NHS England Post Audit Review: The Institute for Fiscal Studies.
This report provides the formal closure of the remote data sharing audit of The Institute for Fiscal Studies (IFS) between 16 and 23 September 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of The Institute for Fiscal Studies (IFS) between 16 and 23 September 2024 against the requirements of:
- the data sharing framework contract (DSFC) CON-305762-B8S7B (Version 2.01)
- the data sharing agreement (DSA) DARS-NIC-17824-V9F2B-v6.4
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES): Civil Registration (Deaths) bridge | Pseudo/Anonymised, Non-Sensitive | 1997/98 to 2017/18 |
| HES Admitted Patient Care | Pseudo/Anonymised, Non-Sensitive | 1997/98 to 2017/18 |
| HES Outpatients | Pseudo/Anonymised, Non-Sensitive | 2005/06 to 2017/18 |
| HES Accident and Emergency | Pseudo/Anonymised, Non-Sensitive | 2007/08 to 2017/18 |
| Patient Reported Outcome Measures | Pseudo/Anonymised, Non-Sensitive | 2009/10 to 2013/14 |
| Civil Registration (Deaths) - Secondary Care Cut | Pseudo/Anonymised, Sensitive | 1997/98 to 2017/18 |
The Controller is the IFS.
The interviews during the original audit were conducted through video conferencing.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Remote Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment and video call covering the action plan and supporting evidence supplied by the IFS between May and July 2025.
Post Audit Review Outcome
Based on the evidence provided by the IFS, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and the IFS.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: Medium
Current risk statement: Low
Data Recipient’s Acceptance Statement
The IFS has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 6 agreement nonconformities, 4 observations and 1 point for follow-up raised as part of the original audit.
IFS
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | The Audit Team were unable to confirm that the server being used to store data provided by NHS England has received software updates on a consistent basis. | Access Control | The IFS have provided evidence to show the servers that store data on site have been regularly patched. | Agreement nonconformity | Closed |
| 2 | Not compliant with the technical requirements of the DSFC. | Access Control | The IFS have carried out work to address the key findings. Some low rated actions remain open with work ongoing to address these. | Agreement nonconformity | Closed |
| 3 | The data provided by NHS England are not being backed up in line with the requirements of the DSFC and the processes outlined within IFS backup policy. | Information Transfer | The IFS have provided evidence to the Audit Team to show that the onsite backup is encrypted. | Agreement nonconformity | Closed |
| 4 | Security logs are not retained as required by the DSFC and IFS Policy. | Access Control | The IFS have provided evidence to support that log retention is being maintained in line with requirements. | Agreement nonconformity | Closed |
| 5 | The level of encryption applied to the data in transit was not in line with the requirements of the DSFC. | Access Control | During a video call the IFS was able to confirm that the encryption level meets the requirements of the DSFC. | Agreement nonconformity | Closed |
| 6 | It was noted by the Audit Team that although version 6.4 of the DSA ended on 30 November 2023, IFS have continued to use the data. The Audit Team confirmed that this was for the projects detailed within version 6.4 of the agreement only. The Audit Team noted the use of the data after the DSA expired was identified by NHS England retrospectively, during an amendment application to the DSA. The Audit Team received no evidence to indicate that permission to continue to use the data was given to IFS prior to the data being used. IFS have continued to process data after the DSA has ended. | Use and Benefits | At the time of this review the IFS have an active DSA in place since April 2025. | Agreement nonconformity | Closed |
| 7 | Two research fellows who were accessing the data provided by NHS England had not signed the latest version of the data access honorary contracts. The Audit Team noted that these two research fellows no longer have access to the data because they are no longer working on projects under the new Data Sharing Agreement. | Access Control | The IFS confirmed that access for the two users who had accessed the data without a valid honorary contract has been revoked. The IFS have evidenced that access to the data is restricted to individuals directly employed by the IFS, or suitably approved individuals. This revised approach has been approved by NHS England. | Observation | Closed |
| 8 | A certificate of destruction must be provided to NHS England in December 2024 when data that currently resides within the Enclave storage location at IFS is destroyed. The Audit Team noted that this certificate of destruction has been submitted to NHS England by IFS on 14 October 2024. | Data Destruction | The IFS have submitted a certificate of destruction to the DAS team and it was approved in October 2024. | Observation | Closed |
| 9 | The Audit Team reviewed version 7.2 of the DSA which was yet to be signed off at the time of audit and noted some project status updates that were required to be made. The Audit Team noted that IFS have since updated DARS on these changes during the audit fieldwork, and Version 7.2 of the DSA has now been signed by IFS. | Access Control | The updates were made during the original audit, after the IFS were made aware of the changes. | Observation | Closed |
| 10 | The Audit Team noted that the Privacy Notice on the IFS website contained outdated information. The Audit Team noted that IFS have updated their Privacy Notice as of 08 October 2024. | Access Control | The Audit Team can confirm that the IFS had updated the Privacy Notice in October 2024. | Observation | Closed |
| 11 | At the post audit review, the Audit Team will receive an update from IFS on the ongoing project to migrate to a cloud provider from their current on-premises server environment. | Access Control | The Audit Team can confirm that the IFS have agreement with DAS regarding migrating to the cloud provider. The Audit Team has reviewed DARS-NIC-17824-V9F2B-v8.4 and confirmed that a cloud storage provider has been declared as a Processor. | Follow-up | Closed |
Opportunities for improvement
The following table identifies 5 opportunities for improvement which could help an organisation improve its controls and processes.
| Ref | Opportunity for improvement | Link to Area |
|---|---|---|
| 1 | The IFS should consider documenting a centralised Quality Control Policy which outlines the expected quality control standards and processes for each IFS research project. | Operational Management |
| 2 | The IFS should consider renaming a technical administrative account identified during the audit. | Access Control |
| 3 | The IFS should consider amending its current Information Asset Register (IAR) and Record of Processing Activities (ROPA) document to include the end date for each DSA. | Operational Management |
| 4 | The IFS should consider documenting a centralised Patch Management Policy that expands on information within the IFS Information Security Manual. | Access Control |
| 5 | The IFS should consider amending the automatic screen lockout function for users who have access to the data provided by NHS England. The Audit Team noted that following the audit interviews, prior to this report being finalised, IFS have updated the automatic screen lockout function for users from 15 minutes to 5 minutes. | Access Control |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 11 February 2026 8:22 am