Skip to main content

NHS Digital Data Sharing Remote Audit: University of Leeds - Clinical Trials Research Unit

This report records the key findings of a remote data sharing audit of the Clinical Trials Research Unit within the Faculty of Medicine and Health at the University of Leeds in February 2022.

Audit summary


This report records the key findings of a remote data sharing audit of the Clinical Trials Research Unit (CTRU) within the Faculty of Medicine and Health at the University of Leeds (UoL) between 7 and 11 February 2022. It provides an evaluation of how CTRU conforms to the requirements of both:

  • the data sharing framework contract (DSFC) CON-315426-K3W7R
  • the data sharing agreement (DSA) DARS-NIC-112910-R4X9X-v2.3

This DSA covers the provision of the following datasets:

Dataset Classification of data Dataset period
Hospital Episode Statistics (HES) Admitted Patient Care Identifiable, Non-Sensitive 2016/17 – 2020/21
HES Civil Registration (Deaths) bridge Identifiable, Non-Sensitive Annually
Civil Registration (Deaths) Secondary Care Cut Identifiable, Sensitive Latest available


The Controller is UoL.

The aim of the UK Global Registry of Acute Coronary Events (GRACE) Risk Score Intervention Study, UKGRIS, is to establish whether there is a difference in a patient’s health following an unstable angina attack or a heart attack if treated according to a hospital's usual care or if treated using the GRACE risk score tool.

The UKGRIS randomly assigns recruiting hospitals to either continue with their usual care or use of the GRACE risk score tool for the care of their patients admitted with a suspected non-ST elevation-acute coronary syndrome (NSTEACS), a type of unstable angina attack or heart attack. Sites are only recruited into the study if their usual care is not the use of the GRACE risk score tool.

This report also considers whether the CTRU conform to its own policies, processes and procedures.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the NHS Digital Data Sharing Remote Audit Guide version 1.

Audit type and scope

Audit type Routine
Scope areas

Information transfer
Access control
Data use and benefits
Risk management
Operational management and control
Data destruction

Restrictions Access Control - Limited visibility of physical controls


Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team will consider compliance, duty of care, confidentiality and integrity, as appropriate.

Data recipient’s acceptance statement

The CTRU has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

The CTRU will establish a corrective action plan to address each finding shown in the table below. NHS Digital will validate this plan and the resultant actions at a post audit review with the CTRU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.


The following table identifies the 2 agreement nonconformities, 1 observation, 6 opportunities for improvement and 1 point for follow-up raised as part of the audit.

Ref Finding Link to area Clause Designation
1 Data are being stored at locations not declared within the DSA. Information Transfer DSA, Annex A, Clause 2b Agreement nonconformity
2 Security assessments have not been performed on the infrastructure holding the data supplied by NHS Digital. Access Control DSFC, Schedule 2, Section A, Clause 1.1 Agreement nonconformity
3 The Data Access Request Service (DARS) has requested the CTRU to amend its DSA application by 31 August 2022. In addition to the areas specified by DARS, the DSA should also be updated to:
  • acknowledge remote processing locations where data is being processed on machines using locally installed applications
  • include specific details of the planned linkage between data supplied by NHS Digital and other datasets
  • amend the reference around the database.
Use and Benefits DSA, Annex A, Clauses 5 and 6 Observation
4 The CTRU should reconsider changing its current password settings to be in line with published guidance. Access Control


Opportunity for improvement
5 The CTRU should update its documentation to clarify the type of validation testing that is performed. Access Control   Opportunity for improvement

The CTRU should aim to achieve appropriate staff compliance with CTRU’s own data protection training within the next 12 months. The roll-out of the training had been impacted by the pandemic.

Note: Users working within the CTRU must complete UoL corporate general information security training, which includes data protection, on an annual basis.  This includes users with direct access to the data and it was confirmed all users with direct access to data have completed this UoL training within the past 12 months.

Operational Management   Opportunity for improvement
7 The CTRU should add document version control on the Data Protection Impact Assessment (DPIA). Also, the CTRU should add a section to the DPIA that allows it to be signed off by appropriate personnel. Operational Management   Opportunity for improvement
8 The CTRU should update the Terms of Reference for its Information Governance Committee meetings to include the frequency of the meetings. Minutes should also be taken in these meetings.  Operational Management   Opportunity for improvement
9 The CTRU should follow the UoL corporate risk management methodology, including the use of UoL templates for risk grading and associated risk register format. Currently, the CRTU is using its own risk management processes. Risk Management   Opportunity for improvement
10 At the post audit review, the Audit Team will review evidence of the new approach to managing technical controls around port control. Access Control   Follow-up

Use of data

The CTRU confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

The CTRU confirmed that processing and storage locations, including disaster recovery and backups, of the data were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

Organisation Territory of use
CTRU / UoL England / Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
UoL Disk 28 days
UoL (off-site Premises) Disk (Mirror of UoL) 28 days
UoL Tape 12 months

Good Practice

During the audit, the Audit Team noted the following area of good practice:

  • the CTRU was able to clearly demonstrate the value the data supplied under this DSA has had towards benefitting the provision of health and social care in England
  • the CTRU was able to demonstrate that rigorous risk assessments are undertaken for new clinical trials and projects
  • the CTRU has implemented and maintained working practices that were suggested in an earlier data sharing audit
  • the CTRU has taken a thorough approach to the destruction of data.


The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.

NHS Digital has prepared this audit report for its own purposes. As a result, NHS Digital does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS Digital does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 24 April 2022 4:35 pm