Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, with reference to the Answer of 17 November 2025 to Question 88027, whether the Data Protection Impact Assessment for the Federated Data Platform has been updated to reflect broader access roles for non-NHS users.

Data Protection Impact Assessments (DPIAs) for the NHS Federated Data Platform, including those relating to the National Data Integration Tenant (NDIT), have been developed and maintained to reflect the platform’s design, operation and access controls, including the role-based and purpose-based access arrangements required to support delivery.

DPIAs account for the limited and controlled use of administrative access by authorised personnel acting under the instruction of the Data Controller, including where supplier support is required to configure, operate and maintain the platform. There has not been a broadening of access roles for non-National Health Service users, this reflects established operational requirements.

DPIAs are reviewed and updated on a regular basis, and where there are material changes to processing or risks, they are revised and republished as appropriate. The NDIT DPIA is currently undergoing a review and will be published in due course.

All access arrangements remain subject to strict contractual requirements, technical and organisational controls, and ongoing audit and oversight, in accordance with United Kingdom data protection law and NHS England’s information governance standards.