NHS England Data Sharing Remote Audit: University of Cambridge EPIC
This report records the key findings of a remote data sharing audit of the University of Cambridge (UoC) between 28 April and 2 May 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the University of Cambridge (UoC) between 28 April and 2 May 2025. It provides an evaluation of how UoC and its Processor conform to the requirements of:
- the data sharing framework contract (DSFC) CON-321529-Q1B0S-v 2.02
- the data sharing agreement (DSA) DARS-NIC-321968-S4Q6L-v7.7
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
MRIS-Cause of Death Report |
Identifiable, Sensitive |
|
|
MRIS-Flagging Current Status Report |
Identifiable, Sensitive |
|
|
HES-ID to MPS-ID Admitted Patient Care |
Identifiable, Non-sensitive |
1997/98 – 2020/21 |
|
Mental Health Minimum Data Set (MHMDS) |
Identifiable, Non-sensitive |
2006/07 – 2013/14 |
|
Mental Health Services Data Set (MHSDS) |
Identifiable, Sensitive |
2016/17 – 2023/24 |
|
HES-ID to MPS-ID HES Outpatients |
Anonymised, Non-sensitive |
2016/17 – 2023/24 |
|
Civil Registrations of Death |
Identifiable, Sensitive |
Latest Available |
|
Demographics |
Identifiable, Sensitive |
Latest Available |
|
Mental Health and Learning Disabilities Data Set (MHLDDS) |
Identifiable, Sensitive |
2014/15 – 2015/16 |
|
Cancer Registration Data |
Identifiable, Sensitive |
Latest Available |
|
Hospital Episode Statistics Outpatients (HES OP) |
Identifiable, Non-sensitive |
2003/04 – 2025/26 |
|
MRIS – Members and Postings Report |
Identifiable, Sensitive |
|
|
MRIS – Cohort Event Notification Report |
Identifiable, Sensitive |
|
|
HES Admitted Patient Care (HES APC) |
Identifiable, Non-sensitive |
2000/01 – 2025/26 |
| National Diabetes Audit | Identifiable, Sensitive | 2003/04 – 2025/26 |
UoC is the Controller.
The European Prospective Investigation into Cancer (EPIC) Norfolk study is a long-standing research project that was established to examine the relationship between lifestyle (in particular, diet and physical activity), biological factors and health outcomes.
The study recruited men and women aged 49 – 79 years of age between 1993 and 1998 from 35 participating general practices in Norfolk.
The participants have continued to provide follow up data and attend additional health checks for over 30 years.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
|
Audit type |
Focused |
|
Scope areas |
Information Transfer Access Control Data Use and Benefits, including sub-licencing Risk Management Operational Management and Control Data Destruction |
|
Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The UoC has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The UoC will establish a corrective action plan to address the finding shown in the table in section 2. The Audit Team will validate this plan and the resultant action will be followed up with UoC by the IG Risk and Assurance Team at NHS England, to confirm the finding has been satisfactorily addressed.
The Audit Team has identified 4 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following table identifies the 1 organisation nonconformity raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
|
Security assessments have not been performed. | Access Control | System Management Policy, Section G |
Organisation nonconformity |
Opportunities for improvement
The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|
1 |
The UoC should consider specialist training for Information Asset Owners (IAO) and Information Asset Administrators (IAA). | Operational Management |
|
2 |
The UoC should consider creating a Record of Processing Activities (ROPA) at the Medical School Level. |
Operational Management |
| 3 | The UoC should consider documenting the procedure for deleting sensitive (electronic) data. | Data Destruction |
| 4 | The UoC should consider updating the publication template to reflect the source of the data supplied by NHS England in outputs produced. | Use and Benefits |
Use of data
The UoC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
UoC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA
| Organisation | Territory of Use |
|---|---|
|
UoC |
England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
|
UoC |
Disk |
30 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 3 July 2025 3:31 pm