NHS England Data Access Audit: Evidera Ltd
This report records the key findings of a remote data access audit of Evidera Ltd between 2 and 6 June 2025.
Audit summary
Purpose
This report records the key findings of a remote data access audit of Evidera Ltd between 2 and 6 June 2025. It provides an evaluation of how Evidera Ltd conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-313304-M4K1F-v2.03
- the data sharing agreement (DSA) DARS-NIC-561357-X0F3N-v3.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Civil Registrations of Death |
Pseudonymised, Sensitive |
Latest Available |
|
COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) |
Pseudonymised, Sensitive | Jan 2019 – Aug 2023 |
|
COVID-19 SGSS First Positives (Second Generation Surveillance System) |
Pseudonymised, Sensitive | April 2020 to February 2024 |
|
COVID-19 Vaccination Status |
Pseudonymised, Non-sensitive | Latest Available |
|
Hospital Episode Statistics Accident and Emergency (HES A and E) |
Pseudonymised, Non-sensitive | 2019/20 |
|
HES Admitted Patient Care (HES APC) |
Pseudonymised, Non-sensitive | 2021/22 – 2025/26 M06 |
|
HES Critical Care (HES CC) |
Pseudonymised, Non-sensitive | 2021/22 – 2025/26 M06 |
|
HES Outpatients (HES OP) |
Pseudonymised, Non-sensitive | 2021/22 – 2025/26 M06 |
|
Medicines dispensed in Primary Care (NHSBSA) |
Pseudonymised, Non-sensitive | Latest Available |
|
NDRS Cancer Consolidated Data Set |
Non-sensitive | Latest Available |
|
Uncurated Low Latency Hospital Data Sets – Admitted Patient Care |
Pseudonymised, Non-sensitive | Latest Available |
|
Uncurated Low Latency Hospital Data Sets – Critical Care |
Pseudonymised, Non-sensitive | Latest Available |
|
Uncurated Low Latency Hospital Data Sets – Emergency Care |
Pseudonymised, Non-sensitive | Latest Available |
|
Uncurated Low Latency Hospital Data Sets – Outpatient |
Pseudonymised, Non-sensitive | Latest Available |
The Controller is AstraZeneca UK Ltd and the Processor is Evidera Ltd.
AstraZeneca UK Ltd requires access to NHS England data to generate the evidence necessary to understand the unmet need in the preventions and treatment of COVID-19 following the deployment of vaccination campaigns.
Although COVID-19 is declining following the rollout of vaccination, certain populations like immunocompromised and elderly are still disproportionately impacted. This study continues to provide key contemporary evidence on the burden of COVID-19 in high risk populations. Furthermore, this continues to inform the assessment and usage guidance of new generations of COVID-19 prophylaxis and treatments.
AstraZeneca UK Ltd is the sponsor and the controller organisation responsible for ensuring the data will be processed for the purpose described in the DSA.
Evidera Ltd has been contracted by AstraZeneca UK Ltd to conduct this piece of research, acting as the sole data processor, Evidera Ltd will be the only entity to process the data. Data is held within the Secure Data Environment (SDE).
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Access Control - focused on SDE specific access controls with broader access controls excluded. Data Use and Benefits Risk Management Operational Management and Control |
|
Restrictions |
Access Control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
AstraZeneca UK Ltd and Evidera Ltd have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
AstraZeneca UK Ltd will establish a corrective action plan to address the finding shown in the table below. The Audit Team will validate this plan and the resultant actions will be followed up with AstraZeneca UK Ltd by the IG Risk and Assurance team at NHS England to confirm the finding has been satisfactorily addressed.
The Audit Team has identified 4 opportunities for improvement which are provided for reference only and will not be followed up.
Findings
The following table identifies the 1 agreement nonconformity raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1. |
Users from Evidera Ltd have accessed the SDE and requested outputs after the SDE contract expired on 31 March 2025. | Access Control | DSFC, Schedule 5 |
Agreement nonconformity |
Opportunities for improvement
The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|---|---|---|
|
1. |
Evidera Ltd should consider updating future publications to reflect the source of the data supplied by NHS England. |
Use and Benefits |
| 2. | Evidera Ltd should consider creating an internal approval process to grant access to the SDE. | Access Control |
| 3. | Evidera Ltd should consider creating a Record of Processing Activities (ROPA) at project level. | Operational Management |
| 4. | Evidera Ltd should consider creating a regular review process of user access to the SDE. | Access Control |
Use of data
AstraZeneca UK Ltd and Evidera Ltd confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 October 2025 2:23 pm