NHS England Post Audit Review: LA-SER Europe Limited
This report provides the formal closure of the remote data sharing audit of LA-SER Europe Limited (LE), between 13 and 16 May 2024.
Audit summary
Purpose
This report provides the formal closure of the remote data sharing audit of LA-SER Europe Limited (LE), between 13 and 16 May 2024 against the requirements of:
- the data sharing framework contract (DSFC) CON-280098-H3R8C-v2.02
- the data sharing agreement (DSA) DARS-NIC-682048-S9P4H-v1.2
- the organisations’ own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| NDRS Cancer Registrations | Anonymised/Pseudonymised, Sensitive | Latest available |
| NDRS Linked HES AE | Anonymised/Pseudonymised, Sensitive | 01April 2007 to 31 March 2020 |
| NDRS Linked HES Outpatient | Anonymised/Pseudonymised, Sensitive | Latest available |
| NDRS Systemic Anti-Cancer Therapy Dataset (SACT) | Anonymised/Pseudonymised, Sensitive | Latest available |
The Controller is LE and the Processors are Certara France and Microsoft UK. Microsoft UK do not have access to the data and only provide cloud hosting services.
Further guidance on the terms used in this post audit review report can be found in version 4 of the Data Sharing Audit Guide.
Post Audit Review
This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by LE between 18 and 30 June 2025.
Post Audit Review Outcome
Based on the evidence provided by LE, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and LE.
Updated risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low
Original risk statement: Low
Current risk statement: Low
This risk represents a deviation from the terms and conditions of the contractual documents, signed by both parties. In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data Recipient’s Acceptance Statement
LE has reviewed this report and confirmed that it is accurate.
Findings
The following table identifies the 1 observation and 1 point for follow-up raised as part of the original audit.
| Ref | Finding | Link to area | Update | Designation | Status |
|---|---|---|---|---|---|
| 1 | It should be recognised that incidents, breaches or deviations to the DSFC must be reported immediately to NHS England. This type of reporting should be recognised and clearly documented in addition to any other regulatory reporting that may be required. | Operational Management | LE supplied both an amendment to their Security and Privacy Incident Response procedure, along with evidence of a communication to the whole project team, reinforcing the need for NHS England to be immediately notified in the event of an incident or breach. | Observation | Closed |
| 2 | At the post audit review, the Audit Team will review the outputs specified within Annex A, Section 5c of the DSA. | Use and Benefits | The Audit Team were supplied with examples of outputs, in both reports and a peer review journal. Evidence was also provided that illustrated how presentations were made by project team members at an international conference. These outputs align with expectations within the DSA. | Follow-up | Closed |
Opportunities for improvement
The following table identifies 2 opportunity for improvement which could help an organisation improve its controls and / or processes.
| Ref | Opportunity for improvement | Link to Area |
| 1. | LE should consider revising its policy on data stored locally on machines. It should be noted that no data provided by NHS England was being stored locally. | Access Control |
| 2. | LE should consider updating its Data Processing and Data Workflows Policy to specify that the National Cancer Registration and Analysis Service (NCRAS) database is not stored locally on a laptop. | Access Control |
Disclaimer
NHS England takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS England cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.
Last edited: 31 July 2025 10:44 am