Skip to main content

NHS England Data Access Remote Audit: University of Leeds and Leeds Teaching Hospitals NHS Trust

This report records the key findings of a remote data access audit of University of Leeds (UoL) and Leeds Teaching Hospitals NHS Trust (LTHT) between 4 November and 13 November 2024.

Audit summary

Purpose

This report records the key findings of a remote data access audit of University of Leeds (UoL) and Leeds Teaching Hospitals NHS Trust (LTHT) between 4 and 13 November 2024. It provides an evaluation of how UoL and LTHT and its Processor conform to the requirements of:

  • the data sharing framework contracts (DSFC): CON-315426-K3W7R – UoL and CON-312951-B3L2Z – LTHT
  • the data sharing agreement (DSA) DARS-NIC-402417-N9Z5W- v6.2
  • the organisation’s own policies, processes and procedures

This DSA covers the provision of the following data sets:

Dataset Classification of data Dataset period
Cancer Waiting Times (CWT) Data Set Pseudonymised, Non-sensitive 2010/11 to Latest Available
Civil Registrations of Death Pseudonymised, Sensitive 2010/11 to Latest Available
COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) Pseudonymised, Non-sensitive 2010/11 to Latest Available
COVID-19 Hospitalization in England Surveillance System Pseudonymised, Sensitive 2010/11 to Latest Available
COVID-19 SGSS First Positives (Second Generation Surveillance System) Pseudonymised, Sensitive 2010/11 to Latest Available
COVID-19 UK Non-hospital Antigen Testing Results (Pillar 2) Pseudonymised, Sensitive 2010/11 to Latest Available
Hospital Episode Statistics Accident and Emergency (HES A and E) Pseudonymised, Non-sensitive 2010/11 to Latest Available
Hospital Episode Statistics Admitted Patient Care (HES APC) Pseudonymised, Non-sensitive 2010/11 to Latest Available
Hospital Episode Statistics Outpatients (HES OP) Pseudonymised, Non-sensitive 2010/11 to Latest Available
Medicines dispensed in Primary Care (NHSBSA data) Pseudonymised, Non-sensitive 2010/11 to Latest Available
National Cancer Registration Data Set Pseudonymised, Non-sensitive 2010/11 to Latest Available
NDRS Cancer Consolidated Data Set Pseudonymised, Non-sensitive 2010/11 to Latest Available
Radiotherapy Data Set Pseudonymised, Non-sensitive 2010/11 to Latest Available
Systemic Anti-Cancer Therapy Data Set Pseudonymised, Non-sensitive 2010/11 to Latest Available
Uncurated Low Latency Hospital Data Sets - Emergency Care Pseudonymised, Sensitive 2010/11 to Latest Available

The joint Controllers are UoL and LTHT and the Processor is NHS England (NHSE).

The Secure Data Environment (SDE) is a secure data and research analysis platform that is hosted by NHSE. It is part of an interoperable NHS Research SDE network.

This is the first audit on the SDE and is being treated as a pilot. The joint Controllers have stated that they have been working with NHSE (and NHS Digital prior to the merger with NHSE in 2023) in developing the SDE since 2020.

Under this DSA, the UoL and LTHT use the SDE to enable analyses of healthcare datasets to enumerate the impact of COVID-19 on cancer pathways. This includes the analysis of the impact on cancer referral, diagnosis, treatment and outcome. In addition, the analysis will look at the impact of cancer on COVID such as, on rates of COVID infection, hospitalisation and death in discrete health care regions.

The specific aims are to examine the effects of COVID-19 on referral, diagnosis and treatment of cancer; clinical trial activity, patient outcomes, COVID status and rates of COVID infection.

The work is managed by DATA-CAN, who are Health Data Research UK (HDRUK) Hub for Cancer, and is hosted by LTHT. It is founded by multiple organisations including UoL and LTHT. The work is organised into work packages led by representatives of DATA-CAN, employed by either of the joint Controllers.

The interviews during the audit were conducted through video conferencing.

This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4.0.


Audit type and scope

Audit type Focused
Scope areas

Access Control

Data Use and Benefits

Risk Management

Operational Management and Control
Restrictions

Access control

Overall risk statement

Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.

Current risk statement: Medium

This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.


Data recipient’s acceptance statement

UoL and LTHT have reviewed this report and confirmed that it is accurate.

Data recipient’s action plan

UoL and LTHT will establish a corrective action plan to address each finding shown in the findings table in section 2. The Audit Team will validate this plan and the resultant actions at a post audit review with UoL and LTHT to confirm the findings have been satisfactorily addressed. The post audit review will also consider the outstanding evidence at which point the Audit Team may raise further findings.

The Audit Team has identified 6 opportunities for improvement in section 3 which are provided for reference only and will not be followed up as part of any post audit review.


Findings

The following tables identify the 8 agreement nonconformities and 5 points for follow-up raised as part of the audit.


UoL

Ref Finding Link to area Clause Designation
1

One user is accessing the SDE from an area outside the stated territory of use in the DSA (England and Wales).

​​Use and Benefits

DSA, Annex A, Section 2c

DSFC, Part 2, Clause 3.1.1
Agreement nonconformity
2 There were four authorised SDE users who had requested 17 outputs (aggregated and small number suppressed), however there was a lack of evidence to demonstrate that the work (and the outputs) had been authorised by the Management Group (MG). ​​Use and Benefits DSA, Annex A, Section 5a Agreement nonconformity
3 SDE users on honorary contracts are accessing the SDE using non corporate devices which lack necessary security assurances. Access Control
DSFC, Part 2, Schedule 2, Section A, Clause 1.1

SDE End User Access Agreement, Clause 10.2 and 16.2

DSFC, Schedule 5, Clause 4.3

DSFC Schedule 2, Section A, Clause 4.5

Agreement nonconformity
4

There were nine research and support staff identified who had access to the SDE under this DSA. Access had been granted by the authorised approver, however not through the formal authorisation process. It was acknowledged that a user tracker is needed for audit purposes. 

The Audit Team was informed that access had been authorised during the MG meetings, however there were no formal minutes from these meetings, apart from video recordings. The UoL failed to share the relevant parts of the video records that documented the authorisation of users to the SDE with the Audit Team.

Access Control

DSA, Clause 7.1

DSFC, Part 2, Clause 5.4.6

DSFC, Schedule 2, Section A, Clause 4.1 

Agreement nonconformity
5

There is no evidence provided to demonstrate regular reviews of user access to the SDE. Furthermore, access needs to be limited to users with active approved projects in the SDE.

The Audit Team identified four active SDE account that had not accessed the SDE in the last six months. Furthermore, access needs to be limited to users with active approved projects in the SDE.

Access Control

DSFC, Schedule 2, Section A, Clause 4 .3

DSFC, Schedule 2, Section A, Clause 4.1

DSA, Clause 7.1

DSFC, Part 2, Clause 5.4.6

Agreement nonconformity
6

There is limited evidence of key documentation to support the MG. No documentation was provided to support the Terms of Reference (ToR) or formal minutes from meetings for the last two years aligning to the requirement of the DSA. The MG is responsible for reviewing applications to access the SDE and ensuring that access aligns with the work package requirements in the DSA, and scientific and clinical ratification.

There is limited evidence of key documentation to support the MG. No documentation was provided to support the Terms of Reference (ToR) or formal minutes from meetings for the last two years aligning to the requirement of the DSA. The MG is responsible for reviewing applications to access the SDE and ensuring that access aligns with the work package requirements in the DSA, and scientific and clinical ratification.

It should be noted that the Scientific Steering Group (SSG) is referenced in the DSA, however this group has been combined with the MG, due to reduction in funding. The SSG ToR states that it is responsible for discussing matters relating to the scientific aspects of questions and topics and making recommendations to the MG.

Use and Benefits DSA, Annex A, Section 5a Agreement nonconformity
7 There is one ongoing project in the SDE, and this was discussed in detail at the MG on 19 May 2022.  Minutes were supplied to support this, however the outcome decision to approve the project was not noted. Use and Benefits DSA, Annex A, Section 5a Agreement nonconformity
8 At the time of the audit, the UoL failed to provide sufficient evidence to show that LTHT users with active SDE accounts have completed data protection training in the last 12 months. Operational Management DSFC, Schedule 2, Section A, Clause 1.2.2 Agreement nonconformity
9 At the post audit review, the Audit Team will request and review the honorary contract for authorised user with access to the SDE, that was not seen during the original audit. Operational Management DSA, Annex A, Section 5a Follow-up
10 At the post audit review the Audit Team will review some final outputs produced. It was noted that there has been a delay due to data quality issues, resulting in no final outputs being available at the time of the audit. Use and Benefits DSA, Annex A, Section 5c Follow-up
11 At the post audit review, the Audit Team will examine the DATA-CAN privacy policy as it needs to be updated and still refers to UCL partners. Operational Management DSA, Annex A, Section 4 Follow-up

LTHT

Ref Finding Link to area Clause Designation
12 At the post audit review the Audit Team will examine the updated Data Protection Impact Assessment (DPIA). Although a DPIA was completed and approved in 2021, it now requires a review.

Operational

Management

DSFC, Schedule 3, UK General Data Protection Regulation Follow-up
13 There were 4 authorised SDE users who had requested 17 outputs (aggregated and small number suppressed), however there was a lack of evidence to demonstrate that the work (and the outputs) had been authorised by the Management Group (MG). Operational Management

DSFC, Schedule 3, UK General Data Protection Regulation

DSFC, Schedule 2, Section A, Clause 3.2

Follow-up

Opportunities for improvement

The following table identifies 6 opportunities for improvement which could help an organisation improve its controls and / or processes.  

Ref

Opportunities for improvement

Link to Area 

1

UoL should consider obtaining acknowledgments of acceptance for the Visiting Title letters. These letters are used by UoL for honorary contractual arrangements with external users. However, since the letters do not require the researcher’s signatures, the UoL is currently relying on the receipt of the letter as a form of acceptance.

​​Operational Management​ 

2

UoL should consider developing an honorary contract tracker that will alert the administrator when to disable access to the SDE based on the honorary contract end date and also act as an alert when honorary contract is due for renewal.

​​Operational Management​

3 UoL should consider providing guidance to SDE users that they must log on through the UoL portal when accessing the SDE. This will ensure that any files downloaded will be within the UoL secure environment. Access Control
4 UoL should consider developing a process to identify SDE users who leave before the end of their honorary contract date without informing UoL, ensuring that their access to the SDE is promptly disabled. Operational Management
5 UoL should consider allowing SDE users to add feasibility scripts to the GIT HUB. Use and Benefits
6 UoL should consider adding SDE user details to the project spreadsheet to facilitate tracking. Access Control

Use of data

UoL and LTHT confirmed that the datasets were only being processed and used for the purposes defined in the DSA and were not being linked with another data set.

Data location

UoL confirmed that processing locations, including access of the datasets were not limited to the location shown in the following table. These locations do not conform with the territory of use defined in section 2c of the DSA. See finding 1 in Section 2 of this report.

Organisation Territory of use
UoL England/Wales
LTHT England/Wales

Disclaimer

The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed. 

NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report. 

Last edited: 19 June 2025 11:57 am