Skip to main content

NHS Digital Data Sharing Remote Audit: Intensive Care National Audit & Research Centre (ICNARC)

This report records the key findings of a remote data sharing audit of the Intensive Care National Audit & Research Centre in October 2021. 

Audit summary


This report records the key findings of a remote data sharing audit of the Intensive Care National Audit & Research Centre (ICNARC) between 18 and 22 October 2021. It provides an evaluation of how ICNARC conforms to the requirements of both:

  • the data sharing framework contact (DSFC) CON-303700-Q1B6H v2.01
  • the data sharing agreement (DSA) DARS-NIC-46844-W5V5G-v2.3

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Medical Research Information Service (MRIS) – Cohort Event Notification Report Identifiable, Sensitive Nov 2017 – Jan 2018
MRIS – Flagging Current Status Report Identifiable, Sensitive Nov 2017 – Jan 2018


The Controller is ICNARC, and the Processors are Nasstar and Exponential-e (not named on the active DSA). Although Iron Mountain is also named as a Processor on the active DSA, the company is no longer being used and was therefore excluded from this audit.

Many critically ill patients suffer disturbing psychological symptoms, such as panic or hallucinations, during their stay in the intensive care unit. Doctors believe that these frightening experiences are caused by the effects of illness, drugs, stressful treatments such as being on a breathing machine (ventilator), and by the alien environment of the intensive care unit. There is now strong evidence that these stressful experiences may trigger longer-term psychological problems for patients, such as post-traumatic stress disorder, severe depression and anxiety. The POPPI (Provision of Psychological support to People in Intensive care) study seeks to establish if psychological training for nurses improves patients’ wellbeing after a stay in the intensive care unit. In this instance the mortality data supplied by NHS Digital was used to prevent correspondence being sent to a patient that had passed away. Currently the data is not being used as the study has finished.

This report also considers whether ICNARC conforms to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.  

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type Routine
Scope areas

Information transfer
Access control
Data use and benefits
Risk management
Operational management and control
Data destruction

Restrictions Access control - limited visibility of physical controls


Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

ICNARC has reviewed this report and confirmed that it is accurate. 

Data recipient’s action plan

ICNARC will establish a corrective action plan to address each finding shown in the findings table below. NHS Digital will validate this plan and the resultant actions at a post audit review with ICNARC to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


The following table identifies the 3 agreement nonconformities, 1 observation, 5 opportunities for improvement and 1 point for follow-up raised as part of the audit.  

Ref Finding Link to area Clause Designation Notes
1 There is no evidence to show that NHS Digital was informed in a reasonable timeframe of the significant changes to the Processors and processing infrastructure in 2019/2020, which ICNARC stated it made with the aim of enhancing the security of the data. Although NHS Digital was informed in October 2021, it is important that these changes are formally recognised and accepted.   Access control DSA, Annex A, clauses 1c and 5b Agreement nonconformity  
2 The data processing and storage locations specified on the active DSA and the in-progress application do not accurately reflect the current locations. Information transfer DSA, Annex A, clause 2 Agreement nonconformity  
3 There was no evidence to show that user access to the locations holding data supplied by NHS Digital is reviewed on a regular basis.    Access control DSA, clause 7
ICNARC, Access Control Procedure DSP DOC 01-1.2.1g, clause 7
ICNARC, User Access Management DSP DOC 04-4.1.2, clause 6
Agreement nonconformity  
4 If processing of the data supplied by NHS Digital resumes, then ICNARC will need to ensure that all staff with access to the data supplied by NHS Digital have completed the data protection training within the last 12 months. Operational Management DSFC, Schedule 2, Section A, clause 1.2.2 Observation  
5 ICNARC should review its general privacy notice and any study specific privacy notice to ensure there is limited opportunity for confusion due to differing commitments.    Operational Management   Opportunity for improvement  

Although ICNARC is currently tracking and reviewing all identified vulnerabilities, the Audit Team suggested that the Network Security Policy is amended, to recognise that medium and low risks are also evaluated and addressed. 

Operational Management   Opportunity for improvement  
7 The Audit Team suggested that some documentation should be maintained for its service review meetings with the infrastructure provider. Risk management should be added as a standing agenda item at these meetings.  Operational management   Opportunity for improvement  
8 The Audit Team suggested that “providers of data” is added to the notification section in the Information Security Incident Management document. Operational Management   Opportunity for improvement  
9 ICNARC should review the asset information reporting it receives from its Processor to ensure its relevance and accuracy. Operational Management   Opportunity for improvement  
10 At the post audit review the Audit Team will review the evidence associated with the destruction of equipment and tapes that previously held data supplied by NHS Digital. The destruction is planned for later in 2021. Data Destruction   Follow-up  


Supplementary notes

No notes

Use of data

ICNARC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

ICNARC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table.  These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation Territory of use
Exponential-e England / Wales 


Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
Exponential-e Disk 28 days


Good practice

During the audit, the Audit Team noted the following area of good practice:

  • A number of papers from the research were published in renowned journals. ICNARC reported significant interest in the research undertaken
  • ICNARC was proactive in the use of regular meetings to disseminate information.


The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 17 January 2022 1:31 pm