Medical Records: Data Protection

(asked on 25th March 2026)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what assurance mechanisms are in place to safeguard patient-identifiable data within the Federated Data Platform (FDP) operating across NHS trusts and the Integrated Care Board in Cheshire and Merseyside; and what independent audit or verification processes are undertaken to ensure compliance with UK GDPR and the Data Protection Act 2018.


Answered by
Zubir Ahmed
Parliamentary Under-Secretary (Department of Health and Social Care)
This question was answered on 21st April 2026

The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.

The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.

All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the supplier's platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.

The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.
