NHS England Post Audit Review: University of Oxford
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of the University of Oxford (UoO) between 16 and 29 May 2024. It provides an evaluation of how the UoO and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-319043-Y2R5H-v2.03
- the data sharing agreement (DSA) DARS-402963-P0Y5D-v1.8
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Emergency Care Data Set (ECDS) | Anonymised/Pseudonymised | 2019 – 2023 M07 |
| COVID-19 Vaccination Adverse Reactions | Anonymised/Pseudonymised | Latest available |
| COVID-19 Hospitalization in England Surveillance System | Anonymised/Pseudonymised | Latest available |
| COVID-19 SGSS First Positives (Second Generation Surveillance System) | Anonymised/Pseudonymised | Latest available |
| COVID-19 Vaccination Status | Anonymised/Pseudonymised | Latest available |
| COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) | Anonymised/Pseudonymised | Latest Available |
| COVID-19 UK Non-hospital Antigen Testing Results (pillar 2) | Anonymised/Pseudonymised | Latest available |
| HES-ID to MPS-ID HES Accident and Emergency | Anonymised/Pseudonymised | 2016 - 2019 |
| Hospital Episode Statistics (HES) Admitted Patient Care | Anonymised/Pseudonymised | 2018 – 2023 M07 |
| HES Accident and Emergency | Anonymised/Pseudonymised | 2016 – 2020 M12 |
| Secondary Uses Service Payment by Results Episodes | Anonymised/Pseudonymised | 2017 – 2021 |
| Secondary Uses Service Payment By Results Spells | Anonymised/Pseudonymised | 2017 – 2022 |
| Secondary Uses Service Payment By Results Outpatients | Anonymised/Pseudonymised | 2017 – 2022 |
| Secondary Uses Service Payment By Results Accident and Emergency | Anonymised/Pseudonymised | 2017 – 2022 |
| Mental Health Services Data Set (MHSDS) | Anonymised/Pseudonymised | 2016 - 2019 |
| Improving Access to Psychological Therapies (IAPT) v1.5 | Anonymised/Pseudonymised | 2018 - 2021 |
| Civil Registrations of Death | Anonymised/Pseudonymised | Latest Available |
| National Diabetes Audit | Anonymised/Pseudonymised | 2016 – 2019 |
The Controller is the UoO and the Processors are Public Health Scotland (PHS), the University of Edinburgh (UoE) and the University of Liverpool.
The interviews during the original audit were conducted through video conferencing.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment, with additional calls to assess progress against the action plan and discuss supporting evidence supplied by UoO between August and November 2025.
Post Audit Review Outcome
Based on the evidence provided by the UoO, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and UoO.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data Recipient’s Acceptance Statement
UoO has reviewed this report and confirmed that it is accurate.
Findings
The following tables identify the 1 agreement nonconformity, 1 organisation nonconformity, 3 observations and 3 points for follow-up raised as part of the original audit.
UoO
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | The DSA limits access to substantive employees employed by the UoE as stated in the DSA. The Audit Team found 2 of the users accessing the data were not substantive employees of UoE. There was no formal process to allow researchers who were substantive employees of other organisations through an honorary contract with UoO to access data. | Operational Management | An update to the DSA has been made which reinforces the requirements around honorary contracts. The revised DSA specifies the organisations now listed as processors, with access limited to substantive employees from those institutions. | Agreement nonconformity | Closed |
| 2 | UoO did not provide annual data protection training to researchers. There were no checks in place to ensure that researchers from external organisations attended annual data protection training with their employing organisation. During the audit UoO contacted the researcher employing organisations and confirmed they had attended annual data protection training in the last 12 months. | Operational Management | Evidence was provided to the audit team which shows processes have been updated to ensure data protection training is to be undertaken on an annual basis. | Observation | Closed |
| 3 | The data processing agreement in place between the UoO and PHS did not reference the current DSA and DSFC to ensure the Processor acknowledges compliance with these documents. | Operational Management | A revised and updated data processing agreement (DPA) has been provided to the audit team, which clearly includes references to both the DSA and DSFC. | Observation | Closed |
PHS
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 4 | The retention period for the study data was not recorded in the Information Asset Register (IAR). | Operational Management | An updated IAR was shared on screen during a video call, which showed that retention periods are now included in the register. | Organisation nonconformity | Closed |
| 5 | The NSH user agreement form did not reflect the territory of use as defined in the DSA, and therefore requires updating. | Access Control | The National Safe Haven (NSH) user agreement is part of a wider improvement exercise, so the omission identified during the audit is still subject to completion. However, emphasis on territory of use requirements within the DSA has been included in the DPA between UoO and PHS. | Observation | Closed |
UoE
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 6 | At the post audit review, the Audit Team will review the status of the NSH infrastructure migration and decommission of the hardware including the disks which held NHS England data. | Data Destruction | A certificate of destruction has been provided as evidence to show that the disks containing the NHS England data have been virtually shredded. | Follow-up | Closed |
| 7 | At the post audit review, the Audit Team will examine some technical requirements of the DSFC which were not available at the time of the audit. | Access Control | UoE shared the content of the most recent security check, along with follow up plans, during a video call. It was also confirmed that further testing would be on an annual basis. | Follow-up | Closed |
| 8 | At the post audit review, the Audit Team will review the status of database software updates. | Access Control | Software updates were demonstrated during a video call. The audit team were able to witness that all database updates were up to date. | Follow-up | Closed |
Opportunities for improvement
The following table identifies 1 opportunity for improvement which could help an organisation improve its controls and processes.
| Ref | Opportunity for improvement | Link to Area |
|---|---|---|
| 1 | The UoE should consider implementing email alerts for high priority issues to notify relevant technical staff and the service desk. | Access Control |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 22 December 2025 2:56 pm