NHS England Data Sharing Remote Audit: Adelphi Group Limited
This report records the key findings of a remote data sharing audit of Adelphi Group Limited (Adelphi) between 24 to 28 February 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Adelphi Group Limited (Adelphi) between 24 to 28 February 2025. It provides an evaluation of how Adelphi and its Processor conform to the requirements of:
- the data sharing framework contracts (DSFC)
- CON-670898-F6X6H
- CON-290527-P5C0Y
- the data sharing agreements (DSA)
- DARS-NIC-655446-P9K9Q-v0.7
- DARS-NIC-682583-Z3V2H-v0.7
- the organisations’ own policies, processes and procedures
These DSAs cover the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| National Disease Registration Service (NDRS) Cancer Pathway* | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Cancer Registrations | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Linked Cancer Waiting Times (Treatments only) | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Linked Diagnostics Imaging Dataset | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Linked Hospital Episode Statistics (HES) Accident and Emergency | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Linked HES Admitted Patient Care | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Linked HES Outpatient | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS National Radiotherapy Dataset | Pseudonymised/ Non-sensitive | Latest Available |
| NDRS Systemic Anti-Cancer Therapy Dataset | Pseudonymised/ Non-sensitive | Latest Available |
*This dataset is only on DARS-NIC-682583-Z3V2H-v0.7
The joint Controllers are Adelphi and Merck Sharp and Dohme Limited (MSD); the Processor is Box.com (UK) Ltd (Box.com). Box.com do not have access to the data and only provide cloud hosting services. The interviews were limited to Adelphi. Each DSA covered the following:
- DARS-NIC-682583-Z3V2H-v0.7 provides access to NHS England (NHSE) data for the purpose of the following research project: A retrospective observational study of treatment patterns, resource use and outcomes in patients with early-stage Non-Small Cell Lung Cancer (NSCLC) in England.
- DARS-NIC-655446-P9K9Q-v0.7 provides access to National Disease Registration Service (NDRS) National Cancer Registration and Analysis Service (NCRAS) data for the purposes of the following project: A retrospective observational study of Patient Characteristics, treatment patterns and healthcare resource utilisation for stage II Melanoma in England.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Data Use and Benefits Access Control Information Transfer Operational Management & Control |
|
Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
Adelphi has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
Adelphi will establish a corrective action plan to address each finding shown in the table below. The Audit Team will validate this plan and the resultant actions will be followed up with Adelphi by the IG Risk and Assurance team at NHS England to confirm the findings have been satisfactorily addressed.
The Audit Team has identified 1 opportunity for improvement which is provided for reference only and will not be followed up.
Findings
The following table identifies 1 organisation nonconformity, 1 observation and 2 follow-up items that were raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
|
The Adelphi data flow diagram states that the data is held in the UK, however this conflicts with the DSA where the territory of use is England and Wales. This applies to both DSAs |
Information Transfer |
DSA, Annex A, Section 5c |
Organisation nonconformity |
|
|
The research outputs agreed in the DSA have changed from what was initially stated in the DSA. Adelphi have produced a presentation and output spreadsheet; however, a report is no longer planned. This applies to DSA NIC-655446-P9K9Q-v0.7. |
Use and Benefits |
DSA, Annex A, Section 5c
|
Observation |
|
|
Adelphi have not produced an output report that was expected by quarter 2 2024 as stated in the DSA. The DSA will need to be updated. This applies to DSA NIC-682583-Z3V2H-v0.7es. |
Use and Benefits | DSA, Annex A, Section 5c | Follow-up |
|
|
The DSA needs to be reviewed and updated to ensure there is no ambiguity regarding end user devices and how they are permitted to process data. This applies to both DSAs |
Access Control |
DSA, Annex A, Section 5b |
Follow-up |
Opportunities for improvement
The following table identifies 1 opportunity for improvement which could help an organisation improve its controls and processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|---|---|---|
|
1. |
Adelphi should remind staff that any outputs should contain an acknowledgement to NHS England as being the source of the data.. |
Use and Benefits |
Use of data
Adelphi confirmed that the datasets were only being processed and used for the purposes defined in the DSAs and were only being linked with those datasets explicitly allowed in the DSAs.
Data location
Adelphi confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in the DSA.
| Organisation | Territory of Use |
|---|---|
| Adelphi | England/Wales |
|
Box.com |
England/Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Box.com |
Cloud |
6 months |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 October 2025 2:37 pm