NHS England Post Audit Review: University Hospitals Birmingham NHS Foundation Trust

This report provides the formal closure of the remote data sharing audit of the University Hospitals Birmingham NHS Foundation Trust (UHBFT) and its Processor between 5 and 14 February 2024.

Audit summary

Purpose

This report provides the formal closure of the remote data sharing audit of the University Hospitals Birmingham NHS Foundation Trust (UHBFT) and its Processor between 5 and 14 February 2024 against the requirements of:

  • the data sharing framework contract (DSFC) CON-314093-X4T8R-v2.02  
  • the data sharing agreement (DSA) DSA-NIC-77142-Q4D1D-v1.5
  • the organisations’ own policies, processes and procedures

This DSA covers the provision of the following datasets:

  • Dataset: Hospital Episode Statistics (HES): Civil Registration (Deaths) bridge; Classification of data: Anonymised/Pseudonymised, Non-sensitive; Dataset period: 1997/98 – 2018/19
  • Dataset: HES Outpatients; Classification of data: Anonymised/Pseudonymised, Non-sensitive; Dataset period: 2003/04 – 2018/19
  • Dataset: Civil Registrations of Death; Classification of data: Anonymised/Pseudonymised, Sensitive; Dataset period: Latest available

The Controller is UHBFT and the Processor is The University of Birmingham (UoB).

UHBFT requires access to NHS England data for the purpose of the Epidemiology of Cancer After Solid Organ Transplant (EpCOT) study. The main objective for the EpCOT project is to link datasets which already exist in isolation to create an integrated dataset that can explore post-transplant cancer epidemiology.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.

Post Audit Review

This post audit review comprised a desk-based assessment and a video call covering the action plan and supporting evidence supplied by UHBFT between May 2024 and January 2026.

Post Audit Review Outcome

Based on the evidence provided by UHBFT, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team or UHBFT.

Updated risk statement

Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Medium

Current risk statement: Low

Data Recipient’s Acceptance Statement

UHBFT has reviewed this report and confirmed that it is accurate.

Findings

The following tables identify the 5 agreement nonconformities, 2 organisation nonconformities, 3 observations and 2 points for follow-up raised as part of the original audit. The 4 opportunities for improvement identified during the original audit are included in an additional table below.

UHBFT

Ref: 1
Finding: The Data Processing Agreement between UHBFT and UoB has now expired. UHBFT has developed a new data processing agreement that includes the terms of the DSA to ensure compliance. It has been shared with UoB and is awaiting feedback and signature. The Audit Team also suggested that UHBFT ensures the appropriate teams and stakeholders review any new DSFC and DSA. This will ensure the organisation is aware of its responsibilities and is fully compliant.
Link to area: Operational Management
Update: The Audit Team has been provided with a signed Data Processing Agreement (DPA) which has been produced, reviewed and signed by both parties (UHBFT and UoB). Following an upcoming revision to the current agreements, UoB and UHBFT will ensure that both the DSFC and DSA are shared with relevant stakeholders.
Designation: Agreement nonconformity
Status: Closed

Ref: 2
Finding: UHBFT will complete its Data Security and Protection Toolkit (DSPT) improvement plan prior to the next DSA being agreed and signed.
Link to area: Operational Management
Update: UHBFT has worked on the DSPT improvement plan, which now shows as “meeting standards” for its latest submission. This work has been done and will support the upcoming renewal of its agreement.
Designation: Observation
Status: Closed

UoB

Ref: 3
Finding: Data in transit between the storage location and the backup site is not encrypted to the standard required by the DSFC.
Link to area: Information Transfer
Update: Encryption for data in transit has been updated to meet the requirements of the DSFC. Screenshot evidence was supplied to the Audit Team to support this change.
Designation: Agreement nonconformity
Status: Closed

Ref: 4
Finding: There was no evidence to show that access to the locations being used to store data supplied by NHS England is reviewed on a regular basis. It was noted during the audit that one SQL service account with access to the data should be deactivated.
Link to area: Access Control
Update: The SQL account referred to has been removed. An access permissions report is now generated monthly to review ongoing access; an example was provided as evidence.
Designation: Agreement nonconformity
Status: Closed

Ref: 5
Finding: No recent security assessments have been performed on the infrastructure used to store data supplied by NHS England.
Link to area: Access Control
Update: Evidence was supplied to show that security assessments are now scheduled on a monthly basis.
Designation: Agreement nonconformity
Status: Closed

Ref: 6
Finding: UoB has not completed a Record of Processing Activities (ROPA) for the data supplied under the DSA. Instead, information specific to the DSA datasets is spread across different documents. Once the ROPA is completed, it should be passed to the Controller for review and approval. The Audit Team noted that a ROPA was completed during the audit. However, it is yet to be reviewed and approved by the Controller.
Link to area: Operational Management
Update: A ROPA has been completed and stored in the UoB Data Asset Register for reference. The entry has been made available to the UHBFT Information Governance Team for review and approval.
Designation: Agreement nonconformity
Status: Closed

Ref: 7
Finding: UoB to review the Microsoft Windows security log retention to ensure security logs are retained in line with UoB policy.
Link to area: Access Control
Update: The UoB Hardening Standard has been updated to state that security logs will be retained for a minimum of 6 months and a maximum of 1 year. As an interim measure these logs have been exported and saved separately for 6 months while the update to the standard is agreed and approved. The revised standard was provided as evidence.
Designation: Organisation nonconformity
Status: Closed

Ref: 8
Finding: The SQL database holding data provided by NHS England is not encrypted, as required by the Data Processing Agreement between UHBFT and UoB.
Link to area: Access Control
Update: Screenshot evidence was provided to the Audit Team clearly showing that appropriate encryption has now been applied.
Designation: Organisation nonconformity
Status: Closed

Ref: 9
Finding: The Data Protection Impact Assessment (DPIA) created by UoB is currently in draft format. As Controller, UHBFT must review and approve the DPIA.
Link to area: Operational Management
Update: An updated and approved DPIA was provided as evidence, showing that both UoB and UHBFT are sighted on its contents.
Designation: Observation
Status: Closed

Ref: 10
Finding: The server used to store data provided by NHS England is running an operating system that is approaching end of support.
Link to area: Access Control
Update: Evidence was provided to show that the data has been migrated onto a fully supported Windows Server.
Designation: Observation
Status: Closed

Ref: 11
Finding: At the post audit review, the Audit Team will review progress of the migration of the server being used to store data provided by NHS England.
Link to area: Access Control
Update: Migration of the server being used to store NHS England data was completed in March 2024.
Designation: Follow-up
Status: Closed

Ref: 12
Finding: At the post audit review, the Audit Team will review the results of a security assessment scheduled to be performed in 2024.
Link to area: Access Control
Update: Significant improvements and enhancements to the overall security assessments and processes have been evidenced as a result of the original audit, especially to the platform holding the NHS England data. An assessment has recently been undertaken and the output has been shared with the Audit Team, including an update on all actions that arose, which have now been suitably addressed.
Designation: Follow-up
Status: Closed

Opportunities for improvement

The following table identifies 4 opportunities for improvement which could help an organisation improve its controls and processes.

Ref: 1
Opportunity for improvement: UoB to consider encrypting desktops that are being used to download data provided by NHS England.
Link to area: Access Control

Ref: 2
Opportunity for improvement: UoB to consider implementing a function to automatically disable inactive user accounts after a set period.
Link to area: Access Control

Ref: 3
Opportunity for improvement: UoB to update its Information Asset Register (IAR) to include the correct DSA end date.
Link to area: Operational Management

Ref: 4
Opportunity for improvement: UoB to consider maintaining a record of the annual physical reviews of the UoB datacentre.
Link to area: Access Control

Disclaimer

NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 26 March 2026 2:03 pm