NHS England Data Sharing Audit: University of Newcastle
This report records the key findings of a remote data sharing audit of University of Newcastle (UoN) between 3 and 6 November 2025.
Audit summary
This report records the key findings of a remote data sharing audit of University of Newcastle (UoN) between 3 and 6 November 2025. It provides an evaluation of how UoN conforms to the requirements of:
- the data sharing framework contract (DSFC) CON-318044-Z5W4J-v2.02
- the data sharing agreement (DSA) DARS-NIC-167794-K1P8H-v4.3
- the organisation’s own policies, processes and procedures
This DSA covers the provision of the following datasets:
| Dataset | Classification of data | Dataset period |
|---|---|---|
| Hospital Episode Statistics Admitted Patient Care (HES APC) | Pseudonymised, Non-sensitive | 1997/98 to 2024/25 |
The Controller is UoN.
UoN requires access to NHS England data for the purpose of the following research project: Impact of patient choice in inequality in surgical and diagnostic procedures.
The following is a summary of the aims of the research project provided by UoN:
UoN seek to examine the impact of patient choice in the NHS in both secondary care as choice of provider and in primary care as choice of GP.
Research Questions:
1. Since the introduction of patient choice of general practitioner (GP) in 2015 and free choice at referral between 2006 and 2008 in the NHS in England, what has been the effect on elective treatment access, utilisation and quality for hip and knee replacement, cataract surgery, arthroscopies, hernia operations and cholecystectomies?
2. Have any changes in access, utilisation and quality occurred equitably with respect to socio-economic deprivation, age, gender and comorbidity?
3. What is the effect of selecting a GP out of area, the use of different provider types and the use of referral management centres on equity?
4. Are there modifiable delivery or implementation aspects of the "patient choice" procedures and processes that could ameliorate any inequities found in the analysis?
The interviews during the audit were conducted through video conferencing.
This is an exception report based on the criteria expressed in the Data Sharing Audit Guide version 4
Audit type and scope
|
Audit type |
Focused |
|---|---|
|
Scope areas |
Data Use and Benefits Data Destruction |
Overall risk statement
Based on evidence presented during the audit and the type of data being shared the following risk has been assigned from the options of Critical - High - Medium - Low.
Current risk statement: Low
In deriving this risk, the Audit Team takes into account compliance, duty of care, confidentiality and integrity, as appropriate.
Data recipient’s acceptance statement
Auditee has reviewed this report and confirmed that it is accurate.
Data recipient’s action plan
UoN will establish a corrective action plan to address each finding shown in the findings table in Section 2. The Audit Team will validate this plan and the resultant actions will be followed up with UoN by the IG Risk and Assurance team at NHS England to confirm the findings have been satisfactorily addressed.
The Audit has identified 3 opportunities for improvement in Section 3 which are provided for reference only and will not be followed up.
Findings
The following table identifies the 1 observation raised as part of the audit.
| Ref | Finding | Link to area | Clause | Designation |
|---|---|---|---|---|
|
1 |
The Audit Team noted that a specialist tool or mechanism would be required to adequately destroy the data within the 28 day period, as outlined within the DSFC. | Data Destruction | DSFC, Part 2, Section 4.1.7 |
Observation |
Opportunities for Improvement
The following table identifies 3 opportunities for improvement which could help an organisation improve its controls or processes. UoN should consider:
| Ref | Opportunity for Improvement | Link to area |
|---|---|---|
|
1 |
Developing a formal policy or enhancing the existing guidance available within the University’s IT Service area, to support the electronic deletion of data to ensure that specific requirements of the DSFC are carried out. | Data Destruction |
| 2 | Distributing guidance on the destruction of electronic data to all relevant NU staff, particularly any staff involved in handling NHSE data. | Data Destruction |
| 3 | Asking the third-party data destruction contractor to provide a detailed list of the physical assets destroyed along with the data destruction certificate, including asset numbers. This list would allow NU to reconcile the assets sent for destruction with those destroyed. | Data Destruction |
Use of Data
UoN confirmed that the dataset was only being processed and used for the purposes defined in the DSA(s) and was not being linked with another dataset.
Data Location
UoN confirmed that processing and storage locations, including disaster recovery and backups, of the dataset was limited to the location shown in the following table. These locations conform with the territory of use defined in section 2c of the DSA.
| Organisation | Territory of Use |
| UoN | England & Wales |
Backup Retention
The duration for which data may be retained on backup media is:
| Organisation | Media Type | Period |
| UoN | Disk | 90 days |
Disclaimer
The audit was based upon a sample of the data recipient’s activities, as observed by the Audit Team. The findings detailed in this audit report may not include all possible nonconformities which may exist. In addition, as the audit interviews were conducted through a video conference platform, certain controls that would normally be assessed whilst onsite could not be witnessed.
NHS England has prepared this audit report for its own purposes. As a result, NHS England does not assume any liability to any person or organisation for any loss or damage suffered or costs incurred by it arising out of, or in connection with, this report, however such loss or damage is caused. NHS England does not assume liability for any loss occasioned to any person or organisation acting or refraining from acting as a result of any information contained in this report.
Last edited: 11 June 2026 11:27 am