NHS Digital Post Audit Review: University of Aberdeen

This report provides the formal closure of the remote data sharing audit of the University of Aberdeen in April 2021 

Audit summary

This report provides the formal closure of the remote data sharing audit of the University of Aberdeen (UoA) between 19 and 23 April 2021 against the requirements of both:

  • the data sharing framework contract (DSFC) CON-313306-V2W6S
  • the data sharing agreement (DSA) DARS-NIC-322051-S8N9N-v2.4

This DSA covers the provision of the following datasets:

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2007/08 – 2010/11 |
| Medical Research Information Service (MRIS) – Flagging Current Status Report | Identifiable, Sensitive | October 2004 – June 2017 |
| MRIS - Cohort Event Notification Report | Identifiable, Sensitive | October 2004 – June 2017 |
| HES – Admitted Patient Care | Identifiable, Non-sensitive | 2011/12 – 2019/20 |
| Demographics | Identifiable, Sensitive | Latest available release |


The UoA and the University of Oxford (UoO) are joint Controllers.

Further guidance on the terms used in this post audit review report can be found in version 1 of the NHS Digital Data Sharing Remote Audit Guide. 

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by the UoA in December 2021. 

Post audit review outcome

Based on the evidence provided by the UoA, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the UoA.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low

Data recipient’s acceptance statement

The UoA has reviewed this report and confirmed that it is accurate. 


The following table identifies the 2 agreement nonconformities, 5 opportunities for improvement and 1 point for follow-up raised as part of the original audit. 

| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Data is being stored at locations not declared on the DSA. Both locations were UoA buildings. | Information Transfer | The UoA supplied the details of the two storage locations to the Data Access Request Service (DARS) team on 21 June 2021. The details have also been included in an ongoing application. | Agreement nonconformity | Closed |
| 2 | 2 individuals with access to the data supplied by NHS Digital have not completed their annual Information Governance training. | Operational Management | The UoA confirmed that the 2 individuals have completed data protection training. The Audit Team were supplied with the training certificates for the 2 individuals showing the training was completed in May and June 2021. | Agreement nonconformity | Closed |
| 3 | The Controllers should either complete a Data Protection Impact Assessment (DPIA) or document the rationale for not completing a DPIA. | Operational Management | The Controllers have jointly completed a DPIA screening questionnaire. The Controllers have concluded that a full DPIA is not required. A signed copy of the questionnaire was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 4 | The UoA should consider completing a Record of Processing Activities (ROPA) for the data provided, as recommended in the Information Commissioner’s Office (ICO) Accountability Framework. | Operational Management | The UoA has completed a ROPA and a high-level extract of the ROPA was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 5 | The UoA should log all requests to add or remove user access to NHS Digital data via the Service Desk tool, rather than relying on email trails in personal mailboxes. | Access Control | The UoA are now using the Service Desk tool to log requests to add and remove a user’s access. An example of a request and the audit trail to support the request was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 6 | The System Level Security Policy (SLSP) should include document version control and be reviewed annually, or whenever a change is made to the system. | Operational Management | The SLSP was updated and approved in June 2021. The next review date is June 2022. Document control is now managed through the University’s Q-Pulse system. Screenshots of the SLSP version 5.0, which support the above statement, were supplied to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The Audit Team suggested that all appropriate teams within the UoA review any new DSFC and DSA to ensure that the parties are fully aware of their responsibilities and are fully compliant. | Operational Management | The UoA has produced a Research and Innovation Working Procedure for Managing NHS Digital Agreements. This procedure outlines details of the DSA and DSFC review process by internal stakeholders. A copy of the procedure, Version 1, was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 8 | At the post audit review, the Audit Team will review the University’s revised approach to risk management, regarding updates to the corporate risk register and the associated risk criteria. | Risk Management | The UoA has developed a new University Risk Management Framework and a new supporting Risk Register Template. These documents will allow a consistent approach to risk management across the University. Minutes from a meeting held on the 29 June 2021 to support the approval of the framework and the template were made available to the Audit Team. | Follow-up | Closed |



NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 14 February 2022 11:43 am