NHS: Databases

(asked on 22nd March 2023)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps he has taken to ensure the NHS Federated Data Platform will follow data protection obligations.


Answered by
Will Quince
This question was answered on 30th March 2023

Data processes and systems within the Federated Data Platform (FDP) will need to comply with the Technology Code of Practice, Government Digital Service standards, the Department’s guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018 and the United Kingdom’s General Data Protection Regulation, Information Commissioner’s Office guidance and associated regulations, standards and guidance.

To ensure that the FDP complies, the data sharing approach will consist of: a Data Protection Impact Assessment (DPIA) for the procurement of the FDP solution; an overarching DPIA to articulate the data security and protection principles and lawful bases for deployment; purpose-specific DPIAs, which will be drafted for each use case and will go through the formal approval routes within NHS England prior to roll-out; and a legal mechanism for the sharing and processing of data, to be agreed in consultation with NHS England Information Governance and legal counsel.

The above activities will be concurrent and aligned with the procurement process to ensure data protection by design and default principles are embedded, and there is co-production of the final data sharing approach. This will ensure that the lawful basis for the data sharing is identified, and Common Law Duty of Confidentiality is adhered to for all of the use cases.
