NHS England Data Sharing Audit: Cambridge University Hospitals NHS Foundation Trust & University of Cambridge
This report records the key findings of a remote data sharing audit of Cambridge University Hospitals NHS Foundation Trust (CUHFT) and the University of Cambridge (UoC) between 12 and 16 January 2026.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Cambridge University Hospitals NHS Foundation Trust (CUHFT) and the University of Cambridge (UoC) between 12 and 16 January 2026. It provides an evaluation of how CUHFT, UoC and their Processors conform to the requirements of:
- the data sharing framework contracts (DSFC)
- CON-314354-C8S4C (Version 2.03)
- CON-321529-Q1B0S (Version 2.03)
- the data sharing agreement (DSA) DARS-NIC-753801-J5B3X-v1.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Customer - Data Quality Report - Aggregate (Recruitment) |
Aggregated – Small Numbers Suppressed Anonymous Non sensitive |
Latest available |
| Mailing - Cohort - Non-aggregate (Comms & Recruitment) |
Identifiable Mailing Provider Output for Recruitment and Communications cohorts Sensitive Mailing Provider Output for Recruitment and Communications cohorts |
Latest available |
The joint Controllers are CUHFT and UoC. The Processor(s) are Amazon Web Services (AWS) and iPLATO.
The following is a summary of the aims of the Heartburn Health Programme, and BEST4 Screening Trial, provided by the CUHFT and UoC:
The aim of the Heartburn Health Programme is to create a resource of participants with heartburn, indigestion or acid reflux. The Programme aims to build a community of volunteers with heartburn and allow experts to research issues like:
- How to manage symptoms more effectively and reduce the need for long-term medication.
- How to find more serious health problems such as severe inflammation and cancer early, when they are easier to treat.
As part of the Heartburn Health Programme, participants will have consented to health-related data collection, and to be contacted regarding specific research opportunities.
The BEST4 Screening Trial is one of the first research opportunities that Heartburn Health participants might be eligible to participate in. The aim of the BEST4 Screening Trial is to assess the use of a capsule sponge device as a screening tool to identify signs of the precancerous condition Barret's Oesophagus (BO), which can often be a precursor for Oesophageal Adenocarcinoma (OAC) (cancer of the food pipe). Using the capsule sponge device could be a simple, alternative method of screening for these conditions. The current screening method for patients who are identified as being high risk is endoscopy, which is an invasive and uncomfortable procedure, as well as being expensive for the NHS and often not easily accessible. The BEST4 Screening Trial will identify if the capsule sponge procedure is a viable alternative to this process, and whether it could improve rates of OAC-associated late-stage disease and death.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Information Transfer Access Control Data Use and Benefits Data Destruction |
|
Restrictions |
Access Control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
CUHFT and UoC have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
CUHFT and UoC will establish a corrective action plan to address each finding. The Audit Team will validate this plan and the resultant actions will be followed up with CUHFT and UoC by the IG Risk and Assurance Team at NHS England to confirm the findings have been satisfactorily addressed.
Findings
The following table identifies the 1 agreement nonconformity, 1 organisation nonconformity and 2 observations raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1 |
Evidence has not been provided which details the contractual relationship between iPLATO and AWS. Section 5a of the DSA states: “Amazon Web Services provide cloud hosting services and will store the data as contracted by iPLATO.” A generic high-level agreement for AWS was presented as evidence which details AWS’s standard service terms. The Audit Team was informed AWS does not offer bespoke agreements. A DPIA was provided however it does not cover how NHSE data is stored. |
Information Transfer |
GDPR Article 28 DSFC Part 2, Section 4.1.4 |
Agreement nonconformity |
| 2 |
Evidence has not been provided which demonstrates that the password settings align to the criteria determined in iPLATO’s Acceptable Use Policy for both standard and admin access. Note: The current password settings are in alignment with National Cyber Security Centre guidance. |
Access Control | DSFC Schedule 2, Section A, 4.2 |
Organisation nonconformity |
| 3 | Evidence has been provided of a process for checking cached files. However, the process does not identify a frequency for these reviews to be undertaken. CUHFT should update the process to ensure these reviews are scheduled and undertaken. | Information Transfer | DSFC Schedule 2, Section A, 4.9 |
Observation |
| 4 | Whilst a migration strategy for unsupported systems was viewed, there is no detailed criteria and process describing the key activities for managing end of life assets. | Data Destruction | DSFC Schedule 2, Section A, 3.2 |
Observation |
Use of Data
CUHFT and UoC confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data Location
CUHFT and UoC confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA
| Organisation | Territory of Use |
| Amazon Web Services | UK |
| iPLATO | UK |
Backup Retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Period |
| Amazon Web Services (AWS) | Cloud | 30 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 26 March 2026 4:05 pm