
NHS England Data Sharing Remote Audit: UK Biobank

This report records the key findings of a remote data sharing audit of UK Biobank between 17 and 25 March 2025.

Audit summary

Purpose

This report records the key findings of a remote data sharing audit of UK Biobank between 17 and 25 March 2025. It provides an evaluation of how UK Biobank and its Processors conform to the requirements of:

  • the data sharing framework contract (DSFC) CON-309882-D1H7D
  • the data sharing agreement (DSA) DARS-NIC-08472-V9S6K-v19.2
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following data sets:

Dataset | Classification of data | Dataset period
Bridge file: Hospital Episode Statistics to Mental Health Minimum Data Set | Identifiable, Non-sensitive | N/A
Cancer Registration Data | Identifiable, Sensitive | Latest available
Civil Registrations of Death | Identifiable, Sensitive | Latest Available
COVID-19 Vaccination Status | Identifiable, Sensitive | Latest Available
Demographics | Identifiable, Sensitive | Latest Available
Hospital Episode Statistics Admitted Patient Care (HES APC) | Identifiable, Sensitive | 1997/98 – 2023/24
Hospital Episode Statistics Critical Care (HES Critical Care) | Identifiable, Non-sensitive | 2008/09 – 2023/24
Improving Access to Psychological Therapies (IAPT) v1.5 | Identifiable, Sensitive | 2012/13 – 2021/22
Medicines dispensed in Primary Care (NHSBSA data) | Identifiable, Sensitive | Latest Available
Mental Health and Learning Disabilities Data Set (MHLDDS) | Identifiable, Sensitive | 2014/15 – 2015/16
Mental Health Minimum Data Set (MHMDS) | Identifiable, Sensitive | 2006/07 – 2014/15
Mental Health Services Data Set (MHSDS) | Identifiable, Sensitive | 2016/17 – 2023/24
MRIS - Cause of Death Report | Identifiable, Sensitive | Historic Held
MRIS - Cohort Event Notification Report | Identifiable, Sensitive | Historic Held
MRIS - List Cleaning Report | Identifiable, Sensitive | Historic Held
MRIS - Members and Postings Report | Identifiable, Sensitive | Historic Held
National Diabetes Audit | Identifiable, Sensitive | 2003/04 – 2023/24
NDRS Cancer Registrations | Identifiable, Sensitive | Latest Available
NDRS National Radiotherapy Dataset (RTDS) | Identifiable, Sensitive | Latest Available
NDRS Somatic Molecular Dataset | Identifiable, Sensitive | Latest Available
NDRS Systemic Anti-Cancer Therapy Dataset (SACT) | Identifiable, Sensitive | Latest Available

The Controller is UK Biobank and the Processors are:

  • Amazon Web Services (AWS)
  • DNAnexus Inc.
  • Nuffield Department of Population Health (NDPH) at the University of Oxford

AWS do not have access to the data and only provide cloud hosting services. The DSA allows the Controller to share data with other organisations under a sub-license agreement.

DNAnexus act only on the instructions of UK Biobank, as the data processor (again subject to an agreement with UK Biobank) and do not have access to any identifiable participant data.

NDPH is the primary store (and reference copy) of the data that form the UK Biobank resource (including the data supplied by NHS England). NDPH, as a data processor (subject to their agreement with UK Biobank) act only on the instructions of UK Biobank and are required to store participant health data (such as the health data supplied by NHS England) in a secure environment and separately to any identifiers (such as name or NHS number).

UK Biobank is a long-term prospective health research study with a specific objective of following up the health of its participants through access to their health records. The resource, which is one of the most-used research resources for health-related research, enables researchers worldwide to study the genetic, social or economic determinants of both common and rare conditions. This in turn will improve the prevention, diagnosis and treatment of a wide range of serious and life-threatening illnesses by contributing to the development of public health guidance for the purposes of primary prevention, development of early detection biomarkers (e.g., polygenic risk scores or imaging biomarkers of internal organs) and the development of new and improved treatments for patients with existing conditions, all of which are of considerable benefit to the public. NHS England health record data is essential for UK Biobank to achieve its aims as a prospective resource enabling researchers to follow up participants and establish risk factors and causality of disease.

UK Biobank’s mission is to enable scientific discoveries that improve human health. UK Biobank’s operational objective is to combine extensive and precise measurement of exposures with detailed and rigorous follow-up for a wide range of health-related outcomes, and to promote innovative science by maximising secure research access to de-identified data.

Over the past 2 decades, UK Biobank has developed into a unique research resource, due to its very large size and the range and detail of participant-level data, including extensive phenotype and genotype information. It is now one of the most detailed and most used research resources for health-related research in the world, enabling researchers worldwide to study the genetic, social or economic determinants of both common and rare conditions that affect people in middle and older age, regardless of risk factors. The ability to link to participants’ health records from NHS England, in order to identify specific outcomes occurring during long-term participant follow-up to inform appropriate disease-based research, is critical and fundamental to UK Biobank’s mission.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.


Audit type and scope

Audit type: Focused

Scope areas:

  • Sub-licensing Processes and Procedures
  • Information Transfer
  • Access Control
  • Data Use and Benefits
  • Risk Management
  • Operational Management and Control
  • Data Destruction

Restrictions:

  • Access control - limited visibility of physical controls

Within the scope of this audit, NHS England conducted a review of UK Biobank’s sublicensing processes and procedures. Further information on the methodology used in this audit is shown in Appendix 1.

Overall risk statement

Based on evidence presented during the audit and the type of data being shared, the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Low

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

UK Biobank and NDPH have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

UK Biobank will establish a corrective action plan to address each finding shown in the findings table(s) in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with UK Biobank to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

The Audit Team has identified 3 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.


Findings

The following table identifies the 2 agreement nonconformities raised as part of the audit.


UK Biobank

Ref | Finding | Link to area | Clause | Designation
1 | There is no reference to the DSFC incident reporting requirements in UK Biobank and NDPH documents to immediately notify NHS England of any security incident or data breach. | Risk Management | DSFC - 4.1.8 and 4.1.9 | Agreement nonconformity
2 | The DSFC requires recipients to ensure that all data licensed under that DSA is securely and permanently destroyed or erased and provide NHS England with an auditable and documented record of destruction. UK Biobank’s internal data destruction processes were found to be adequate. However, the process for documenting data destruction by sublicensees does not require confirmation of the destruction method or evidence detailing the destruction process and the specific storage locations involved. | Data Destruction | DSFC – 4.1.7, 14.1, 14.2, Schedule 2 Section A 4.10, Schedule 2 Section B 4.5. Referenced Schedule 1 definitions. | Agreement nonconformity

Opportunities for improvement

The following table identifies 3 opportunities for improvement which could help an organisation improve its controls and/or processes.  

Ref | Opportunities for improvement | Link to area
1 | UK Biobank to consider including DSA details in their Information Asset Register (IAR), to help identify and manage DSA expiration dates. It should be noted that no findings were raised in relation to asset register processes. | Operational Management
2 | NDPH to consider implementing a policy governance framework or policy management policy to reduce the risk of policy gaps and improve accountability and governance. It should be noted that no findings were raised in relation to policies reviewed within the scope of the audit. | Operational Management
3 | NDPH to consider implementing a dormant IT user account policy/procedure/process. It should be noted that no findings were raised in relation to the management of dormant accounts. | Access Control

Use of data

UK Biobank confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were only being linked with those datasets explicitly allowed in the DSA.

Data location

UK Biobank and NDPH confirmed that processing and storage locations, including disaster recovery and backups of the datasets were limited to the locations shown in the following table. These locations conform to the territory of use defined in clause 2c of the DSA.

Organisation | Territory of use
UK Biobank | Worldwide
NDPH | England
Amazon Web Services | England
DNAnexus Inc. | England

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed. 

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report. 


Appendix 1

Within the scope of this audit, NHS England conducted a review of UK Biobank’s sublicensing processes and procedures.

The Audit Team selected a randomised sample of 25 sublicensees from a complete list provided by UK Biobank, ensuring representation across the following categories:

  • Sublicensees based within the UK
  • Sublicensees based outside the UK but within countries or territories that have been granted a data adequacy decision under UK data protection regulations
  • Sublicensees based outside the UK but within countries or territories that have not been granted a data adequacy decision under UK data protection regulations and are therefore subject to UK Biobank’s Transfer Risk Assessment (TRA)
  • Sublicensees who access data via UK Biobank’s Research Analysis Platform (RAP) only
  • Sublicensees who have downloaded NHS England data from the RAP onto their own systems for processing
  • Sublicensees with access to NHS England COVID-19 specific datasets
  • Sublicensees whose project has closed or has been completed

The Audit Team were provided with documentation held by UK Biobank for each sublicensee.

UK Biobank provided the following for each of the sampled sublicensees:

  • Sublicensing Agreement - Material Transfer Agreement (MTA)
  • Any additional addendums to the sublicensing agreement
  • Sublicensee application submitted to UK Biobank describing their project
  • Latest Annual Report submitted by the sublicensee
  • Evidence of the documented approval process completed for each sublicensing application
  • Where applicable, confirmation of projects being closed and data shared with sublicensees having been destroyed
  • For appropriate regions, the relevant TRA

The Audit Team reviewed the evidence provided by UK Biobank, ensuring compliance with the terms of UK Biobank’s DSA and DSFC and adherence to their own policies and procedures evidenced and discussed during the audit interview phase.

The following areas were assessed:

Sublicensing agreements

  • MTAs and addendums were reviewed ensuring that the sublicensee’s projects were referenced, and that the applicant principal researcher (or equivalent) had signed the agreement.
  • MTAs were reviewed to ensure each agreement restricted the purpose to the associated project, and that the MTA reflected the restrictions, special conditions and processes described in UK Biobank’s DSA.
  • Where appropriate, the Audit Team reviewed the additional clauses within MTAs. These included:
    • Conditions for use of COVID-19 datasets. Of the 25 sublicensees sampled, 7 were confirmed to have access to COVID-19 datasets and included the required conditions within their MTA.
    • Standard Contractual Clauses. Of the 25 sublicensees, 6 were located in territories where an associated TRA had also been provided. The evidence was reviewed and confirmed that additional Standard Contractual Clauses were in place for each of these sublicensees.

Annual reports

  • For projects that had been in progress for 1 year or longer, UK Biobank provided a copy of the latest completed annual report for each. Where a sublicensee’s annual report had not been submitted on time, UK Biobank provided a statement as to the reason why. The Audit Team assessed the reports to ensure they were compliant with UK Biobank’s policy, and they did not detail any changes that had not been captured within the relevant MTA.
  • Of the 25 sublicensees sampled, 6 were found not to have completed their latest annual report. UK Biobank provided statements relating to each of these. The Audit Team assessed these statements, and additional evidence. The 6 sublicensees were found to be compliant. The remaining 19 annual reports were provided and assessed as compliant by the Audit Team.

Sublicensee applications

  • UK Biobank provided extracts of the information submitted by each sublicensee when applying for access to the data. This information included a lay summary of the project, the methodology and the expected public value of the processing. The Audit Team reviewed this evidence to ensure the purposes and aims of each project aligned with the purposes and restrictions in UK Biobank’s DSA.
  • Each of the 25 applications sampled were assessed by the Audit Team and found to be compliant with the purposes for processing data within UK Biobank’s DSA.

Approval process

  • The Audit Team assessed evidence of the approval stages completed for each access request. The Audit Team found that for each of the 25 sublicensees sampled, each had been subject to the approvals process set out within UK Biobank’s policies.

Transfer Risk Assessments

  • UK Biobank provided the completed TRA for each of the applicable territories included within the sampling. Of the 25 sublicensees sampled, 6 were within territories where a TRA was necessary. These were:
    • Australia
    • China
    • India
    • Russia*
    • Singapore
    • United Arab Emirates
  • The Audit Team reviewed the TRA for each of these territories, ensuring UK Biobank had identified the relevant risks and appropriate mitigations, including the necessary Standard Contractual Clauses. Each of the 6 examples were found to have been completed and corresponded with the MTAs for each sublicensee.
  • Any resulting findings of the sublicensing sampling and review have been detailed within section 2 and section 3 of this report.
  • *Although outside the scope of this audit, UK Biobank confirmed that they no longer permit new research projects to take place in Russia following guidance from the UK government in 2022. Existing research projects were permitted to continue to completion, but no new projects or requests for additional data have been permitted.

Last edited: 10 June 2025 11:49 am