Skip to main content

Data Sharing Remote Audit: South London and Maudsley NHS Foundation Trust

This report records the key findings of a remote data sharing audit of South London and Maudsley NHS Foundation Trust between September and October 2021.  

Audit summary


This report records the key findings of a remote data sharing audit of South London and Maudsley NHS Foundation Trust (SLaM) between 27 September and 1 October 2021.  It provides an evaluation of how SLaM conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-00107-Q0L0N v2.01
  • the data sharing agreement (DSA) DARS-NIC-292279-Z2S5T-v6.6

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care Pseudo/Anonymised, Non-sensitive 1997/98 – 2019/20
HES Critical Care Pseudo/Anonymised, Non-sensitive 2008/09 – 2019/20
HES Outpatients Pseudo/Anonymised, Non-sensitive 2003/04 – 2019/20
HES Accident and Emergency  Pseudo/Anonymised, Non-sensitive 2007/08 – 2018/19
Medical Research Information Service (MRIS) – Flagging Current Status Report Identifiable, Sensitive October 2005 - March 2020
MRIS – Cohort Event Notification Report Identifiable, Sensitive October 2005 - March 2020
MRIS - Cause of Death Report Identifiable, Sensitive October 2005 - March 2020
Demographics Pseudo/Anonymised, Sensitive Latest Available, Annually    
Civil Registration - Deaths Pseudo/Anonymised, Sensitive     Latest Available, Annually


The Controller is SLaM and the Processor is Microsoft UK.

SLaM requires HES, mortality and cancer registration data from NHS Digital for the purpose of research in the public interest. The objective of the data collection is to create a research resource to be used for research projects aiming to investigate physical health outcomes (including mortality) and receipt of health care in people with mental health conditions attending secondary mental health care services provided by SLaM. 

This report also considers whether SLaM conform to its own policies, processes and procedures. 

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type Routine
Scope areas

Information transfer
Access control
Data use and benefits
Risk management
Operational management and control
Data destruction

Restrictions Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Low

This risk is based on a deviation from the terms and conditions of the contractual documents, signed by both parties, with respect to compliance, duty of care, confidentiality or integrity.

Data recipient’s acceptance statement

SLaM has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

SLaM will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with SLaM to confirm the findings have been satisfactorily addressed.


The following table identifies the 1 agreement nonconformity, 3 observations, 3 opportunities for improvement and 1 point for follow-up raised as part of the audit.

Ref Finding Link to area Clause Designation Notes
1 SLaM had not conduct security testing of the cloud infrastructure prior to data being transferred. Secuity testing had been conducted for its on-premise infrastructure. Access Control DSFC, Schedule 2, Section A, Clause 1.1 Agreement nonconformity  
2 Following further assessment and agreement of the nature of passwords, the SLaM Information Security Policy will need to be updated as the current policy is inconsistent with the password settings technically enforced. Passwords were amended during the Covid-19 pandemic to be consistent with Government guidelines. Access Control SLaM Information Security Policy, version 8 (February 2020) Observation  
3 A deprecated hash algorithm is used to encrypt the patient identifier in the anonymised datasets made available to approved researchers. Access Control DSFC, Part 2, Clause 5.1.3 Observation  
4 SLaM had completed a Data Protection Impact Assessment (DPIA), however, it did not contain the most up to date information. The DPIA is due to be updated following release of the new Data Sharing Agreement (DSA). Operational Management South East London Data Protection and Privacy Impact Assessment (DPIA) Process, 10 Apr 2019 Observation  
5 SLaM should consider including a reminder to acknowledge the use of HES data in publications, within the guidance provided to users of the Clinical Record Interactive Search (CRIS) system. Operational Management   Opportunity for improvement  
6 SLaM should reassess its use of built-in administrator accounts as recommended by Microsoft. Access Control   Opportunity for improvement  
7 SLaM should consider what specialist training is provided to staff employed in named positions, for example, Information Asset Owner (IAO) and Information Asset Administrator (IAA). Operational Management   Opportunity for improvement  
8 At the post audit review, the Audit Team will review evidence of data destruction in relation to data previously stored on-premise. Data Destruction DSA, Annex A, Clause 6 Follow-up  

Supplementary notes

No notes.

Use of data

SLaM confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

SLaM confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation Territory of use
SLaM England and Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
Microsoft  Cloud storage 7 days

Note: Previous on-premise storage is awaiting destruction. See finding Ref. 8.

Good practice

During the audit, the Audit Team noted the following areas of good practice:

  • SLaM was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England
  • Effective governance controls were in place, with regular Board and Information Security Committee meetings, as well as a programme of internal audits providing oversight and assurance.


The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform certain controls, that would normally be assessed whilst onsite, could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 March 2022 2:28 pm