NHS England Data Sharing Remote Audit: Ipsos
This report records the key findings of a remote data sharing audit of Ipsos between 25 November and 5 December 2024.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of Ipsos between 25 November and 5 December 2024. It provides an evaluation of how Ipsos and its Processors conform to the requirements of:
-
the data sharing framework contract (DSFC) CON-325063-H0M5Y-v2.02
-
the data sharing agreement (DSA) DARS-NIC-663093-K1B0K-v1.5
-
the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Maternity Services Data Set (MSDS) v2 | Identifiable, Non-sensitive | 2023/24 M09 |
| Demographics | Identifiable, Sensitive | Latest available |
The Controller is Department of Health and Social Care (DHSC) and the Processors are Ipsos, Formara Limited and Textlocal Limited.
The DHSC requires NHS England data for the purpose of the Infant Feeding Survey (IFS).
The IFS is a well-established survey having been run periodically since 1975. This will be the ninth wave of the survey. The principal purpose of the survey is to collect data that will provide national estimates on the incidence, prevalence and duration of breastfeeding and other feeding practices adopted by mothers during the first eight to ten months after their baby is born. The survey was a key commitment in government’s 2019 childhood obesity plan.
DHSC has commissioned Ipsos to run the IFS. Access is required by Ipsos, on behalf of DHSC, to select the survey sample, carry out the mailing of the questionnaires and send the associated reminders. Ipsos have contracted Formara Limited and Textlocal Limited to carry out specific processing in the form of postal mailings and SMS text messaging.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.1.
Audit type and scope
| Audit type | Focused |
|---|---|
| Scope areas |
Information Transfer Access Control Data Use and Benefits Data Destruction |
| Restrictions |
Access control - limited visibility of physical controls |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
DHSC as Controller along with Ipsos, Formara Limited and Textlocal Limited as Processors have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
Ipsos, Formara Limited and Textlocal Limited will establish a corrective action plan to address each finding shown in the findings tables in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with Ipsos, Formara Limited and Txtlocal Limited to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 2 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following tables identify the 4 agreement nonconformities, 2 organisation nonconformities, 3 observations and 1 points for follow-up raised as part of the audit.
IPSOS
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
| 1 | A special condition outlined within the DSA with regards to the destruction of data provided by NHS England has not been met. | Data Destruction | DSA, Annex A, Section 6 | Agreement nonconformity |
| 2 | The details of one processor listed on the DSA is incorrect. | Access Control | DSA, Annex A, Section 1c | Agreement nonconformity |
| 3 | Two processors have not been declared on the DSA. | Access Control | DSA, Annex A, Section 1c | Agreement nonconformity |
| 4 | Three medium-rated findings identified during a security assessment performed by Ipsos were not remediated within the appropriate timescale, inline with Ipsos policy. | Access Control | Ipsos Global Vulnerability Management Policy, version 6 | Organisation nonconformity |
| 5 | Ipsos have not completed a Vendor Onboard questionnaire or a Vendor-IT Security Context Question Table for one processor. | Access Control | Ipsos Global Supplier Assessment and Selection Policy, version 2.9 | Organisation nonconformity |
| 6 | One processor advised the Audit Team that they do not provide any data destruction receipt subsequent to data destruction. | Data Destruction | DSA, Annex A, Section 6 | Observation |
| 7 | A certificate of destruction must be provided to the Data Access Service (DAS) when the data that currently resides within all storage locations is destroyed. | Data Destruction | DSA, Annex A, Section 6 | Observation |
| 8 | At the post audit review, the Audit Team will receive an update on the specific outputs that are outlined within section 5c of the DSA. The Audit Team was informed that Ipsos will begin to write the report in January 2025 and publication is expected later in 2025. | Use and Benefits | Follow-up |
Formara Limited
| Ref | Finding | Link to Area | Clause | Designation | ||
| 9 | The server being used to store data provided by NHS England is approaching end-of-support. | Access Control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
Textlocal Limited
| Ref | Finding | Link to Area | Clause | Designation |
| 10 | Txtlocal Ltd have not completed their annual DSPT submission. | Access Control | DSA, Annex A, Section 6 | Agreement nonconformity |
Opportunities for improvement
|
Ref |
Opportunities for improvement |
Link to Area |
|
1 |
All processors to be provided with a copy of the DSFC and the DSA. |
Operational Management |
|
2 |
The version control record for the IFS Data Protection Impact Assessment (DPIA) version 6 should be kept up to date. |
Operational Management |
Use of data
Ipsos, Formara Limited and Txtlocal Ltd confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another dataset.
Data location
Ipsos, Formara Limited and Txtlocal Ltd confirmed that processing and storage locations, including disaster recovery and backups, of the datasets were limited to the locations shown in the following table. These locations conform with the territory of use defined in clause 2c of the DSA.
| Organisation | Territory of Use |
|---|---|
| Ipsos | UK and EEA |
| Formara Limited | UK and EEA |
| Txtlocal Ltd | UK and EEA |
Backup retention
The duration for which data may be retained on backup media is:
| Organisation | Media type | Period |
|---|---|---|
| Ipsos | Tape | 10 years |
| Formara Limited | Disk | 56 days |
| Txtlocal Ltd | Cloud | 28 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 17 April 2025 1:46 pm