NHS England Data Sharing Audit: University of Liverpool – The Roy Castle Lung Cancer Research Programme
This report records the key findings of a remote data sharing audit of University of Liverpool (UoL) between 16 – 20 April 2026.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of University of Liverpool (UoL) between 16 – 20 April 2026. It provides an evaluation of how UoL conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-312559-T8H2T-v2.03
- the data sharing agreement (DSA) DARS-NIC-147982-J7KGV-v9.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Demographics | Identifiable, Sensitive | Latest available May 2025 |
| MRIS – Flagging Current Status Report | Identifiable, Sensitive | October 2007 – May 2019 |
| Hospital Episode Statistics (HES) Out-patients (HES OP) | Identifiable, Non-sensitive | 2003/04 – 2016/17 |
| MRIS – Cause of Death Report | Identifiable, Sensitive | October 2007 – October 2019 |
| HES Accident and Emergency (HES A and E) | Identifiable, Sensitive | 2007/08 – 2014/15 |
| NDRS Somatic Molecular Dataset | Anonymised, Sensitive | Latest available May 2025 |
| NDRS Cancer Registrations | Identifiable, Sensitive | Latest available May2025 |
| Cancer Registration Data | Identifiable, Sensitive | Latest available May 2025 |
| HES Admitted Patient Care (HES APC) | Identifiable, Non-sensitive | 1999/00 – 2018/19_M12 |
| NDRS Cancer Registration (pre 1995) | Anonymised/Pseudonymised, Sensitive | 1985 - 1994 |
| MRIS – Cohort Event Notification Report | Identifiable, Sensitive | October 2007 – October 2019 |
| Civil Registrations of Death | Identifiable, Sensitive | Latest available May2025 |
The Controller and Processor is UoL.
The UoL requires access to NHS England data for the purpose of the research project The Roy Castle Lung Cancer Research Programme’s Liverpool Lung Project (LLP). The LLP is one of the largest prospective lung cancer case-control and population cohort studies in Europe.
The primary objective of the LLP is to create risk models for lung cancer and identify risk models or 'biomarkers' that inform the risk of lung cancer, provide opportunities for early diagnosis, or give information on disease prognosis. The LLP achieves those objectives through a rolling portfolio of projects which are devised in response to publications and developments in science. It is an evolving process as knowledge and research practices develop (such as the integration of new analytical methodologies). The research agenda is ultimately determined by the chief investigator in conjunction with collaborative researchers at the UoL.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 5.
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Data Use and Benefits Operational Management and Control Data Destruction |
| Restrictions | None |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The UoL has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UoL will establish a corrective action plan to address each finding. The Audit Team will validate this plan and the resultant action will be followed up with UoL by the Information Governance Risk and Assurance team at NHS England to confirm the finding has been satisfactorily addressed.
The Audit has identified 1 opportunity for improvement which is provided for reference only and will not be followed up.
Findings
The following table identifies the 1 observation raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1 |
The UoL should update its data breach procedures to ensure that NHS England is immediately notified in accordance with the DSFC in the event an incident is either suspected or occurs. | Operational Management | DSFC, Part 2, Schedule 2, Section A, clause 4.1.8 |
Observation |
Opportunities for improvement
The following table identifies 1 opportunity for improvement which could help an organisation improve its controls or processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|---|---|---|
|
1. |
The information asset owner (IAO) should consider undertaking specialist role-based training. | Operational Management |
Use of data
UoL confirmed that the datasets were only being processed and used for the purposes defined in the DSA were not being linked with another dataset.
Data location
UoL confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA
| Organisation | Territory of Use |
|---|---|
| The UoL | England / Wales |
Backup Retention
The duration for which data may be retained on backup media is
| Organisation | Media Type | Period |
|---|---|---|
| UoL | Disk | 30 Days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 29 May 2026 1:39 pm