NHS England Data Sharing Remote Audit: ICNARC
This report records the key findings of a remote data sharing audit of the Intensive Care National Audit and Research Centre (ICNARC) held between 4 and 8 August 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Intensive Care National Audit and Research Centre (ICNARC) held between 04 and 08 August 2025. It provides an evaluation of how ICNARC and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-303700-Q1B6H-v2.03
- the data sharing agreement (DSA) DARS-NIC-379807-P3R7Z-v7.4
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Civil Registration (Deaths) bridge | Pseudonymised/Anonymised, Non-sensitive | Latest Available 11/2022 |
| Civil Registrations of Death – Secondary Care Cut | Pseudonymised/Anonymised, Sensitive | 1 April 2009 - 31 March 2015 |
| Hospital Episode Statistics Admitted Patient Care | Pseudonymised/Anonymised, Non-sensitive |
2004/5, 2005/6, 2006/7, 2007/8, 2008/9, 2009/10, 2010/11, 2011/12, 2012/13, 2013/14, 2014/15, 2015/16 |
| National Diabetes Audit | Pseudonymised/Anonymised |
April 2008 - March 2009 |
The Controller is ICNARC and the Processors are Babble Cloud Limited and Exponential-e Ltd.
The following is a summary of the aims of the research project provided by ICNARC:
Sophisticated and accurate risk prediction models are key in underpinning fair comparisons amongst health care providers. They can also enable risk-adjusted observational research and risk stratification in randomised controlled trials.
The underlying study follows a previous study conducted by ICNARC, entitled 'Ensuring comparisons of healthcare providers are fair: risk modelling for quality improvement in the critically ill', that addressed risk prediction modelling in three clinical areas:
- Adult general critical care
- Adult cardiothoracic critical care; and
- In-hospital cardiac arrest
Increased understanding of these areas using data linkage with other routinely collected data sources may lead to improvements in the risk models used to underpin national clinical audits in the clinical areas listed above.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
|
Audit type |
Routine |
|---|---|
|
Scope areas |
Information Transfer Access Control Data Use and Benefits Risk Management Operational Management and Control Data Destruction |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
ICNARC has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
ICNARC will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions will be followed up with ICNARC by the IG Risk and Assurance team at NHS England to confirm the finding has been satisfactorily addressed.
The Audit has identified 7 opportunities for improvement which are provided for reference only and will not be followed up.
Findings
The following table identifies the 1 Observation raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1. |
For the PHD student working under the arrangements of an honorary contract, a completed training record for IG awareness was not available. A record of Data Security training undertaken has been provided to the Audit team. | Operational Management |
DSA - Section 5, Honorary Contract |
Observation |
Opportunities for improvement
The following table identifies 7 opportunities for improvement which could help an organisation improve its controls and processes.
|
Ref |
Opportunities for improvement |
Link to area |
|---|---|---|
|
1. |
Review the method for recording NHS England as the source of the data for any future publications. | Use and Benefits |
| 2. | Undertake a check to ensure that the two named processors for the Data Sharing Agreement have full visibility of the Data Sharing Agreement and the Data Sharing Contract. | Use and Benefits |
| 3. | Introduce an internal peer review/quality assurance process for the named individual working under an honorary contract. | Use and Benefits |
| 4. | Develop a risk-based internal audit plan. | Operational Management |
| 5. | Review the approach for policy documents, to standardise the method for capturing information relating to review dates and approval. | Operational Management |
| 6. | Document a process for reviewing dormant accounts at an agreed frequency. | Access Control |
| 7. | Document a process for reviewing privileged accounts at an agreed frequency. | Access Control |
Use of data
ICNARC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
ICNARC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| ICNARC | England / Wales |
Backup Retention
| Organisation | Media Type | Period |
|---|---|---|
| Exponential-e-Ltd | Cloud | 90 Days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 October 2025 3:08 pm