NHS England Post Audit Review: University of Bristol
This report provides the formal closure of the remote data sharing audit of University of Bristol (UoB) between 22 and 30 January 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of University of Bristol (UoB) between 22 and 30 January 2024. It provides an evaluation of how the UoB and its Processor conform to the requirements of:
- the data sharing framework contracts (DSFC):
  - UoB: CON-304765-H4P3X-v2.02
  - Royal Devon University Healthcare NHS Foundation Trust (RDUH): CON-306176-T4X6H-v2.02
- the data sharing agreement (DSA) DARS-NIC-134719-D5W2Y-v0.17
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care | Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Critical Care | Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Outpatients | Identifiable, Non-sensitive | 2017/18 – 2022/23_M09 |
| HES Accident and Emergency | Identifiable, Non-sensitive | 2017/18 – 2019/20 |
| Diagnostic Imaging Data Set | Identifiable, Non-sensitive | Latest available |
| HES Civil Registration (Deaths) bridge | Identifiable, Non-sensitive | Latest available |
| Bridge file: HES to Diagnostic Imaging Dataset | Identifiable, Non-sensitive | Latest available |
| Emergency Care Data Set (ECDS) | Identifiable, Sensitive | 2020/21 – 2022/23_M09 |
| Civil Registrations of Death – Secondary Care Cut | Identifiable, Sensitive | Latest available |
The Joint Controllers are UoB and RDUH. The Processor is University Hospitals Bristol and Weston NHS Foundation Trust (UHBW). UHBW’s role is limited to providing IT hosting services.
The interviews during the original audit were conducted through video conferencing.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment, with additional calls to assess progress against the action plan and the supporting evidence supplied by UoB and UHBW. The review was undertaken between February and December 2025.
Post Audit Review Outcome
Based on the evidence provided by UoB and UHBW, the Audit Team has closed all the findings. No further action is therefore required of any party.
Updated risk statement
Based on the results of this post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.
Original risk statement: High
Current risk statement: Low
Data Recipient’s Acceptance Statement
UoB, RDUH and UHBW have reviewed this report and confirmed that it is accurate.
Findings
The following tables identify the 6 agreement nonconformities, 2 organisation nonconformities, 2 observations and 2 points for follow-up raised as part of the original audit.
UoB
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | No coherent Record of Processing Activities (ROPA) to cover the data supplied under the DSA currently exists. The information relating to the data is spread across different documents. | Operational Management | UoB have provided an updated ROPA, which covers the data supplied under the agreement. | Agreement nonconformity | Closed |
| 2 | The UoB are recording Cyber Security Team risks in a risk register. The Audit Team were verbally informed that the risk review period was monthly, but some high rated risks had not been reviewed for at least 3 months. | Risk Management | A revised and updated framework for risk management has been provided as evidence, in particular the approach to Cyber Risk management. This revised framework was presented to the UoB Operations Board. | Agreement nonconformity | Closed |
| 3 | As Joint Controller, RDUH must be involved in the review and approval of the Data Protection Impact Assessment (DPIA) and ROPA. | Operational Management | Evidence was provided to the Audit Team which clearly showed that both controllers had signed off the DPIA and ROPA. | Agreement nonconformity | Closed |
| 4 | Validation testing of required security controls has not been conducted. | Access Control | UoB have supplied a comprehensive schedule of security checks and investigations being run across the full estate, including where the NHSE data resides. A summary report along with actions has also been supplied, which illustrates that good practice is being undertaken. | Agreement nonconformity | Closed |
| 5 | Technical security controls had not been applied as detailed in a technical standards document. | Access Control | The evidence supplied for finding 4 also illustrates how the checks undertaken assure that actual system settings comply with UoB policies. | Organisation nonconformity | Closed |
| 6 | The UoB have included a clause in their data agreement with the UHBW to implement appropriate technological and organisational measures to protect against accidental loss, destruction, damage, alteration or disclosure of any personal data. However, they do not obtain evidence of compliance and assurance of this clause from the UHBW. Whilst the UHBW were very open during the remote audit meetings and provided a range of evidence, they declined the opportunity to share the results of security testing and the associated remediation plan(s) with the Audit Team. | Access Control | Security assurances between UoB and UHBW are discussed and minuted within regular meetings. A copy of an agenda for these meetings was provided as evidence. | Observation | Closed |
| 7 | At the post audit review, the Audit Team will look at the progress on implementation of the Information Governance (IG) Risk Framework and the IG risk register. | Operational Management | A revised risk management framework has been produced, and copies of the framework and register were provided as evidence. | Follow-up | Closed |
| 8 | At the post audit review, the Audit Team will look at the GDPR compliance audit report that is to be undertaken in the first quarter of 2024. | Operational Management | A copy of the latest GDPR compliance report (Final Version) was provided by UoB. | Follow-up | Closed |
UHBW
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 9 | A security group which did not require access to the data was assigned to the folder containing NHSE data. | Access Control | Evidence was provided that clearly shows inherited permissions to the folder have been updated. Only specific accounts needing access have the ability to do so. | Agreement nonconformity | Closed |
| 10 | No audit trail of access to the folder containing NHSE data was available. | Access Control | An updated audit trail provided as evidence showed the checks undertaken and that access is restricted to permitted users. | Agreement nonconformity | Closed |
| 11 | One of the UHBW laptops issued to the UoB was encrypted to AES-128. The UHBW Cryptographic Control and Key Policy states that laptops must have full disk encryption installed and operational to a minimum level of AES-256. | Information Transfer | The laptop identified during the audit is part of a wider device upgrade. Given that the device is already encrypted, NHSE are content for it to be addressed as part of that wider piece of work, so that it complies with local policy over time. | Organisation nonconformity | Closed |
| 12 | The UHBW have not met all the Data Security and Protection Toolkit (DSPT) assertions in its 2022/23 submission but are working towards full compliance. | Operational Management | The DSPT Team within NHSE confirmed that the UHBW continues to submit updates to an improvement plan and are content that good progress is being made. | Observation | Closed |
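As an added practitioner's check, not part of the NHS England report or of either organisation's own tooling, the PowerShell below shows how the three technical controls behind findings 9, 10 and 11 can be verified on the Processor's estate. It assumes a Windows file server holding the NHSE extract in an NTFS folder and BitLocker on the issued laptops; the folder path and the permitted group name are placeholders, since the report does not state them.

```powershell
# Added example (not from the audit report): assurance checks for findings 9, 10 and 11.
# Assumes a Windows file server with an NTFS folder holding the NHSE extract and a
# BitLocker-encrypted Windows laptop. Path and group names below are placeholders.
# Run in an elevated session: reading the SACL requires the Security privilege.

$DataFolder   = 'D:\Research\NHSE-Extract'                 # placeholder path
$PermittedIds = @('DOMAIN\NHSE-Data-Readers',              # placeholder: the only group that should have access
                  'NT AUTHORITY\SYSTEM',
                  'BUILTIN\Administrators')

# --- Finding 9: folder permissions -------------------------------------------
$acl = Get-Acl -Path $DataFolder

# Inheritance left enabled means any group granted on a parent (such as the share
# root) silently reaches the data. Flag it.
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$DataFolder still inherits permissions from its parent"
}

# List every access control entry and flag identities not on the permitted list.
$acl.Access | ForEach-Object {
    $status = if ($PermittedIds -contains $_.IdentityReference.Value) { 'OK    ' } else { 'REVIEW' }
    '{0} {1,-40} {2,-30} {3,-6} inherited={4}' -f $status, $_.IdentityReference,
        $_.FileSystemRights, $_.AccessControlType, $_.IsInherited
}

# --- Finding 10: audit trail -------------------------------------------------
# A SACL on the folder only produces Security log events (ID 4663) when the
# 'File System' subcategory of Object Access auditing is enabled on the server.
auditpol /get /subcategory:"File System"

$sacl = Get-Acl -Path $DataFolder -Audit
if (-not $sacl.Audit) {
    Write-Warning "No audit rules on $DataFolder - access will not be logged"
} else {
    $sacl.Audit | ForEach-Object {
        '{0,-40} {1,-30} {2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags
    }
}

# Recent access events for the folder (last 7 days). In event 4663 the account name
# is property 1 and the object name property 6.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$DataFolder*" } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

# --- Finding 11: full disk encryption strength (run on the laptop) -----------
$vol    = Get-BitLockerVolume -MountPoint 'C:'
$strong = @('Aes256', 'XtsAes256')
'{0} status={1} method={2} protection={3}' -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionMethod, $vol.ProtectionStatus
if ($strong -notcontains $vol.EncryptionMethod.ToString()) {
    Write-Warning 'Encryption method is below the AES-256 minimum set by the UHBW Cryptographic Control and Key Policy'
}
```

The permission listing warns where inheritance is still enabled and flags any entry whose identity is not on the permitted list, which is the route by which an unrelated security group reached the folder in finding 9. For finding 10 both halves are checked, because a SACL without the File System audit subcategory enabled produces no events and therefore no audit trail. BitLocker cannot change cipher strength in place: taking a volume from AES-128 to AES-256 means decrypting and re-encrypting it (or re-imaging the device), which is why addressing the laptop within the wider device upgrade is a proportionate resolution of finding 11.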
Opportunities for improvement - UoB
The following tables identify 6 opportunities for improvement which could help an organisation improve its controls and processes.
| Ref | Opportunity for improvement | Link to area |
|---|---|---|
| 1 | The UoB should consider implementing USB device port control. | Access Control |
| 2 | The postal addresses of all the processing and storage locations should be added to the Information Asset Register (IAR) entry for this study. | Operational Management |
| 3 | UoB should consider specialist training for the Information Asset Owners (IAO) and Information Asset Administrators (IAA). | Operational Management |
| 4 | In the event of an NHSE data breach or contract breach, the UoB should ensure that any person handling the event is familiar with and able to meet the defined NHSE reporting requirements. This was addressed immediately after the closing meeting and evidence was provided to the Audit Team. | Operational Management |
| 5 | The UoB should consider undertaking a compliance check against the requirements of the DSFC and DSA. | Operational Management |
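As an added example for opportunity for improvement 1, and not drawn from the report or from any UoB configuration, the PowerShell below reports whether a Windows endpoint restricts removable storage, either through the Removable Storage Access Group Policy settings or by disabling the USB mass storage driver. The registry locations are the documented Windows policy paths; the Disk Drives class GUID is Microsoft's published value.

```powershell
# Added example (not from the audit report): does this Windows endpoint control USB
# removable storage? Covers the 'Removable Storage Access' policy (all classes, and
# the Disk Drives class specifically) and the USBSTOR driver service start type.
# Read-only; no settings are changed.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # Disk Drives device setup class

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the named value, or $null when the key or value is absent (policy not set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$denyAllClasses = Get-RegValue $PolicyBase 'Deny_All'                 # "All Removable Storage classes: Deny all access"
$denyDiskRead   = Get-RegValue "$PolicyBase\$DiskClass" 'Deny_Read'
$denyDiskWrite  = Get-RegValue "$PolicyBase\$DiskClass" 'Deny_Write'
$usbstorStart   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'   # 4 = disabled

[pscustomobject]@{
    DenyAllRemovableStorage   = ($denyAllClasses -eq 1)
    DenyRemovableDiskRead     = ($denyDiskRead   -eq 1)
    DenyRemovableDiskWrite    = ($denyDiskWrite  -eq 1)
    UsbMassStorageDisabled    = ($usbstorStart   -eq 4)
    UsbDisksCurrentlyAttached = @(Get-Disk | Where-Object BusType -eq 'USB').Count
} | Format-List

# Blocking writes (or the driver) is what stops data leaving on a USB drive;
# read-only denial alone does not.
$controlled = ($denyAllClasses -eq 1) -or ($denyDiskWrite -eq 1) -or ($usbstorStart -eq 4)
if (-not $controlled) {
    Write-Warning 'No removable storage restriction found: data could be copied to a USB drive'
}
```

Run on a sample of the devices used for the study and compare the result with the control the UoB decides to adopt; the same check, re-run after deployment, is the validation testing that finding 4 asked for.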
Opportunities for improvement - UHBW
| Ref | Opportunity for improvement | Link to area |
|---|---|---|
| 6 | The UHBW should review the updates available for the STATA application and apply them to the UHBW laptops and devices as necessary. | Access Control |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 11 February 2026 8:21 am