NHS England Post Audit Review: Manchester University NHS Foundation Trust
This report provides the formal closure of the remote data sharing audit of Manchester University NHS Foundation Trust (MFT) and its Processor between 3 and 7 March 2025.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of Manchester University NHS Foundation Trust (MFT) and its Processor between 3 and 7 March 2025 against the requirements of:
- the data sharing framework contract (DSFC) CON-324681-Z8K6R
- the data sharing agreement (DSA) DARS-NIC-656836-T2J0T-v2.3
- the organisations’ own policies, processes and procedures
Details of the datasets received under this DSA can be found in the original report.
The Controller is MFT and the Processor is The University of Manchester (UoM).
Further guidance on the terms used in this post audit review report can be found in the Data Sharing Audit Guide version 4.0.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by MFT in January and February 2026.
Post Audit Review Outcome
Based on the evidence provided by MFT, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and MFT.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data Recipient’s Acceptance Statement
MFT has reviewed this report and confirmed that it is accurate.
Findings
The following tables identify the 3 agreement nonconformities, 2 organisation nonconformities and 1 observation raised as part of the original audit. During the original audit 2 of these findings were closed.
UoM
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | There is no valid Data Processing Agreement (DPA) in place between MFT and UoM, which is a requirement in the DSA. The DSA has been renewed on an annual basis. | Information Transfer | The DPA between MFT and UoM has been renewed since the original audit. | Agreement nonconformity | Closed |
| 2 | The DSA states that the data will not be backed up to another location, however, the UoM are backing up the data to another physical location. It should be noted that MFT confirmed that this statement was left in the DSA by mistake. | Information Transfer | UoM have been removed as a data processor under the renewed data sharing agreement (DSA) with NHS England. | Agreement nonconformity | No longer applicable |
| 3 | The Privacy Information on the MFT trials website hasn’t been updated in line with internal document updates. | Operational Management | Changes were made to the MFT trials website in June 2025. The Trust has since retired this internet page. | Organisation nonconformity | Closed |
| 4 | MFT are planning to transfer the data back from the UoM and store at MFT. MFT should: | Data Destruction | MFT engaged with the DAS and followed the destruction guidance. A data destruction certificate has been provided to DAS via email. | Observation | Closed |
| 5 | UoM were not fully compliant with access control requirements outlined within the DSA. The DSA states that data will only be accessed by substantive employees, however, a PhD student was granted access to the data. UoM verbally stated that even though access was granted, the PhD student did not access the data, however there are no access logs available to support this for that period as they have passed the retention period. | Access Control | The Register spreadsheet (UoM Record of Processing Activities (ROPA)) has been updated to record the status of data users (i.e. substantive, honorary, student) permitted to access the data under individual DSAs. All data access requests will be checked against the information in ‘Authorised Data User Status’ prior to approval. | Agreement nonconformity | Closed |
| 6 | The certificate of destruction, following data upload to Data Safe Haven (DSH) via the ingress virtual machine (VM), was not retained, which is a breach of UoM’s internal policy. The ingress VM is a temporary storage area for the data prior to being uploaded to the DSH. | Information Transfer | UoM have provided evidence that an action is now in place to ensure retention of any future certificates of destruction. | Organisation nonconformity | Closed |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 26 March 2026 1:51 pm