Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what contractual safeguards and sanctions are contained within the Federated Data Platform (FDP) agreement to address any breach of data protection obligations by the contracted technology provider or any subcontractor; and what mechanisms exist for independent external scrutiny of compliance.
The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.
The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.
All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the supplier's platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.
The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.