Skip to main content

NHS England Post Audit Review: Newcastle University – Mini Mitral Trial

This report provides the formal closure of the remote data sharing audit of Newcastle University Clinical Trials Unit (NCTU) between 27 January and 4 February 2025.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of Newcastle University Clinical Trials Unit (NCTU) between 27 January and 4 February 2025 against the requirements of:

  • the data sharing framework contract (DSFC): CON-313015-G5C8C
  • the data sharing framework contract (DSFC): CON-318044-Z5W4J
  • the data sharing agreement (DSA): DARS-NIC-361864-N8Pf1S-v1.2
  • the organisations’ own policies, processes and procedures

Details of the datasets received under this DSA can be found in the original report: NHS England Data Sharing Remote Audit: Newcastle University – Mini Mitral Trial - NHS England Digital

The joint controllers are South Tees Hospitals NHS Foundation Trust (South Tees Hospitals NHSFT) and University of Newcastle upon Tyne. The processors stated in the current agreement are; Oxford University Hospitals NHS Foundation Trust, The Royal Wolverhampton NHS Trust and University Hospitals Sussex NHS Foundation Trust, however as noted in the audit findings, these processors are no longer required and have therefore been removed from the updated version of the DSA.

This study, the UK Mini Mitral Trial, compares the 2 operations (sternotomy and mini thoracotomy) in 329 patients, to see how well they recover and return to normal activities. The trial's primary objective is to compare the 2 different types of surgery.

The interviews during the audit were conducted through video conferencing.  

Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.

Post Audit Review 

This post audit review comprised of a desk-based assessment of the action plan and supporting evidence supplied by NCTU between December 2025 and April 2026.

Post Audit Review Outcome 

Based on the evidence provided by NCTU, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and NCTU.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

The following table shows the risk assigned in the original audit, and the risk assigned in the post audit review.

Original risk statement: Medium

Current risk statement: Low

Data Recipient’s Acceptance Statement 

NCTU has reviewed this report and confirmed that it is accurate.

Findings

The following table identifies the 5 agreement nonconformities, 1 observation and 1 point for follow up raised as part of the original audit.

Ref Finding Link to area Update Designation Status
1 One person outside the territory of use stated within the DSA was provided with a process to access data provided by NHS England. However subsequent evidence during the audit confirmed that no such access had occurred, and access has been revoked. Access Control

Corrective action to revoke access was taken and evidenced during the original audit to confirm no access had taken place.

No access will be granted until authorised by The Data Access Service (DAS) and included within the new DSA.

Agreement nonconformity

 Closed
2 A limited number of staff had access to data provided by NHS England that no longer required the access. These were current substantive employees. The Audit Team found no evidence that anyone had accessed the data and furthermore that this access was revoked during the audit. Access Control Corrective action was taken during the audit to revoke access that was no longer required and appropriate preventive measures are being implemented within NCTU

Agreement nonconformity

 Closed
3. The Audit Team noted a lack of representation for some key roles which could significantly impact the operational management of information governance at the University Operational Management The Audit Team confirmed through evidence that actions have been taken to address the lack of resilience in Information Governance (IG) at the University. Evidence was provided to confirm that further Data Protection Officer (DPO) training has been provided to additional members of the Information Governance team to ensure that appropriate cover is now in in place in the absence of key IG staff.

Agreement nonconformity

 Closed
4.

The Audit Team noted the following issues relating to honorary contracts:

  1. An honorary contract between Newcastle University and a member of staff from Durham University was incomplete, with responsibilities for the conduct of that user in relation to the project not clearly defined.
  2. An honorary contract addendum between The University of Newcastle upon Tyne, South Tees Hospitals NHS Foundation Trust and The University of Durham was incomplete.
 Operational Management

This finding is no longer applicable as the original staff member is no longer working under an honorary contract and no longer has any involvement with data provided by NHS England.

The Audit Team were informed that a new honorary contract will be established with a replacement member of staff, and responsibilities for the conduct of the user will be clearly defined. Any new honorary contracts (plus addendum if necessary) will be reviewed by DAS as part of the data applications process.

 Agreement nonconformity No longer applicable
5. The Privacy Notice on the Mini Mitral website was out of date and referenced the incorrect Controllers as it referenced South Tees as the sole controller. NU were not mentioned as joint controller. Operational Management

The Audit Team confirmed that the original trial website privacy notice has been taken offline. A trial specific page is now available on the South Tees Hospitals Trust website. We confirmed that the joint controller status is now shown within the updated privacy notice. The updated privacy notice can be found at UK Mini Mitral - South Tees Hospitals NHS Foundation Trust.

 Agreement nonconformity Closed
6. Three data processors listed within the DSA are no longer required to be listed as data processors. Use and Benefits The Audit Team confirmed that a new Data Sharing Agreement is in the process of being updated and the three processors have been removed from the new version of the DSA. The new version of the DSA will be reviewed by DAS as part of the data applications process.

Observation

 Closed
7. As part of the post audit review, the Audit Team will review evidence of the security assessment due to be performed in July 2025. This will illustrate that the area being used to store data provided by NHS England was included within its scope and any findings were appropriately actioned Access Control

The Audit Team received evidence to confirm that the area being used to store data provided by NHS England was included within the scope of a security assessment performed in January 2026.

One finding was raised in relation to this area and the Newcastle University Cyber Security Team provided evidence to confirm that this has now been remediated.

Follow-up

 Closed

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 29 May 2026 1:55 pm