NHS England Post Audit Review: GRAIL INC
This report provides the formal closure of the remote data sharing audit of GRAIL Inc and its Processor between 2 and 6 October 2023.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of GRAIL Inc and its Processor between 2 and 6 October 2023 against the requirements of:
- the data sharing framework contract (DSFC) CON-440011-T3F5R-v2.02 (GRAIL Bio UK Ltd)
- the data sharing agreement (DSA) DARS-NIC-604851-W0M3S-v5.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| NDRS Linked Cancer Waiting Times (Treatments only) | Anonymised/Pseudonymised | Latest available |
| NDRS Linked DIDs | Anonymised/Pseudonymised | Latest available |
| NDRS Linked HES APC | Anonymised/Pseudonymised | Latest available |
| NDRS Cancer Registry | Anonymised/Pseudonymised | Latest available |
| NDRS Rapid Cancer Registrations | Anonymised/Pseudonymised | Latest available |
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised | 2021/22 – 2025/26 M12 |
| NDRS Linked HES Outpatients | Anonymised/Pseudonymised | Latest available |
The University of Oxford (UoO) and GRAIL Bio UK Ltd are joint controllers. The processors are GRAIL Inc, Amazon Web Services (AWS) UK and AWS, Inc (USA). This audit focussed on GRAIL Inc and AWS USA.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by GRAIL Inc between 11 and 28 August 2025.
Post Audit Review Outcome
Based on the evidence provided by GRAIL Inc, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team or GRAIL Inc.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data Recipient’s Acceptance Statement
GRAIL Inc has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies 1 observation and 3 points for follow-up raised as part of the original audit.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1. | GRAIL Inc to amend its Data Sharing Agreement (DSA) prior to the data being processed in the new system in Q1 2024. The Data Protection Impact Assessment (DPIA) and Record of Processing Activities (ROPA) for the data provided by NHS England will also need to be reviewed and updated to be in line with any changes to data processing activities. | Access Control | GRAIL Inc has confirmed in writing the following: (i) they decided not to pursue the new system (HEOR, shorthand for the resource utilisation analyses described in the DSA v6.8), so an updated DPIA and ROPA were not required; (ii) at the time of the original audit GRAIL Inc were looking to change the underlying IT system, but have since decided not to make changes to the system application, so no changes were required to the DSA, ROPA or DPIA. | Observation | Closed |
| 2. | At the post audit review, the Audit Team will review tangible outputs from the study, which is expected to be completed by Q2 2024. | Use and Benefits | GRAIL Inc made a decision not to pursue the HEOR analysis and therefore no output was produced. | Follow-up | Closed |
| 3. | At the post audit review, the Audit Team will review GRAIL Inc’s revised approach to data management and retention. | Operational Management | A copy of the Data Governance Policy version 1.0 with a release date of 01 November 2024 was shared with the Audit Team. | Follow-up | Closed |
| 4. | At the post audit review, the Audit Team will review the revised strategy for managing governance, risk and compliance that will allow GRAIL Inc to further strengthen its current manual risk management processes. | Risk Management | A new risk management software solution has been implemented. Screenshots of the new risk register system were shared with the Audit Team. | Follow-up | Closed |
Opportunities for improvement
The following table identifies 2 opportunities for improvement that could help the organisation improve its controls and processes.
GRAIL Inc should consider:
| Ref | Opportunity for improvement | Link to Area |
|---|---|---|
| 1. | Reducing the number of touchpoints of the data. | Information Transfer |
| 2. | Documenting the processes for electronic data deletion from cloud services. | Data Destruction |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 5 December 2025 4:06 pm