
NHS England Data Sharing Remote Audit: MAC Clinical Research Finance Ltd (MAC Clinical)

This report records the key findings of a remote data sharing audit of MAC Clinical Research Finance Ltd (MAC Clinical) between 18 to 22 August 2025.

Audit summary

Purpose

This report provides an evaluation of how MAC Clinical and its Processor conform to the requirements of: 

  • the data sharing framework contract (DSFC) - CON-356840-V2R0L 

  • the data sharing agreement (DSA) - DARS-NIC-356980-Z5B9G-v0.22 

  • the organisation’s own policies, processes and procedures 

This DSA covers the provision of the following datasets: 

Dataset  Classification of data  Dataset period
Emergency Care Data Set (ECDS)  Identifiable, Sensitive  2019/20 – 2025/26
Hospital Episode Statistics Accident and Emergency (HES A and E)  Identifiable, Sensitive  2010/11 – 2019/20
Hospital Episode Statistics Admitted Patient Care (HES APC)  Identifiable, Sensitive  2010/11 – 2025/26
Hospital Episode Statistics Outpatients (HES OP)  Identifiable, Sensitive  2010/11 – 2025/26

The Controller is MAC Clinical and the Processor is Microsoft Limited. Microsoft Limited does not have access to the data and only provides cloud hosting services. 

MAC Clinical is a trading arm of its parent company, MAC Research Ltd. MAC Research Ltd is a Contract Research Organisation (CRO) dedicated to accelerating clinical trials to develop new and improved treatments for patients. Members of the UK public register with MAC Clinical Research Finance Ltd to join MAC Clinical's Volunteer Database. MAC Clinical accesses NHSE data to screen volunteers for eligibility to be invited onto a specific clinical trial, based on the trial sponsor's eligibility criteria. 

Volunteers give informed consent for MAC Clinical to access their health data for this purpose, or consent is provided on their behalf by a parent or legal representative ('consultee'). Volunteers give informed consent at up to three stages of their journey to participate in a clinical trial. The scope of this Data Sharing Agreement is the 'Consent to disclose' stage only: 

Consent to disclose – the stage at which an individual consents to their personal identifiers being sent to NHS England to link to and obtain their medical history. This consent process is the only stage within the scope of this Data Sharing Agreement. 

The objective for processing is to improve the quality and efficiency in matching volunteers in the MAC Clinical Envision volunteer database to suitable clinical trials, supporting UK volunteers to access suitable clinical trials whilst maintaining volunteer safety and wellbeing by ensuring that assessments are based on comprehensive healthcare information. 

The interviews during the audit were conducted through video conferencing.  

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4. 

Audit type and scope 

Audit type 

Routine

Scope areas 

Information Transfer 

Access Control 

Data Use and Benefits, including sub-licencing 

Risk Management 

Operational Management and Control 

Data Destruction 

Restrictions 

Access control - limited visibility of physical controls 

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate. 


Data recipient’s acceptance statement

MAC Clinical has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

MAC Clinical will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions at a post audit review with MAC Clinical to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings. 

The Audit Team has identified 4 opportunities for improvement which are provided for reference only and will not be followed up as part of any post audit review.  


Findings

The following table identifies the 3 agreement nonconformities, 1 observation, and 3 points for follow-up raised as part of the audit. 

1. MAC Clinical are using a processor that is not declared within the current DSA. 

  • MAC Clinical currently provide administration access to a third party, Tailored 4D Development, a UK based development company who help configure the Envision database. MAC Clinical should contact the Data Access Service (DAS) and ensure the DSA is updated to reference Tailored 4D Development. 

  • Whilst a consultancy agreement is in place with Tailored 4D Development, a Data Processing Agreement (DPA) should be created to support this relationship. 

  • The consultancy agreement between MAC Clinical and Tailored 4D Development should be reviewed to ensure it still provides the terms required. The version supplied dates from 2016 with no indication of any update since, and the accompanying IT Contractors Professional Risk Combined Certificate expired in 2017. 

Link to area: Access Control 
Clause: DSA, Annex A, Section 1c; DSFC Part 2, Section 4.1.4; DSFC, Schedule 3, General Data Protection Regulation (GDPR) 
Designation: Agreement nonconformity 

2. Security assessments have not been performed recently. A further test is due to be undertaken in 2025, with outputs and action plans to be shared with the audit team. 

Link to area: Access Control 
Clause: DSFC Schedule 2, Section A Para 1.1 
Designation: Agreement nonconformity 

3. Administration groups have been provided access to the folder holding the NHSE data. A review of these groups should be undertaken to ensure access is still required. 

Link to area: Access Control 
Clause: DSFC Schedule 2, Section A Para 4.1 
Designation: Agreement nonconformity 

4. Redundant disks are held for an unspecified period with a third party that has not been declared on the DSA. Currently these disks do not hold any NHSE data; however, in future they could. MAC Clinical should ensure that this third party company is listed as a processor within the DSA. 

Link to area: Data Destruction 
Clause: DSA Section 1c 
Designation: Observation 

5. MAC Clinical are planning to implement technical changes to the Envision system. At the post audit review, the audit team will review progress with the planned changes, especially for role-based user access. 

Link to area: Access Control 
Designation: Follow-up 

6. MAC Clinical are planning to undertake an audit of the Envision system in late 2025. Outcomes and action plans are to be shared with the audit team during the post audit review. 

Link to area: Operational Management 
Designation: Follow-up 

7. MAC Clinical indicated that, at the time of the audit, no evidence was available for any participant withdrawals. As part of the post audit review the audit team will review any new evidence, if available, around the withdrawal of participants. 

Link to area: Use and Benefits 
Designation: Follow-up 

Opportunities for improvement

The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes. MAC Clinical may want to consider: 

Ref  Opportunity for improvement  Link to area

1. Reviewing the password security settings on the organisation's Active Directory.  Access Control 

2. Ensuring that a check of administration accounts is undertaken, as a minimum, every 12 months.  Access Control 

3. Creating a more comprehensive guide for staff needing to reset a network password.  Access Control 

4. Adopting a review of the expiry of fixed term accounts (FTAs) to ensure any users on these contracts have their access revoked immediately on expiry.  Access Control 

Use of data

MAC Clinical confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.  

Data location

MAC Clinical confirmed that the processing and storage locations of the datasets, including disaster recovery and backups, were limited to the locations shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.

Organisation Territory of Use
MAC Clinical  England and Wales
Microsoft Ltd  England and Wales

Backup retention

The duration for which data may be retained on backup media is:

Organisation Media type Period
Microsoft Ltd  Cloud 28 Days

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed. 

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 5 December 2025 4:03 pm