NHS England Data Sharing Audit: Cambridge University Hospitals NHS Foundation Trust
This report records the key findings of a remote data sharing audit of Cambridge University Hospitals NHS Foundation Trust (CUHFT) and University of Cambridge (UoC) where the interviews were conducted between 20 and 23 October 2025.
Audit summary
Purpose
This report provides an evaluation of how CUHFT and UoC conform to the requirements of:
- the data sharing framework contract (DSFC)
  - CON-314354-C8S4C-v2.02 (CUHFT)
  - CON-321529-Q1B0S-v2.02 (UoC)
- the data sharing agreement (DSA) NIC-662465-L3R5W-v0.3
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Civil Registrations of Death | Sensitive, Identifiable | Latest available, quarterly |
| Hospital Episode Statistics – Admitted Patient Care (HES APC) | Sensitive, Identifiable | 2022/23 – 2027/28 Q02 |
The Joint Controllers and Processors are CUHFT and UoC.
The primary objective of the Pragmatic randomised trial of High Or Standard PHosphAte Targets in End-stage kidney disease (PHOSPHATE) research study is to test the hypothesis that phosphate-lowering treatment to reduce serum phosphate level towards the normal level reduces fatal and non-fatal major cardiovascular events in patients receiving dialysis compared to a strategy of liberalised phosphate control with phosphate-lowering treatment for serum phosphate levels.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.
Audit type and scope
| Audit type | Focused |
|---|---|
| Scope areas | Access Control; Operational Management and Control |
| Restrictions | Access Control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
CUHFT has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
CUHFT will establish a corrective action plan to address each finding shown in the findings table. The Audit Team will validate this plan and the resultant actions will be followed up with CUHFT by the IG Risk and Assurance team at NHS England to confirm the findings have been satisfactorily addressed.
The Audit has identified 4 opportunities for improvement, which are detailed in the table after the findings. These are provided for reference only and will not be followed up.
Findings
The following table identifies the 6 observations, and 2 points for follow-up raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | CUHFT do not currently have a Record of Processing Activities (ROPA) but do have a Data Management Plan which outlines some information which would typically exist within a ROPA. | Operational Management | | Observation |
| 2 | The processing activities outlined within the DSA do not reflect current practice at CUHFT and require updating. | Access Control | | Observation |
| 3 | One data processor identified during the audit was not listed on the DSA. | Operational Management | | Observation |
| 4 | Engineers who will be supporting the CUHFT IT estate where the NHS England data is due to be stored are based outside of the territory of use outlined within the DSA. The DSA should be updated to reflect where processing will occur. | Access Control | | Observation |
| 5 | Data provided by NHS England must be recorded on an Information Asset Register. | Operational Management | | Observation |
| 6 | The timescales noted in the CUHFT procedure for reporting incidents do not reflect the requirements of the DSFC. | Operational Management | | Observation |
| 7 | During the follow up process the IG Risk and Assurance Team will check to ensure that UoC have submitted an Annual Confirmation Report (ACR) for PHOSPHATE to NHS England. | Operational Management | | Follow-up |
| 8 | As part of the follow up process the IG Risk and Assurance Team will review evidence to confirm that an administrative account identified at CUHFT during the Audit has been disabled. | Access Control | | Follow-up |
Opportunities for improvement
The following table identifies 4 opportunities for improvement which could help an organisation improve its controls or processes.
| Ref | Opportunities for improvement | Link to Area |
|---|---|---|
| 1. | The UoC should ensure they use the citation noted under Special Conditions of the DSA, which states that “This work uses data provided by patients and collected by the NHS as part of their care and support”. | Operational Management |
| 2. | UoC to consider documenting the frequency of access reviews performed for the area that is being used to store data provided by NHS England. Although the Audit Team found that access reviews were being performed, the frequency of reviews had not been outlined within UoC policy. | Access Control |
| 3. | CUHFT to consider documenting the frequency of access reviews that will be performed on the area that will be used to store data provided by NHS England. | Access Control |
| 4. | CUHFT should consider obtaining, from the participant, a signature confirming they wish to fully withdraw from the study. | Operational Management |
Use of Data
CUHFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data Location
CUHFT and UoC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| CUHFT | England & Wales |
| UoC | England & Wales |
Backup Retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Period |
|---|---|---|
| UoC | Disk | 30 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 11 February 2026 8:19 am