NHS England Post Audit Review: NHS North Central London Integrated Care Board
This report provides the formal closure of the remote data sharing audit of NHS North Central London Integrated Care Board (NCL ICB) between 4 and 7 March 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of NHS North Central London Integrated Care Board (NCL ICB) between 4 and 7 March 2024 against the requirements of:
- the data sharing framework contract (DSFC) CON-369360-Z5R7D-v2.02
- the data sharing agreements (DSA):
- DARS-NIC-362253-J5V8L-v3.2
- DARS-NIC-615974-Y3R7Q-v0.2
- the organisations’ own policies, processes and procedures
These DSAs cover the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Commissioning Datasets | Sensitive | Ad-hoc irregular dissemination |
| Invoice Validation Datasets | Identifiable; Sensitive | Ad-hoc irregular dissemination |
The Controller is NCL ICB and the Processors are NHS North East London ICB, Microsoft Limited, NHS South West London ICB, NHS North of England Commissioning Support Unit (NECS CSU), NHS North West London ICB and NHS South East London ICB. The DSA allows the Controller to share data with other organisations under a sub-license agreement.
Data provided by NHS England is used to provide intelligence to support the commissioning of health services. The data is analysed so that health care provision can be planned to support the needs of the population within the ICB area.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised of a desk-based assessment of the action plan and supporting evidence supplied by NCL ICB in December 2025.
Post Audit Review Outcome
Based on the evidence provided by the NCL ICB, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and NCL ICB.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Low
Current risk statement: Low
Data Recipient’s Acceptance Statement
NCL ICB has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 3 observations raised as part of the original audit.
NCL ICB
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | NCL ICB must have Data Processing Agreements in place with all processors listed in the DSA before they are used. However, some organisations are not currently processing data and are listed to allow them to do so in the future. Alternatively, any inactive processors should be removed from the DSA. | Operational Management | The Audit Team received evidence to confirm that Data Processing Agreements are now in place between all processors listed within the DSA. |
Observation |
Closed |
| 2 | Staff under honorary contract are accessing data provided by NHS England. The details of these users and details of the oversight process to authorise these users has not been outlined within the DSA. | Operational Management | The Audit Team confirmed that the details of staff under honorary contract and details of the oversight process to authorise these users has been discussed and agreed with DAS and will be outlined within the next version of the DSA. |
Observation |
Closed |
| 3 | Two NCL ICB servers used to store data provided by NHS England are running an Operating System that is approaching end of support. | Access Control | The Audit Team received evidence to confirm all servers used to store data provided by NHS England are running supported Operating Systems. |
Observation |
Closed |
Opportunities for improvement - NECS CSU
| Ref | Opportunity for improvement | Link to Area |
| 4 | NECS CSU should ensure that the Controlled Environment for Finance (CEfF) Standard Operating Procedure (SOP) is reviewed within its allocated review date. | Operational Management |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 26 March 2026 1:54 pm