
NHS England Data Sharing Remote Audit: Newcastle University – Mini Mitral Trial

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of the Newcastle University Clinical Trials Unit (NCTU) between 27 January and 4 February 2025. It provides an evaluation of how NCTU and its Processors conform to the requirements of:

  • the data sharing framework contract (DSFC): CON-313015-G5C8C
  • the data sharing framework contract (DSFC): CON-318044-Z5W4J
  • the data sharing agreement (DSA): DARS-NIC-361864-N8Pf1S-v1.2
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets: 

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Civil Registrations of Death | Identifiable, Sensitive | 2019/20 – 2024/25 |
| Emergency Care Data Set (ECDS) | Identifiable, Non Sensitive | 2019/20 – 2024/25 |
| Hospital Episode Statistics Accident and Emergency (HES A&E) | Identifiable, Non Sensitive | 2016/17 – 2019/20 |
| Hospital Episode Statistics Admitted Patient Care (APC) | Identifiable, Non Sensitive | 2016/17 – 2023/24 |
| Hospital Episode Statistics Outpatients (HES OP) | Identifiable, Non Sensitive | 2016/17 – 2023/24 |

The Joint Controllers are South Tees Hospital NHS Foundation Trust (South Tees Hospital NHSFT) and University of Newcastle upon Tyne. The Processors are Oxford University Hospitals NHS Foundation Trust, The Royal Wolverhampton NHS Trust and University Hospitals Sussex NHS Foundation Trust.

This study, the UK Mini Mitral Trial, compares the two operations (sternotomy and mini thoracotomy) in 329 patients, to see how well they recover and return to normal activities. The trial's primary objective is to compare the two different types of surgery.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.


Audit type and scope

Audit type: Focused

Scope areas:

  • Data Use and Benefits, including sub-licencing
  • Information Transfer
  • Access Control
  • Operational Management and Control

Restrictions: Access control - limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

Newcastle University (NU), NCTU and South Tees Hospital NHSFT have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

NU, NCTU and South Tees Hospital NHSFT will establish a corrective action plan to address each finding shown in the findings tables in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with NCTU to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

The Audit Team has identified 4 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.


Findings

The following table identifies the 5 agreement nonconformities, 1 observation and 1 point for follow up raised as part of the audit.

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | One person outside the territory of use stated within the DSA was provided with a process to access data provided by NHS England. However, subsequent evidence during the audit confirmed that no such access had occurred, and access has been revoked. | Access Control | DSA, Annex A, Section 2c | Agreement nonconformity |
| 2 | A limited number of staff who no longer required access still had access to data provided by NHS England. These were current substantive employees. The Audit Team found no evidence that anyone had accessed the data, and this access was revoked during the audit. | Access Control | DSFC, Schedule 2, Section A, Clause 4.1 | Agreement nonconformity |
| 3 | The Audit Team noted a lack of representation for some key roles which could significantly impact the operational management of information governance at the University. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 4 | The Audit Team noted the following issues relating to honorary contracts: • An honorary contract between NU and a member of staff from Durham University was incomplete, with responsibilities for the conduct of that user in relation to the project not clearly defined. • An honorary contract addendum between The University of Newcastle upon Tyne, South Tees Hospitals NHS Foundation Trust and The University of Durham was incomplete. | Operational Management | DSA Schedule 1, Annex A, Section 5a | Agreement nonconformity |
| 5 | The Privacy Notice on the Mini Mitral website was out of date and referenced the incorrect Controllers, as it referenced South Tees as the sole controller. NU were not mentioned as joint controller. | Operational Management | DSA Schedule 1, Annex A, Section 4 | Agreement nonconformity |
| 6 | Three data processors listed within the DSA are no longer required to be listed as data processors. | Use and Benefits | DSA Schedule 1, Annex A, Section 1c | Observation |
| 7 | As part of the post audit review, the Audit Team will review evidence of the security assessment due to be performed in July 2025. This will illustrate that the area being used to store data provided by NHS England was included within its scope and any findings were appropriately actioned. | Access Control | | Follow-up |

Opportunities for improvement

The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes.

| Ref | Opportunities for improvement | Link to area |
|---|---|---|
| 1 | NU to consider updating the Information Asset Register to include Information Asset Administrators (IAA), deletion dates and a notes section that identifies the need to inform NHS England should any data breach occur. | Operational Management |
| 2 | NU to consider documenting a centralised backup policy. It should be noted that no findings were raised in relation to backup processes. | Information Transfer |
| 3 | NU to consider documenting an encryption policy. It should be noted that no findings were raised in relation to encryption processes. | Information Transfer |
| 4 | NCTU to consider updating the data breach processes described in the NCTU information governance policy to specifically reference NHS England. | Operational Management |

Use of data

NCTU confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.

Data location

NCTU confirmed that access to the data processing locations of the datasets was not limited to the location shown in the following table. See finding 1 in the table above for more information.

| Organisation | Territory of Use |
|---|---|
| NCTU | England and Wales |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| NCTU | Disk | 90 days |


Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed. 

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 4 July 2025 3:45 pm