NHS England Data Sharing Remote Audit: Home Office
This report records the key findings of a remote data sharing audit of the Home Office between 23 and 27 June 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of the Home Office between 23 and 27 June 2025. It provides an evaluation of how the Home Office and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-622644-N9S3P-v2.03
- the data sharing agreement (DSA) DARS-NIC-698171-K4M0B-v0.3
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics (HES) Admitted Patient Care (HES APC) | Aggregated – Small Numbers Not Suppresses |
2009/10 – 2026/27 Q03 |
The Controller is the Home Office and the Processors are Amazon Web Services (AWS), London School of Economics and Political Science (LSE), Microsoft Limited and RAND Europe Community Interest Company.
The Home Office aims to improve the design and implementation of drugs policy by using evidence and analysis to better understand the drugs landscape and the impact of government policies on this landscape. The Director of Addictions & Inclusion at the Office for Health Improvement and Disparities (OHID) within the Department for Health and Social Care (DHSC) is directly in support of this request, which is intended to help OHID to inform drug and alcohol treatment and recovery policy and programme development. The interventions to be evaluated as part of this data processing are all part of the cross-government Drugs Strategy, which brings together the Home Office, DHSC, and other government departments to tackle drug misuse and harms. The Home Office already works closely with DHSC on its drugs interventions. Responding to drug misuse is a multi-departmental issue and learning from the criminal justice system can inform the health system, and vice versa.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
|
Audit type |
Focused |
|
Scope areas |
Access Control Data Use and Benefits |
|
Restrictions |
Access control – limited only to those with access to the NHS England data within the terms of the DSA |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
The Home Office has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
The Home Office provided evidence following the audit which closed the nonconformity finding. There is no requirement for the Home Office to produce a corrective action plan, therefore, no post audit review will be conducted by the Audit Team.
The Audit Team has identified 1 opportunity for improvement in section 3 which is provided for reference only and will not be followed up.
Findings
The following table identifies the 1 agreement nonconformity raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
|
Home Office did not provide NHS England with a certificate of destruction after the destruction of data by one of its processors in June 2024, a certificate of destruction and an amendment to the DSA must be submitted to NHS England as required by the DSA. It should be noted that the Home Office should also maintain a copy of the destruction certificate. Following the audit LSE provided the audit team with a copy of the data destruction certificate. This finding is closed and will not be followed up as part of the post audit review. |
Use and Benefits | DSA Section 6 Special Conditions (5.0) |
Agreement nonconformity |
Opportunities for improvement
The following table identifies 1 opportunity for improvement which could help an organisation improve its controls and processes.
|
Ref |
Opportunities for improvement |
Link to Area |
|
1 |
Home Office to consider completing meeting notes when discussing future projects with processors. |
Use and Benefits |
Use of data
The Home Office confirmed that the dataset was only being processed and used for the purposes defined in the DSA and was not being linked with another dataset.
Data location
The Home Office confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| Home Office | England and Wales |
| RAND | England and Wales |
| LSE | England and Wales |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 16 September 2025 3:17 pm