NHS England Data Sharing Remote Audit: Manchester University NHS Foundation Trust
This report records the key findings of a remote data sharing audit of Manchester University NHS Foundation Trust (MFT) between 3 March and 7 March 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Manchester University NHS Foundation Trust (MFT) between 3 March and 7 March 2025. It provides an evaluation of how MFT and its Processor conform to the requirements of:
- the data sharing framework contract (DSFC) CON-324681-Z8K6R
- the data sharing agreement (DSA) DARS-NIC-656836-T2J0T-v2.3
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| National Cancer Registration and Analysis Service (NDRS) Cancer Registrations | Pseudonymised, Sensitive | Latest available |
| NDRS Linked Cancer Waiting Times (Treatments only) | Pseudonymised, Sensitive | Latest available |
| NDRS Linked Hospital Episode Statistics (HES) Accident and Emergency | Pseudonymised, Sensitive | Latest available |
| NDRS Linked HES Admitted Patient Care | Pseudonymised, Sensitive | Latest available |
| NDRS Linked HES Outpatient | Pseudonymised, Sensitive | Latest available |
| NDRS National Radiotherapy Dataset | Pseudonymised, Sensitive | Latest available |
The Controller is MFT and the Processor is The University of Manchester (UoM).
The DSA covers the Multifrequency Bioimpedance in the Early Detection of Lymphoedema Study (BEA study). The study determines how socioeconomic status, obesity and diabetes relate to breast cancer recurrence and death using 1229 female breast cancer patients undergoing Axillary Node Clearance. The aim of the study is to improve survival and reduce unwarranted variations in care for future breast cancer patients.
The original DSA was put in place between MFT and Public Health England (PHE) in 2021. The data was shared with MFT in 2021. The DSA was transferred to NHS Digital (now NHS England) in 2022. No further data is needed from NHS England.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
| Audit type | Focused |
|---|---|
| Scope areas |
Information Transfer (MFT and UoM) Access Control (UoM) Operational Management and Control (MFT and UoM) Data Destruction (UoM) |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
MFT and UoM have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
MFT and UoM will establish a corrective action plan to address each finding shown in the findings tables in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with MFT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 2 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following tables identify the 3 agreement nonconformities, 2 organisation nonconformities and 1 observation raised as part of the audit. During the audit 2 of these findings were closed.
MFT
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | There is no valid Data Processing Agreement (DPA) in place between MFT and UoM, which is a requirement in the DSA. The DSA has been renewed on an annual basis. | Information Transfer |
DSA, Schedule 1, Annex A, Section 5b |
Agreement nonconformity |
| 2 |
The DSA states that the data will not be backed up to another location, however, the UoM are backing up the data to another physical location. It should be noted that MFT confirmed that this statement was left in the DSA by mistake. |
Information Transfer |
DSA, Schedule 1, Annex A, Section 5b |
Agreement nonconformity |
| 3 | The Privacy Information on the MFT trials website hasn’t been updated in line with internal document updates. | Operational Management |
Records Management Policy Section 2, Records Retention Policy, Section 2, Records Retention Schedule |
Organisation nonconformity |
| 4 |
MFT are planning to transfer the data back from the UoM and store at MFT. MFT should:
|
Data Destruction |
DSFC, Schedule 2, Section A, Clause 4.10 DSFC, Schedule 2, Section B, Clause 4.5 DSFC, Schedule 3 NHS England Destruction and Disposal of Sensitive Data Good Practice Guidelines Version: 3.0 |
Observation |
UoM
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 |
UoM were not fully compliant with access control requirements outlined within the DSA. The DSA states that data will only be accessed by substantive employees, however, a PhD student was granted access to the data. UoM verbally stated that even though access was granted, the PhD student did not access the data, however there are no access logs available to support this for that period as they have passed the retention period. |
Access Control |
DSA, Schedule 1, Annex A, Section 5a |
Agreement nonconformity |
| 2 | The certificate of destruction, following data upload to Data Safe Haven (DSH) via the ingress virtual machine (VM), was not retained, which is a breach of UoM’s internal policy. The ingress VM is a temporary storage area for the data prior to being uploaded to the DSH. | Information Transfer | Data Safe Haven Standard Operating Procedure, Section 4 clause 4.3 |
Organisation nonconformity |
Opportunities for improvement - MFT
|
Ref |
Opportunities for improvement |
Link to Area |
|
1 |
MFT as the Controller should consider formally documenting the rationale for not completing a Data Protection Impact Assessment (DPIA) and Record of Processing Activities (ROPA) for the pseudonymised data supplied under the DSA. MFT believe that the data is low risk and have interpreted that a DPIA and ROPA are not required under General Data Protection Regulation (GDPR). The DSA states that the NDRS datasets supplied are classified as ‘pseudonymised’ and ‘sensitive’, and the legal basis for sharing GDPR ‘Article 6(1) (e) – public task’ and ‘Article 9(2)(h) – Health and social care’. The data supplied has been linked to pseudonymised BEU data (identifiers removed) through a unique person ID. It should be noted that UoM as the Processor have completed a DPIA screening questionnaire and ROPA. |
Operational Management |
|
2 |
MFT to consider updating the draft study report to indicate NHS England as the source of the data |
Use and Benefits |
Use of data
MFT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with the dataset explicitly allowed in the DSA.
Data location
MFT and the UoM confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of use |
|---|---|
| UoM | England/Wales |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| UoM | Disk | 28 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 10 June 2025 11:51 am