Audit Team will review the data destruction process and view a completed certificate of destruction. | Data destruction | | Follow-up | |


Supplementary notes

No notes

Use of data

SAHSU confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

SAHSU confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of use |
| --- | --- |
| ICL | England/Wales (temporary approval of access across UK during the pandemic) |


Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
| --- | --- | --- |
| ICL | Disk | 3 months |
| ICL | Tape | 6 months |


Good practice

During the audit, the Audit Team noted the following areas of good practice:

  • SAHSU has developed a homeworking risk assessment and asks users to complete it.
  • SAHSU was able to demonstrate the benefits to health and social care from the outputs it had produced using data supplied by NHS Digital.


The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 18 August 2021 9:19 am