NHS England Data Sharing Remote Audit: UK Biobank
This report records the key findings of a remote data sharing audit of UK Biobank between 17 and 25 March 2025.
Audit summary
Purpose
This report records the key findings of a remote data sharing audit of UK Biobank between 17 and 25 March 2025. It provides an evaluation of how UK Biobank and its Processors conform to the requirements of:
- the data sharing framework contract (DSFC) CON-309882-D1H7D
- the data sharing agreement (DSA) DARS-NIC-08472-V9S6K-v19.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following data sets:
Dataset | Classification of data | Dataset period |
---|---|---|
Bridge file: Hospital Episode Statistics to Mental Health Minimum Data Set | Identifiable, Non-sensitive | N/A |
Cancer Registration Data | Identifiable, Sensitive | Latest available |
Civil Registrations of Death | Identifiable, Sensitive | Latest Available |
COVID-19 Vaccination Status | Identifiable, Sensitive | Latest Available |
Demographics | Identifiable, Sensitive | Latest Available |
Hospital Episode Statistics Admitted Patient Care (HES APC) | Identifiable, Sensitive | 1997/98 – 2023/24 |
Hospital Episode Statistics Critical Care (HES Critical Care) | Identifiable, Non-sensitive | 2008/09 – 2023/24 |
Improving Access to Psychological Therapies (IAPT) v1.5 | Identifiable, Sensitive | 2012/13 – 2021/22 |
Medicines dispensed in Primary Care (NHSBSA data) | Identifiable, Sensitive | Latest Available |
Mental Health and Learning Disabilities Data Set (MHLDDS) | Identifiable, Sensitive | 2014/15 – 2015/16 |
Mental Health Minimum Data Set (MHMDS) | Identifiable, Sensitive | 2006/07 – 2014/15 |
Mental Health Services Data Set (MHSDS) | Identifiable, Sensitive | 2016/17 – 2023/24 |
MRIS - Cause of Death Report | Identifiable, Sensitive | Historic Held |
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Historic Held |
MRIS - List Cleaning Report | Identifiable, Sensitive | Historic Held |
MRIS - Members and Postings Report | Identifiable, Sensitive | Historic Held |
National Diabetes Audit | Identifiable, Sensitive | 2003/04 – 2023/24 |
NDRS Cancer Registrations | Identifiable, Sensitive | Latest Available |
NDRS National Radiotherapy Dataset (RTDS) | Identifiable, Sensitive | Latest Available |
NDRS Somatic Molecular Dataset | Identifiable, Sensitive | Latest Available |
NDRS Systemic Anti-Cancer Therapy Dataset (SACT) | Identifiable, Sensitive | Latest Available |
The Controller is UK Biobank and the Processors are:
- Amazon Web Services (AWS)
- DNAnexus Inc.
- Nuffield Department of Population Health (NDPH) at the University of Oxford
AWS do not have access to the data and only provide cloud hosting services. The DSA allows the Controller to share data with other organisations under a sub-license agreement.
DNAnexus act only on the instructions of UK Biobank, as the data processor (again subject to an agreement with UK Biobank) and do not have access to any identifiable participant data.
NDPH is the primary store (and reference copy) of the data that form the UK Biobank resource (including the data supplied by NHS England). NDPH, as a data processor (subject to their agreement with UK Biobank) act only on the instructions of UK Biobank and are required to store participant health data (such as the health data supplied by NHS England) in a secure environment and separately to any identifiers (such as name or NHS number).
UK Biobank is a long-term prospective health research study with the specific objective of following up the health of its participants through access to their health records. The resource, which is one of the most-used research resources for health-related research, enables researchers worldwide to study the genetic, social or economic determinants of both common and rare conditions. This in turn will improve the prevention, diagnosis and treatment of a wide range of serious and life-threatening illnesses by contributing to the development of public health guidance for the purposes of primary prevention, the development of early detection biomarkers (e.g., polygenic risk scores or imaging biomarkers of internal organs) and the development of new and improved treatments for patients with existing conditions, all of which are of considerable benefit to the public. NHS England health record data is essential for UK Biobank to achieve its aims as a prospective resource enabling researchers to follow up participants and establish risk factors and causality of disease.
UK Biobank’s mission is to enable scientific discoveries that improve human health. UK Biobank’s operational objective is to combine extensive and precise measurement of exposures with detailed and rigorous follow-up for a wide range of health-related outcomes, and to promote innovative science by maximising secure research access to de-identified data.
Over the past 2 decades, UK Biobank has developed into a unique research resource, due to its very large size and the range and detail of participant-level data, including extensive phenotype and genotype information. It is now one of the most detailed and most used research resources for health-related research in the world, enabling researchers worldwide to study the genetic, social or economic determinants of both common and rare conditions that affect people in middle and older age, regardless of risk factors. The ability to link to participants’ health records from NHS England, in order to identify specific outcomes occurring during long-term participant follow-up to inform appropriate disease-based research, is critical and fundamental to UK Biobank’s mission.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
Audit type | Focused |
---|---|
Scope areas | Sub-licensing; Processes and Procedures; Information Transfer; Access Control; Data Use and Benefits; Risk Management; Operational Management and Control; Data Destruction |
Restrictions | Access control - limited visibility of physical controls |
Within the scope of this audit, NHS England conducted a review of UK Biobank’s sublicensing processes and procedures. Further information on the methodology used in this audit is shown in Appendix 1.
Overall risk statement
Based on the evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
UK Biobank and NDPH have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UK Biobank will establish a corrective action plan to address each finding shown in the findings table(s) in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with UK Biobank to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 3 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following table identifies the 2 agreement nonconformities raised as part of the audit.
UK Biobank
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 | UK Biobank and NDPH documents make no reference to the DSFC incident reporting requirement to immediately notify NHS England of any security incident or data breach. | Risk Management | DSFC - 4.1.8 and 4.1.9 | Agreement nonconformity |
2 | The DSFC requires recipients to ensure that all data licensed under that DSA is securely and permanently destroyed or erased and to provide NHS England with an auditable and documented record of destruction. UK Biobank’s internal data destruction processes were found to be adequate. However, the process for documenting data destruction by sublicensees does not require confirmation of the destruction method or evidence detailing the destruction process and the specific storage locations involved. | Data Destruction | DSFC – 4.1.7, 14.1, 14.2, Schedule 2 Section A 4.10, Schedule 2 Section B 4.5; referenced Schedule 1 definitions. | Agreement nonconformity |
Opportunities for improvement
The following table identifies 3 opportunities for improvement which could help an organisation improve its controls and/or processes.
Ref | Opportunities for improvement | Link to Area |
---|---|---|
1 | UK Biobank to consider including DSA details in their Information Asset Register (IAR), to help identify and manage DSA expiration dates. It should be noted that no findings were raised in relation to asset register processes. | Operational Management |
2 | NDPH to consider implementing a policy governance framework or policy management policy to reduce the risk of policy gaps and improve accountability and governance. It should be noted that no findings were raised in relation to policies reviewed within the scope of the audit. | Operational Management |
3 | NDPH to consider implementing a dormant IT user account policy/procedure/process. It should be noted that no findings were raised in relation to the management of dormant accounts. | Access Control |
Use of data
UK Biobank confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.
Data location
UK Biobank and NDPH confirmed that the processing and storage locations of the datasets, including disaster recovery and backups, were limited to the locations shown in the following table. These locations conform to the territory of use defined in clause 2c of the DSA.
Organisation | Territory of use |
---|---|
UK Biobank | Worldwide |
NDPH | England |
Amazon Web Services | England |
DNAnexus Inc. | England |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Appendix 1
Within the scope of this audit, NHS England conducted a review of UK Biobank’s sublicensing processes and procedures.
The Audit Team selected a randomised sample of 25 sublicensees from a complete list provided by UK Biobank, ensuring representation across the following categories:
- Sublicensees based within the UK
- Sublicensees based outside the UK but within countries or territories that have been granted a data adequacy decision under UK data protection regulations
- Sublicensees based outside the UK but within countries or territories that have not been granted a data adequacy decision under UK data protection regulations and are therefore subject to UK Biobank’s Transfer Risk Assessment (TRA)
- Sublicensees who access data via UK Biobank’s Research Analysis Platform (RAP) only
- Sublicensees who have downloaded NHS England data from the RAP onto their own systems for processing
- Sublicensees with access to NHS England COVID-19 specific datasets
- Sublicensees whose project has closed or has been completed
The Audit Team were provided with documentation held by UK Biobank for each sublicensee.
UK Biobank provided the following for each of the sampled sublicensees:
- Sublicensing Agreement - Material Transfer Agreement (MTA)
- Any additional addendums to the sublicensing agreement
- Sublicensee application submitted to UK Biobank describing their project
- Latest Annual Report submitted by the sublicensee
- Evidence of the documented approval process completed for each sublicensing application
- Where applicable, confirmation of projects being closed and data shared with sublicensees having been destroyed
- For appropriate regions, the relevant TRA
The Audit Team reviewed the evidence provided by UK Biobank, ensuring compliance with the terms of UK Biobank’s DSA and DSFC and adherence to their own policies and procedures evidenced and discussed during the audit interview phase.
The following areas were assessed:
Sublicensing agreements
- MTAs and addendums were reviewed ensuring that the sublicensee’s projects were referenced, and that the applicant principal researcher (or equivalent) had signed the agreement.
- MTAs were reviewed to ensure each agreement restricted the purpose to the associated project, and that the MTA reflected the restrictions, special conditions and processes described in UK Biobank’s DSA.
- Where appropriate, the Audit Team reviewed the additional clauses within MTAs. These included:
  - Conditions for use of COVID-19 datasets. Of the 25 sublicensees sampled, 7 were confirmed to have access to COVID-19 datasets and included the required conditions within their MTA.
  - Standard Contractual Clauses. Of the 25 sublicensees, 6 were located in territories where an associated TRA had also been provided. The evidence was reviewed and confirmed that additional Standard Contractual Clauses were in place for each of these sublicensees.
Annual reports
- For projects that had been in progress for 1 year or longer, UK Biobank provided a copy of the latest completed annual report for each. Where a sublicensee’s annual report had not been submitted on time, UK Biobank provided a statement as to the reason why. The Audit Team assessed the reports to ensure they were compliant with UK Biobank’s policy, and they did not detail any changes that had not been captured within the relevant MTA.
- Of the 25 sublicensees sampled, 6 were found not to have completed their latest annual report. UK Biobank provided statements relating to each of these. The Audit Team assessed these statements, and additional evidence. The 6 sublicensees were found to be compliant. The remaining 19 annual reports were provided and assessed as compliant by the Audit Team.
Sublicensee applications
- UK Biobank provided extracts of the information submitted by each sublicensee when applying for access to the data. This information included a lay summary of the project, the methodology and the expected public value of the processing. The Audit Team reviewed this evidence to ensure the purposes and aims of each project aligned with the purposes and restrictions in UK Biobank’s DSA.
- Each of the 25 applications sampled was assessed by the Audit Team and found to be compliant with the purposes for processing data within UK Biobank’s DSA.
Approval process
- The Audit Team assessed evidence of the approval stages completed for each access request and found that each of the 25 sublicensees sampled had been subject to the approvals process set out within UK Biobank’s policies.
Transfer Risk Assessments
- UK Biobank provided the completed TRA for each of the applicable territories included within the sampling. Of the 25 sublicensees sampled, 6 were within territories where a TRA was necessary. These were:
  - Australia
  - China
  - India
  - Russia*
  - Singapore
  - United Arab Emirates
- The Audit Team reviewed the TRA for each of these territories, ensuring UK Biobank had identified the relevant risks and appropriate mitigations, including the necessary Standard Contractual Clauses. Each of the 6 examples was found to have been completed and to correspond with the MTAs for each sublicensee.
- Any resulting findings of the sublicensing sampling and review have been detailed within section 2 and section 3 of this report.
- *Although outside the scope of this audit, UK Biobank confirmed that they no longer permit new research projects to take place in Russia following guidance from the UK government in 2022. Existing research projects were permitted to continue to completion, but no new projects or requests for additional data have been permitted.
Last edited: 10 June 2025 11:49 am