NHS England Post Audit Review: Our Future Health
This report provides the formal closure of the remote data sharing audit of Our Future Health (OFH) between 02 and 06 December 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Our Future Health (OFH) between 02 and 06 December 2024 against the requirements of:
- the data sharing framework contract (DSFC) CON-640689-Q9J6Q-v2.02
- the data sharing agreement (DSA) DARS-NIC-411795-X5N2V-v0.9
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Civil Registrations of Death | Identifiable, Sensitive | Latest available |
| Demographics | Identifiable, Sensitive | Latest available |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2019 – 2027 Q2 |
| Hospital Episode Statistics Accident and Emergency (HES A and E) | Identifiable, Non-Sensitive | 2007 - 2020 |
| Hospital Episode Statistics Admitted Patient Care (HES APC) | Identifiable, Non-Sensitive | 1997 – 2027 Q1 |
| Hospital Episode Statistics Critical Care (HES Critical Care) | Identifiable, Non-Sensitive | 2008 – 2027 Q1 |
| Hospital Episode Statistics Outpatients (HES OP) | Identifiable, Non-Sensitive | 2003 – 2027 Q1 |
| National Diabetes Audit | Identifiable, Sensitive | 2003 – 2025 |
| NDRS Cancer Pathway | Identifiable, Non-Sensitive | Latest available |
| NDRS Cancer registration (pre-1995) | Identifiable, Non-Sensitive | 1985 - 1994 |
| NDRS Cancer Registrations | Identifiable, Sensitive | Latest available |
| NDRS National Radiotherapy Dataset (RTDS) | Identifiable, Non-Sensitive | Latest available |
| NDRS Somatic Molecular Dataset | Identifiable, Sensitive | Latest available |
| NDRS Systemic Anti-Cancer Therapy Dataset | Identifiable, Sensitive | Latest available |
The Controller is OFH and the Processors are Microsoft Azure Limited and DNAnexus Inc. Microsoft Azure Limited provides cloud storage and DNAnexus Inc provide the Trusted Research Environment (TRE) software functionality. The DSA allows the Controller to share data with other organisations under a sub-license agreement.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Post Audit Review
This post audit review comprised a desk-based assessment with video calls to review the action plan and supporting evidence supplied by OFH between 25 June and 11 August 2025.
Post Audit Review Outcome
Based on the evidence, the Audit Team has found that OFH has not fully addressed all the findings at the time of this report. 1 observation remains open. The open finding will now be handed over to the Information Governance (IG) Risk and Assurance team at NHS England to monitor progress as appropriate with OFH.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low:
Original risk statement: Low
Current risk statement: Low
Data Recipient’s Acceptance Statement
OFH has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 3 agreement nonconformities, 2 observations and 1 point for follow-up raised as part of the original audit.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | Only high-level information on the datasets provided under the DSA has been recorded in the Information Asset Register (IAR). | Operational Management | OFH have provided an updated version of their IAR which includes a greater level of detail for the datasets provided within the DSA. It now aligns with the requirements of the DSFC. | Agreement nonconformity | Closed |
| 2 | OFH have staff with enhanced privileged access to systems and information. In many, but not yet all, systems privilege is subject to automatic expiration (acting as an access review), however in other systems the review for privileged access is not formalised and scheduled. This creates a risk that staff no longer requiring this level of access retain it when not required. | Access Control | OFH have undertaken manual checks of privileged accounts in systems holding NHSE data, which have confirmed no evidence of misuse. The residual risk during this interim period is assessed as low. In parallel, a programme is underway to implement automated expiry of privileged access across all relevant systems, strengthening long-term controls. This work will be completed by the end of 2025. | Agreement nonconformity | Closed |
| 3 | A process for identifying and managing dormant accounts would enhance security processes. | Access Control | OFH have provided evidence to the Audit Team that an automated check for dormant accounts is run daily, which identifies accounts not accessed for a specified period. An email is sent to the Information Security team for any follow up actions. | Agreement nonconformity | Closed |
| 4 | There is no reference to DSFC incident reporting requirements in OFH documents. | Operational Management | References to reporting requirements have been incorporated into the OFH Security Incident Management Process v2.0, which is subject to a wider review. A copy of a draft has been supplied to the Audit Team. In the interim any incidents impacting NHSE data will see immediate action taken. The IG Risk and Assurance Team within NHSE will monitor and check on the publication of this process document once completed by OFH. | Observation | Open |
| 5 | The OFH password standard follows national guidance on the complexity and recommended requirements for access to systems and networks. However, no mention is included of any action to be taken in the event of a major cyber-attack. | Access Control | The OFH password standard has been updated and now includes reference to actions to be taken in the event of a cyber-attack. A copy of the updated standard was provided as evidence. | Observation | Closed |
| 6 | Within the DSA a declaration has been made that outputs from the cohort are expected to be published in 2024. At the time of the audit no outputs were evidenced. | Use and Benefits | The Audit Team have been provided with links to publications which make reference to the outputs from the cohort provided under the DSA. | Follow-up | Closed |
Opportunities for improvement
The following table identifies 2 opportunities for improvement which could help an organisation improve its controls and processes.
| Ref | Opportunity for improvement | Link to Area |
|---|---|---|
| 1. | Additional monitoring of the automation that ensures organisational leavers and movers are removed from access to systems should be developed. | Access Control |
| 2. | All OFH policies and procedures would benefit from the addition of a review date section within each document. This would support the timely review and change to these documents whenever an update in practice, law or a stipulated review period requires it. | Operational Management |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 26 September 2025 2:37 pm