NHS England Post Audit Review: Met Office Health Research Programme (The Met Office)
This report provides the formal closure of the remote data sharing audit of Met Office Health Research Programme (The Met Office) between 10 and 14 June 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Met Office Health Research Programme (The Met Office) between 10 and 14 June 2024 against the requirements of:
- the data sharing framework contract (DSFC) CON-320650-T5H3H-v2.02
- the data sharing agreement (DSA) DARS-NIC-70235-T6P9F-v6.02
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised, Non-sensitive | 2018/19 – March 2018 Final Data, 2018/19 – 2025/26 |
| Hospital Episode Statistics (HES) Accident and Emergency (HES A and E) | Anonymised/Pseudonymised, Non-sensitive | 2007/08 – 2019/20 |
| HES Admitted Patient Care (HES APC) | Anonymised/Pseudonymised, Non-sensitive | 1989/90 – 2025/26 |
The Controller is The Met Office.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment and a video call of the action plan and supporting evidence supplied by The Met Office between 16 May and 11 August 2025.
Post Audit Review Outcome
Based on the evidence, the Audit Team has concluded that one agreement nonconformity and one point for follow-up remain open. The open findings have now been handed over to the representative of the Senior Information Risk Owner (SIRO) in the Information Governance Risk and Assurance team at NHS England to progress as appropriate with the Met Office.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low:
Original risk statement: Medium
Current risk statement: Low
The following table shows the risk assigned in the original audit, and the risk assigned in the previous post audit review.
Data Recipient’s Acceptance Statement
The Met Office has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 4 agreement nonconformities, 2 observations and 2 points for follow-up raised as part of the original audit.
The Met Office
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1. | Not compliant with the technical requirements of the DSFC. | Access Control | Evidence was provided during a meeting with the Met Office that sufficient progress has been made to improve the technical controls identified during the original audit. | Agreement nonconformity | Closed |
| 2. | There was no evidence to show that user permissions to the NHS England data had been reviewed on a regular basis. | Access Control | Evidence has been provided of regular reviews of access permissions, with the latest review conducted on 02 May 2025. | Agreement nonconformity | Closed |
| 3. | Not compliant with the technical requirements of the DSFC. | Information transfer | Evidence provided following a call held on 02 July 2025 that appropriate technical requirements have been met. | Agreement nonconformity | Closed |
| 4. | At the time of audit, the Met Office could not evidence that a record of processed activities (ROPA) had been completed for the data supplied under the DSA. | Operational Management | Evidence provided to the Audit Team of completed ROPA on 16 May 2025. | Agreement nonconformity | Closed |
| 5. | The current timescales for completion of data security training for all staff at the Met Office did not align with the requirements of the DSFC. | Operational Management | Evidence provided of Data Protection Core Module training which is now undertaken annually. Samples provided of named individuals who completed training in October 2024. | Observation | Closed |
| 6. | Not compliant with the technical requirements of the DSFC. | Access Control | Evidence provided that appropriate technical requirements of the DSFC have now been met. | Observation | Closed |
| 7. | At the post audit review, the Audit Team will review the progress made around reviewing cyber security risk profiles and the implementation of an IT risk register. | Risk Management | Evidence has been provided of work undertaken to progress this finding, namely cyber risk coverage within an internal audit report and risk policy. While this work remains ongoing, sufficient progress has been evidenced for this to be closed. | Follow-up | Closed |
| 8. | At the post audit review, the Audit Team will review the outcome of the Oracle account administrator error observed during the audit. | Access Control | Evidence provided that this issue is a known error and expected behaviour. Ticket update from Oracle provided as evidence to justify closing this finding. | Follow-up | Closed |
Opportunities for improvement
The following table identifies the 4 opportunities for improvement which could help an organisation improve its controls and/or processes.
| Ref | Opportunity for improvement | Link to Area |
|---|---|---|
| 1. | The Met Office should consider documenting any encryption requirements for data 'at rest' and 'in transfer.' | Access Control |
| 2. | The Met Office should consider documenting its defined timescales for reviewing its internal policies and procedures. | Operational Management |
| 3. | The Met Office should consider including serial numbers of any devices on the certificates of destruction provided to the disposal company. | Data Destruction |
| 4. | The Met Office should consider updating the Hospital Admissions Data System diagram to include the correct up-to-date data flow process. | Information Transfer |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 5 December 2025 4:18 pm