NHS England Data Sharing Remote Audit: IQVIA Ltd
This report records the key findings of a remote data sharing audit of IQVIA Ltd between 7 and 11 July 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of IQVIA Ltd between 7 and 11 July 2025. It provides an evaluation of how IQVIA Ltd conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-290392-M1B6L (Version 2.02)
- the data sharing agreement (DSA) DARS-NIC-373563-N8Z9J-v14.5
-
the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Civil Registrations of Death - Secondary Care Cut | Pseudonymised, Sensitive | Latest Available 12/2023 |
| Emergency Care Data Set (ECDS) | Pseudonymised, Non Sensitive |
2020/21 - 2021/22 |
| HES Civil Registration (Deaths) bridge | Pseudonymised, Non Sensitive | Latest Available 03/2021 |
| HES-ID to MPS ID HES Accident and Emergency | Pseudonymised, Non Sensitive |
2016/17 - 2018/19 |
| ES-ID to MPS ID HES Admitted Patient Care | Pseudonymised, Non Sensitive |
2016/17 - 2019/20 |
| ES-ID to MPS ID HES Outpatients | Pseudonymised, Non Sensitive |
2016/17 – 2019/20 |
| Hospital Episode Statistics Admitted Patient Care (HES APC) | Pseudonymised, Non Sensitive |
2020/21 - 2023/24 2023/24_M06 – M13 2024/25_M02 – M05 |
| Hospital Episode Statistics Outpatients (HES OP) | Pseudonymised, Non Sensitive |
Apr 18 - Mar 21 |
The Controller and Processor is IQVIA Ltd.
IQVIA Ltd requires access to NHS England data for the purpose of providing commercial services to clients in the health sector or clients that support the Health Sector.
IQVIA Ltd is a commercial company which generates profit from providing services and solutions, including analysis, interpretation and reports, to its customers. Those analyses, interpretations and reports assist such customers in supporting the understanding of care pathways, delivering clarity to hospitals on their use of medicines, enabling the development of diagnostic algorithms, enabling patients to be recruited to trials, and supporting healthcare commissioners and providers in achieving exceptional Data quality. These services can enable the development of health economic models that evaluate care delivery in relation to outcomes achieved for the patient and in so doing, help advance and benefit healthcare in a variety of different ways.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
|
Audit type |
Routine |
|---|---|
|
Scope areas |
Information Transfer Access Control Data Use and Benefits, including sub-licencing Risk Management Operational Management and Control Data Destruction |
|
Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
IQVIA Ltd has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
IQVIA Ltd will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions will be followed up by the IG Risk and Assurance team at NHS England to confirm the findings have been satisfactorily addressed.
The Audit Team has identified 5 opportunities for improvement which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following table identifies the 2 agreement nonconformities and 1 organisation nonconformity raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1. |
The DSA states that usage of data visualisation and benchmarking software tools is auditable and supported by role-based access controls. However, audit records for activity prior to June 2025 were not available for review, meaning full auditability of software tool usage could not be demonstrated. | Access Control |
DSA - Section 5b. Processing Activities |
Agreement nonconformity |
| 2. | The DSA states that the use and benefits of the data are discussed in bi-annual meetings with a Patient Data Advisory Group. However, a standalone record of agreed benefits was not evidenced in the meeting minutes reviewed during the audit, nor within the group’s terms of reference. | Operational Management | DSA – Section 5a. Objective for processing | Agreement nonconformity |
| 3. | The document ENCL005 Downloading HES Data SOP Version 1 needs updating so that it accurately reflects who is nominated to download NHS England data from Secure Electronic File Transfer (SEFT). | Access Control |
|
Organisation nonconformity |
Opportunities for improvement
The following table identifies 5 opportunity opportunities for improvement which could help an organisation improve its controls or processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|---|---|---|
|
1. |
IQVIA Ltd should consider updating their Record of Processing Activities (ROPA) to reflect current practice and fill in any gaps or queries. | Operational Management |
|
2. |
IQVIA Ltd should consider conducting regular assurance checks to ensure that end users are using the data for the purposes set out in their application. |
Use and Benefits |
| 3. |
IQVIA Ltd should consider creating a summary page of all projects linked to this DSA so that the summaries and associated benefits can be found more easily. |
Use and Benefits |
| 4. | Although new requests are formally reviewed, IQVIA Ltd should consider formally minuting the decision-making process and risk assessment for all new requests. | Operational Management |
| 5. | IQVIA should consider reviewing the uses of the data at the next renewal. | Use and Benefits |
Use of data
IQVIA Ltd confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
IQVIA Ltd confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in the DSA.
| Organisation | Territory of Use |
|---|---|
| IQVIA Ltd | England and Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| IQVIA Ltd | Disk | 90 Days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 23 December 2025 10:43 am