NHS England Data Sharing Remote Audit: NHS South-East London Integrated Care Board (SEL ICB)

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of NHS South-East London Integrated Care Board (SEL ICB) between 8 and 22 September 2025. It provides an evaluation of how SEL ICB and its Processors conform to the requirements of:

  • the data sharing framework contract (DSFC) CON-739910-L4J3M
  • the data sharing agreement (DSA) DARS-NIC-615981-K2W5D-v4.3
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following datasets: 

| Dataset | Classification of data | Dataset period |
|---|---|---|
| Commissioning Datasets | Anonymised/Pseudonymised/Sensitive | 1 April 2008 - Latest available |
| Invoice Validation Datasets | Identifiable, Sensitive | 1 April 2013 - Latest available |

The Controller is SEL ICB, and the Processors are Liaison Financial Services Ltd, NHS North Central London Integrated Care Board (ICB), NHS North-East London ICB, NHS North of England Commissioning Support Unit, NHS North-West London ICB, NHS South West London ICB, Snowflake Computing UK Limited (Snowflake) and Microsoft Limited. Microsoft Limited does not have access to the data and only provides cloud hosting services. The DSA allows the Controller to share data with other organisations under a sub-license agreement.

The Health and Social Care Act 2022 has created 42 ICBs. SEL ICB is responsible for NHS commissioning functions. It is also accountable for NHS spend and performance within the system. Within the SEL ICB geographical area, there is also an Integrated Care Partnership (ICP), a joint committee which brings together SEL ICB and its partner local authorities, and other locally determined representatives (for example from health, social care, public health; and potentially others, such as social care or housing providers) to set local priorities and develop an integrated health and social care strategy. The datasets requested are required to support commissioning activities.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.

Audit type and scope 

Audit type 

Focused - limited to SEL ICB as a Controller and Snowflake as Processor

Scope areas 

Information Transfer – Snowflake only

Access Control – Snowflake only

Data Destruction - Snowflake only

Data Use and Benefits including sub-licensing requirements - SEL ICB only

Operational Management and Control - SEL ICB only

Restrictions 

Access control limited to limited visibility of physical controls

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate. 

Data recipient’s acceptance statement

SEL ICB has reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

SEL ICB will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions at a post audit review with SEL ICB to confirm the findings have been satisfactorily addressed.

The Audit Team has identified 4 opportunities for improvement which are provided for reference only and will not be followed up as part of any post audit review.


Findings

The following table identifies the 3 agreement nonconformities and 4 points for follow-up raised as part of the audit.

| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1. | There were no contractual arrangements provided to evidence arrangements between SEL ICB (the Controller) and Snowflake (the Processor). Following the audit SEL ICB have provided additional information which clarifies the arrangements between all the parties going forwards. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 2. | There was no up to date Memorandum of Understanding (MoU) between NEL ICB (Host for One London) and SEL ICB. Following the audit SEL ICB provided an up-to-date MOU with NEL ICB. | Operational Management | DSFC, Schedule 3, UK General Data Protection Regulation (UK GDPR) | Agreement nonconformity |
| 3. | Liaison Financial Services Limited is not named on NHS England’s list of Controlled Environment for Finance organisations against SEL ICB. | Access Control | DSA Section 6 Special Conditions, Clause 3.0 Controlled Environment for Finance Providers | Agreement nonconformity |
| 4. | At the post audit review the Audit Team will review sub-licencing arrangements to confirm compliance with the DSA. | Access Control | | Follow-up |
| 5. | At the post audit review the Audit Team will review plans being developed for the OneLondon Secure Data Environment (SDE) and ensure they align with the updated DSA. | Access Control | | Follow-up |
| 6. | At the post audit review the Audit Team will review the updated Data Protection Impact Assessment (DPIA) for the Snowflake platform. | Operational Management | | Follow-up |
| 7. | At the post audit review the Audit Team will review the exemption process outlined in the Equipment and Acceptable Use Policy to confirm that it has been updated to specify that NHS England data can only be accessed from within the permitted territory of use. | Access Control | | Follow-up |

Opportunities for improvement

The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes. SEL ICB should consider:

| Ref | Opportunities for improvement | Link to Area |
|---|---|---|
| 1. | Conducting regular user access review checks, rather than relying on the joiners, movers and leavers process. SEL ICB have conducted initial rounds of access review checks since this report has been developed. | Access Control |
| 2. | Updating its Incident Management Policy to include the timely reporting of any incidents relating to data supplied under this DSA to NHS England. | Operational Management |
| 3. | Updating its ICT Network and Cyber Security Policy to reflect current practice on data backup, rather than any legacy solutions. | Information Transfer |
| 4. | Citing the source of the data as required within the DSA Section 6 Special Conditions Clause 4.0 Citation. SEL ICB have updated all data processing outputs to ensure each cites the source of the data being processed. | Use and Benefits |

Use of data

SEL ICB confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.

Data location

SEL ICB confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.

| Organisation | Territory of Use |
|---|---|
| SEL ICB | UK |
| Snowflake | UK |
| Microsoft Limited | UK |

Backup retention

The duration for which data may be retained on backup media is:

| Organisation | Media type | Period |
|---|---|---|
| Microsoft Ltd | Cloud (MS Azure) | 3 years |
| Snowflake Computing UK Limited | Disk (Snowflake time travel and failsafe feature) | 90 days |

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed. 

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.

Last edited: 22 December 2025 3:17 pm