NHS England Data Access Remote Audit: University of Leeds and Leeds Teaching Hospitals NHS Trust
This report records the key findings of a remote data access audit of University of Leeds (UoL) and Leeds Teaching Hospitals NHS Trust (LTHT) between 4 November and 13 November 2024.
Audit summary
Purpose
This report records the key findings of a remote data access audit of University of Leeds (UoL) and Leeds Teaching Hospitals NHS Trust (LTHT) between 4 and 13 November 2024. It provides an evaluation of how UoL and LTHT and its Processor conform to the requirements of:
- the data sharing framework contracts (DSFC): CON-315426-K3W7R – UoL and CON-312951-B3L2Z – LTHT
- the data sharing agreement (DSA) DARS-NIC-402417-N9Z5W- v6.2
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following data sets:
Dataset | Classification of data | Dataset period |
---|---|---|
Cancer Waiting Times (CWT) Data Set | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Civil Registrations of Death | Pseudonymised, Sensitive | 2010/11 to Latest Available |
COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
COVID-19 Hospitalization in England Surveillance System | Pseudonymised, Sensitive | 2010/11 to Latest Available |
COVID-19 SGSS First Positives (Second Generation Surveillance System) | Pseudonymised, Sensitive | 2010/11 to Latest Available |
COVID-19 UK Non-hospital Antigen Testing Results (Pillar 2) | Pseudonymised, Sensitive | 2010/11 to Latest Available |
Hospital Episode Statistics Accident and Emergency (HES A and E) | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Hospital Episode Statistics Admitted Patient Care (HES APC) | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Hospital Episode Statistics Outpatients (HES OP) | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Medicines dispensed in Primary Care (NHSBSA data) | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
National Cancer Registration Data Set | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
NDRS Cancer Consolidated Data Set | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Radiotherapy Data Set | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Systemic Anti-Cancer Therapy Data Set | Pseudonymised, Non-sensitive | 2010/11 to Latest Available |
Uncurated Low Latency Hospital Data Sets - Emergency Care | Pseudonymised, Sensitive | 2010/11 to Latest Available |
The joint Controllers are UoL and LTHT and the Processor is NHS England (NHSE).
The Secure Data Environment (SDE) is a secure data and research analysis platform that is hosted by NHSE. It is part of an interoperable NHS Research SDE network.
This is the first audit on the SDE and is being treated as a pilot. The joint Controllers have stated that they have been working with NHSE (and NHS Digital prior to the merger with NHSE in 2023) in developing the SDE since 2020.
Under this DSA, the UoL and LTHT use the SDE to enable analyses of healthcare datasets to enumerate the impact of COVID-19 on cancer pathways. This includes the analysis of the impact on cancer referral, diagnosis, treatment and outcome. In addition, the analysis will look at the impact of cancer on COVID such as, on rates of COVID infection, hospitalisation and death in discrete health care regions.
The specific aims are to examine the effects of COVID-19 on referral, diagnosis and treatment of cancer; clinical trial activity, patient outcomes, COVID status and rates of COVID infection.
The work is managed by DATA-CAN, who are Health Data Research UK (HDRUK) Hub for Cancer, and is hosted by LTHT. It is founded by multiple organisations including UoL and LTHT. The work is organised into work packages led by representatives of DATA-CAN, employed by either of the joint Controllers.
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.
Audit type and scope
Audit type | Focused |
---|---|
Scope areas |
Access Control Data Use and Benefits Risk Management Operational Management and Control |
Restrictions |
Access control |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Medium
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
UoL and LTHT have reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UoL and LTHT will establish a corrective action plan to address each finding shown in the findings table in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with UoL and LTHT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.
The Audit Team has identified 6 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.
Findings
The following tables identify the 8 agreement nonconformities and 5 points for follow-up raised as part of the audit.
UoL
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
1 |
One user is accessing the SDE from an area outside the stated territory of use in the DSA (England and Wales). |
Use and Benefits |
DSA, Annex A, Section 2c DSFC, Part 2, Clause 3.1.1 |
Agreement nonconformity |
2 | There were four authorised SDE users who had requested 17 outputs (aggregated and small number suppressed), however there was a lack of evidence to demonstrate that the work (and the outputs) had been authorised by the Management Group (MG). | Use and Benefits | DSA, Annex A, Section 5a | Agreement nonconformity |
3 | SDE users on honorary contracts are accessing the SDE using non corporate devices which lack necessary security assurances. | Access Control |
DSFC, Part 2, Schedule 2, Section A, Clause 1.1
SDE End User Access Agreement, Clause 10.2 and 16.2 DSFC, Schedule 5, Clause 4.3 DSFC Schedule 2, Section A, Clause 4.5 |
Agreement nonconformity |
4 |
There were nine research and support staff identified who had access to the SDE under this DSA. Access had been granted by the authorised approver, however not through the formal authorisation process. It was acknowledged that a user tracker is needed for audit purposes. The Audit Team was informed that access had been authorised during the MG meetings, however there were no formal minutes from these meetings, apart from video recordings. The UoL failed to share the relevant parts of the video records that documented the authorisation of users to the SDE with the Audit Team. |
Access Control |
DSA, Clause 7.1 DSFC, Part 2, Clause 5.4.6 DSFC, Schedule 2, Section A, Clause 4.1 |
Agreement nonconformity |
5 |
There is no evidence provided to demonstrate regular reviews of user access to the SDE. Furthermore, access needs to be limited to users with active approved projects in the SDE. The Audit Team identified four active SDE account that had not accessed the SDE in the last six months. Furthermore, access needs to be limited to users with active approved projects in the SDE. |
Access Control |
DSFC, Schedule 2, Section A, Clause 4 .3 DSFC, Schedule 2, Section A, Clause 4.1 DSA, Clause 7.1 DSFC, Part 2, Clause 5.4.6 |
Agreement nonconformity |
6 |
There is limited evidence of key documentation to support the MG. No documentation was provided to support the Terms of Reference (ToR) or formal minutes from meetings for the last two years aligning to the requirement of the DSA. The MG is responsible for reviewing applications to access the SDE and ensuring that access aligns with the work package requirements in the DSA, and scientific and clinical ratification. There is limited evidence of key documentation to support the MG. No documentation was provided to support the Terms of Reference (ToR) or formal minutes from meetings for the last two years aligning to the requirement of the DSA. The MG is responsible for reviewing applications to access the SDE and ensuring that access aligns with the work package requirements in the DSA, and scientific and clinical ratification. It should be noted that the Scientific Steering Group (SSG) is referenced in the DSA, however this group has been combined with the MG, due to reduction in funding. The SSG ToR states that it is responsible for discussing matters relating to the scientific aspects of questions and topics and making recommendations to the MG. |
Use and Benefits | DSA, Annex A, Section 5a | Agreement nonconformity |
7 | There is one ongoing project in the SDE, and this was discussed in detail at the MG on 19 May 2022. Minutes were supplied to support this, however the outcome decision to approve the project was not noted. | Use and Benefits | DSA, Annex A, Section 5a | Agreement nonconformity |
8 | At the time of the audit, the UoL failed to provide sufficient evidence to show that LTHT users with active SDE accounts have completed data protection training in the last 12 months. | Operational Management | DSFC, Schedule 2, Section A, Clause 1.2.2 | Agreement nonconformity |
9 | At the post audit review, the Audit Team will request and review the honorary contract for authorised user with access to the SDE, that was not seen during the original audit. | Operational Management | DSA, Annex A, Section 5a | Follow-up |
10 | At the post audit review the Audit Team will review some final outputs produced. It was noted that there has been a delay due to data quality issues, resulting in no final outputs being available at the time of the audit. | Use and Benefits | DSA, Annex A, Section 5c | Follow-up |
11 | At the post audit review, the Audit Team will examine the DATA-CAN privacy policy as it needs to be updated and still refers to UCL partners. | Operational Management | DSA, Annex A, Section 4 | Follow-up |
LTHT
Ref | Finding | Link to area | Clause | Designation |
---|---|---|---|---|
12 | At the post audit review the Audit Team will examine the updated Data Protection Impact Assessment (DPIA). Although a DPIA was completed and approved in 2021, it now requires a review. |
Operational Management |
DSFC, Schedule 3, UK General Data Protection Regulation | Follow-up |
13 | There were 4 authorised SDE users who had requested 17 outputs (aggregated and small number suppressed), however there was a lack of evidence to demonstrate that the work (and the outputs) had been authorised by the Management Group (MG). | Operational Management |
DSFC, Schedule 3, UK General Data Protection Regulation DSFC, Schedule 2, Section A, Clause 3.2 |
Follow-up |
Opportunities for improvement
The following table identifies 6 opportunities for improvement which could help an organisation improve its controls and / or processes.
Ref |
Opportunities for improvement |
Link to Area |
1 |
UoL should consider obtaining acknowledgments of acceptance for the Visiting Title letters. These letters are used by UoL for honorary contractual arrangements with external users. However, since the letters do not require the researcher’s signatures, the UoL is currently relying on the receipt of the letter as a form of acceptance. |
Operational Management |
2 |
UoL should consider developing an honorary contract tracker that will alert the administrator when to disable access to the SDE based on the honorary contract end date and also act as an alert when honorary contract is due for renewal. |
Operational Management |
3 | UoL should consider providing guidance to SDE users that they must log on through the UoL portal when accessing the SDE. This will ensure that any files downloaded will be within the UoL secure environment. | Access Control |
4 | UoL should consider developing a process to identify SDE users who leave before the end of their honorary contract date without informing UoL, ensuring that their access to the SDE is promptly disabled. | Operational Management |
5 | UoL should consider allowing SDE users to add feasibility scripts to the GIT HUB. | Use and Benefits |
6 | UoL should consider adding SDE user details to the project spreadsheet to facilitate tracking. | Access Control |
Use of data
UoL and LTHT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another data set.
Data location
UoL confirmed that processing locations, including access of the datasets were not limited to the location shown in the following table. These locations do not conform with the territory of use defined in section 2c of the DSA. See finding 1 in Section 2 of this report.
Organisation | Territory of use |
---|---|
UoL | England/Wales |
LTHT | England/Wales |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 19 June 2025 11:57 am