NHS England Data Sharing Remote Audit: Centre for Health Economics at the University of York
This report records the key findings of a remote data sharing audit of The Centre for Health Economics (CHE) at the University of York (UoY) between 6 – 10 October 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of The Centre for Health Economics (CHE) at the University of York (UoY) between 06 – 10 October 2025. It provides an evaluation of how CHE and its Processor conform to the requirements of:
- the data sharing framework contract (DSFC) CON-314909-S3P2M (Version 2.02)
- the data sharing agreement (DSA) DARS-NIC-667040-B5T1X-v0.12
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
|
Civil Registrations of Death - Secondary Care Cut |
Pseudo/Anonymised, Sensitive |
Historic Data Request |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Sensitive |
October 2017 to March 2018 Final Data 2018/19 - 2021/22 |
|
Hospital Episode Statistics Accident and Emergency (HES A and E) |
Pseudo/Anonymised, Non Sensitive | 2007/8 – 2021/22 |
|
Hospital Episode Statistics Critical Care (HES Critical Care) |
Pseudo/Anonymised, Non Sensitive | 2011/12 – 2021/22 |
|
Hospital Episode Statistics Outpatients (HES OP) |
Pseudo/Anonymised, Non Sensitive | 2003/4 – 2021/22 |
|
Mental Health and Learning Disabilities Data Set (MHLDDS) |
Pseudo/Anonymised, Sensitive | 2014/15 – 2015/16 |
|
Mental Health Minimum Data Set (MHMDS) |
Pseudo/Anonymised, Sensitive | 2011/12 - 2013/14 |
| Mental Health Services Data Set (MHSDS) | Pseudo/Anonymised, Sensitive |
2016/17 - 2020/21 |
|
Patient Reported Outcome Measures (Linkable to HES) |
Pseudo/Anonymised, Non Sensitive | 2009/10 – 2020/21 |
|
Civil Registrations of Death - Secondary Care Cut |
Pseudo/Anonymised, Sensitive | Latest Available |
|
Community Services Data Set (CSDS) |
Pseudo/Anonymised, Non Sensitive | 2015/16 – 2023/24 |
| Emergency Care Data Set (ECDS) | Pseudo/Anonymised, Sensitive | 2022/23 Q4 - 2026/27 Q2 |
|
Hospital Episode Statistics Admitted Patient Care (HES APC) |
Pseudo/Anonymised, Sensitive | 2022/23 Q4 - 2026/27 Q1 |
|
Hospital Episode Statistics Critical Care (HES Critical Care) |
Pseudo/Anonymised, Non Sensitive | 2023/24 - 2025/26 |
|
Hospital Episode Statistics Outpatients (HES OP) |
Pseudo/Anonymised, Non Sensitive | 2022/23 Q4 - 2026/27 Q1 |
| Improving Access to Psychological Therapies (IAPT) v1.5 | Pseudo/Anonymised, Sensitive | April 2012 - March 2022 |
| Improving Access to Psychological Therapies (IAPT) v2 | Pseudo/Anonymised, Non Sensitive | April 2021 - March 2025 |
|
Mental Health and Learning Disabilities Data Set (MHLDDS) |
Pseudo/Anonymised, Sensitive | 2014/15 - 2015/16 |
|
Mental Health Minimum Data Set (MHMDS) |
Pseudo/Anonymised, Sensitive | 2011/12 - 2023/24 |
|
Patient Reported Outcome Measures (Linkable to HES) |
Pseudo/Anonymised, Non Sensitive |
Historic Data Request Latest available |
The Controller is the UoY and the Processor is Amazon Web Services.
The CHE is a research department of UoY, dedicated to the study of the economics of health and health care. CHE produces policy relevant research and innovative methods that advance the use of health economics to improve population health. As the NHS continues to grapple with financial pressures, research carried out in CHE aims to support decisions about where and how increasingly limited budgets are spent.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Data Use and Benefits Access Control Data Destruction Operational Management and Control |
|
Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
CHE has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
CHE will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions will be followed up by the IG Risk and Assurance team at NHS England to confirm the findings have been satisfactorily addressed.
The Audit has identified 5 opportunities for improvement which are provided for reference only and will not be followed up.
Findings
The following table identifies the 2 agreement nonconformities and 3 follow-ups raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1 |
The DSA states that the Data Access Request Group (DARG) must use the terms of reference from September 2023 and must not implement any changes to these until approval in writing is received from NHS England. Changes to the terms of reference were made in July 2025 and, although NHS England were notified, there was no evidence of approval being received. | Operational Management | DSA Section 6 Special Conditions |
Agreement nonconformity |
| 2 | During the interviews CHE informed the Audit Team that security checks were scheduled to take place every 3 years. The last check was carried out in 2022. | Access Control | DSFC Schedule 2, Section A Clause 1.1 | Agreement nonconformity |
| 3 | The Audit Team were informed that there is an established firewall change management process in place. However, this process was not documented. Formal documentation should be developed. | Access Control | Follow-up | |
| 4 | CHE does not have a Quality Control Policy. Updated guidance or a Quality Control Policy should be developed to provide consistency of approach. | Operational Management | Follow-up | |
| 5 | A signed contract between the UoY and the disposal contractor is needed. It should clearly specify the responsibilities of both parties, as recommended by The Information Commissioner's Office guidance for IT asset destruction. | Data Destruction | Follow-up |
Opportunities for improvement
The following table identifies 5 opportunities for improvement which could help an organisation improve its controls or processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|---|---|---|
|
1 |
A process for identifying and managing dormant accounts would enhance security processes. It should be noted that no findings were raised in relation to the management of dormant accounts. | Access Control |
|
2 |
CHE should ask the University of York to consider implementing password throttling or other methods of increased password security to help prevent potential unauthorised access. |
Access Control |
| 3 | Although access logs are available and updated, file auditing is not turned on. CHE should advise the University of York of this opportunity for improvement. | Access Control |
| 4 | The Audit Team suggest that the starters and leavers process documents are revised to include guidance for movers to ensure consistency across teams. | Access Control |
| 5 | CHE should advise the University of York to include the serial numbers of destroyed equipment within the certificate of destruction provided by the third-party destruction company. | Data Destruction |
Use of data
CHE confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
CHE confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| UoY | UK & European Economic Area |
| Amazon Web Services | UK & European Economic Area |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| CHE at the UoY | Hard Disk Drive | 90 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 December 2025 3:26 pm