Written by Technical Team | Last updated 10.10.2025 | 12 minute read
The Personal Demographics Service (PDS) underpins identity across the NHS, holding core patient details such as name, date of birth, address, NHS number, GP, and nominated pharmacy. These records ensure that clinical and administrative systems can accurately match the right person to the right record. When software integrates with the PDS FHIR API, it interacts with the national “source of truth” for patient identity. That makes audit logging more than a technical detail—it’s fundamental to clinical safety, data protection, operational resilience, and public trust.
From a legal and governance perspective, audit trails enable organisations to evidence access to and changes made to personal data, respond effectively to data subject requests, and support incident investigations. The NHS Data Security and Protection Toolkit (DSPT) requires robust assurance, and NHS England has strengthened expectations around independent auditing—meaning that every organisation must demonstrate, not just declare, that it keeps data safe.
A well-designed audit approach provides a “golden thread” through every PDS interaction: who or what accessed patient data, the lawful basis and purpose for that access, what was viewed or changed, which identifiers were involved, and how the transaction flowed across internal components and Spine-facing services. That thread drastically reduces time-to-root-cause during incidents, demonstrates accountability to regulators, and protects clinicians and patients by evidencing that identity operations were performed safely and appropriately.
At a minimum, an audit trail must capture enough detail to reconstruct any PDS access or change quickly and reliably. For read or search operations, the record should show the request sent from your system, the response received, and the context of the transaction. For updates, it must also prove the intent, authorisation, and outcome. Because the PDS API is exposed on the NHS API Platform and uses modern REST/OAuth patterns, audit design starts with HTTP metadata and identity claims, then extends into clinical safety and privacy considerations specific to demographics data.
Where NHS services publish audit guidance, it should be mirrored and adapted for PDS. Some NHS FHIR services, for example, recommend recording correlation IDs and request IDs to align client-side and platform-side logs during incident triage. While PDS and other services may be separate, the principle is the same: deterministic correlation across client and platform logs accelerates investigations and reduces uncertainty.
NHS digital services also highlight the importance of standard HTTP headers and JSON Web Tokens (JWTs) for authorisation and downstream audit provenance. Even if an API does not mandate specific headers, adopting consistent correlation practices across your systems will make your logs more coherent and valuable. IHE Basic Audit Log Patterns (BALP) recommend that if an X-Request-ID is used for a REST call, it should be recorded in your audit entity so that downstream systems can correlate related events.
A robust PDS audit record should capture the following information in a privacy-conscious manner:
Importantly, you must not log more personal data than necessary to reconstruct events and satisfy regulatory requirements. Pseudonymising patient identifiers in application logs can often be achieved by hashing with a salt or using tokenisation, provided you can re-identify data under controlled conditions for legitimate purposes such as incident investigation or data subject access requests.
A sound audit strategy also considers the context of PDS usage. Many organisations use the PDS FHIR API across different workflows—identity assurance at registration, patient search at the point of care, or back-office data quality tasks. Each of these requires slightly different audit fields (for example, “registration channel” versus “clinical context”) so that governance and safety teams can make sense of the data later. Defining these fields early prevents costly retrofits and gaps in traceability.
The goal is simple to describe but complex to achieve: capture the minimum necessary detail, make it impossible or provably evident to alter, and make it instantly searchable across your ecosystem. In modern NHS cloud architectures, this typically means streaming structured audit events from applications via a message bus or log pipeline into a central log analytics platform, such as Splunk or Azure Monitor, with strict controls that prevent anyone from modifying historical data. On the Spine side, national components also maintain their own audit and transaction logs; your records must align with theirs through shared identifiers.
Start at the edge, where PDS calls originate. The API-calling component—say, a patient-matching microservice—should emit a single canonical audit event per discrete PDS interaction. This event should carry your correlation ID and any request ID returned by the platform. Define a consistent schema for this event, such as a JSON structure based on the FHIR AuditEvent resource, and route it through an append-only pipeline: immutable storage, checksum chaining or digital signing to detect tampering, and strictly controlled access rights for operations staff. If using managed cloud logging, enable features such as object immutability and write-once archive tiers.
Ensure that every system in your architecture preserves and propagates the correlation ID, and that every service both logs and forwards that identifier. Your analytics layer should then expose curated dashboards keyed on the correlation ID, the NHS number (preferably pseudonymised), or an internal patient key. These dashboards should answer three questions instantly: who accessed or modified demographics data, what exactly they did, and how the request travelled, including any failures or retries.
Because PDS supports both application-restricted and user-restricted access modes via the NHS API Platform, your audit design must handle “system-to-system” automation and “user-in-the-loop” clinical flows equally well. For automated access, identity relates to the system and lawful basis; for user-mediated access, the audit trail must capture the user identity and role so that governance teams can confirm that appropriate permissions were applied. Your schema should accommodate both use cases without compromise.
It’s also wise to recognise that some PDS interactions may be routed through intermediary NHS components, such as the Spine Secure Proxy used by other FHIR programmes. Even if your solution interacts directly with the PDS, applying the same discipline—always log, always correlate, always preserve IDs—ensures your audit data remains compatible with wider NHS ecosystems and multi-service investigations.
Although the PDS FHIR API is delivered through the NHS API Platform rather than the Spine Secure Proxy, you can still align with FHIR conventions across the NHS to keep your audit trail predictable and interoperable. Start by modelling each PDS interaction as a FHIR AuditEvent. This resource captures security- and privacy-relevant actions: who did what, to which entity, when, where, and why. Using the AuditEvent fields—type, subtype, outcome, agent, source, and entity—you can represent both the technical HTTP interaction and the higher-level business intent.
For example, a GET /Patient/{nhsNumber} request could be logged as a read (action = R), with the NHS number represented as an entity reference (stored pseudonymously when feasible). The authenticated user or system would be captured as an agent with their role and organisation. For updates, such as a PATCH /Patient, the action would be U, and the event should include details of the changed fields—enough to demonstrate intent and outcome without exposing unnecessary personal data.
Across headers and transport, consistency is key. Best practice includes:
NHS FHIR services generally recommend a consistent set of HTTP headers (Accept, Content-Type, and conditional request headers), alongside correlation headers. Treat any returned error OperationOutcome as part of your audit record: capture the code, message, and response time, and link these details to your correlation IDs. This provides invaluable insight during fault analysis and service reviews.
It is also helpful to predefine a mapping between PDS-specific operations and your audit schema. Each core operation—searching for patients, retrieving patient details, updating demographics, or verifying an NHS number—should have a template AuditEvent structure. For example, when verifying an NHS number, log the submitted identifier in a masked or hashed form, the verification result, and any match confidence scores if available. This level of discipline ensures consistency and prevents developers from taking divergent approaches that could weaken traceability.
Audit logs only provide value when they are operationally usable. Start by defining retention policies that meet the requirements of the NHS DSPT and your information governance framework—long enough to support incident response and subject access requests, but aligned with the NHS Standard Contract and local data-processing agreements. Balance necessity with minimisation, and enforce your policy technically through lifecycle management rules, immutable storage periods, and automated deletion after expiry.
For subject access requests (SARs), prepare standardised queries and export mechanisms to answer key questions swiftly: which of your systems accessed or changed this person’s demographics, when, under whose authority, and what was the outcome? Correlation IDs allow you to pull supporting evidence from application and gateway logs without exhaustive manual searching. For incidents, create a “timeline kit”: dashboards and forensic queries keyed on correlation IDs, request IDs, and error codes, enabling engineers and governance teams to investigate confidently under pressure.
A strong assurance posture requires documentation of your audit design. Maintain a living specification that describes your audit schema, how it maps to the FHIR AuditEvent, what identifiers are used, and how tamper-evidence is maintained. When NHS onboarding or service reviews occur, you can then demonstrate that your logs are trustworthy, queryable, and aligned to national patterns. This transparency builds confidence with clinical safety officers, information governance leads, and NHS assurance teams.
Designing audit for PDS integrations is ultimately about creating a consistent, provable narrative for every interaction with patient identity data. The blueprint below distils the practices discussed into an actionable framework for delivery teams.
Start with your data model. Define a canonical audit event schema across your organisation—ideally JSON-based and compatible with FHIR AuditEvent. Include fields for transaction metadata, authorisation context, patient identifiers (pseudonymised where possible), operation type, response details, and business intent. Make correlation fields mandatory: always generate an X-Correlation-ID at the start of a process, propagate it throughout, and capture any X-Request-ID from the platform. With this, deterministic cross-system tracing becomes possible.
Establish collection and integrity controls. Applications should log structured events (not free text) and transmit them securely over TLS to a central pipeline. Use append-only or immutable storage and, for higher assurance, implement digital signatures or checksum chaining. Access to historical audit records must be strictly limited and monitored.
Incorporate privacy by design. Do not store full PDS payloads unless necessary; instead, record summaries or structured diffs. Hash or tokenise patient identifiers, and maintain a clear separation between operational logs and audit logs. Define and document your minimisation strategy, and have it formally approved by your information governance function.
Build tooling for investigations and SARs. Develop dashboards that allow authorised teams to filter logs by correlation ID, hashed NHS number, or internal patient key. Implement “one-click” exports that assemble a complete transaction history—requests, responses, outcomes, and relevant user information—into a human-readable format for governance or clinical review. Regularly rehearse incident response so teams know how to use these tools efficiently.
Integrate governance and assurance into your development lifecycle. Treat audit as a living product that evolves with your service and NHS standards. Assign clear ownership, review schema changes alongside API updates, and run periodic data-quality checks on the audit store. Map controls explicitly to DSPT assertions and any programme-level assurance criteria. This preparation ensures that when audits or service reviews arise, you already have the evidence ready.
Finally, align with NHS conventions even where optional. PDS FHIR may differ slightly from other APIs, but by adhering to shared principles—standard headers, JWT-backed identity, correlation identifiers, and FHIR-based audit structures—you gain interoperability and easier collaboration. When incidents involve multiple NHS services, consistency in audit data shortens investigations and strengthens collective trust.
Is your team looking for help with NHS PDS integration? Click the button below.
Get in touch