Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what safeguards are in place to prevent identifiable NHS patient data being accessed by (a) foreign governments and (b) entities subject to foreign jurisdiction.
The NHS Federated Data Platform (NHS FDP) allows for the information in different National Health Service IT systems to be connected, in a single, safe, secure environment. This allows more effective management of the data, so care can be better co-ordinated. It allows for better use to be made of operating theatres, improves cancer pathways, so that patients get a quicker diagnosis, and allows for faster patient discharge from hospital.
To date, 24 integrated care board clusters and 168 NHS trusts have signed up to the NHS FDP, including the University Hospitals Dorset NHS Foundation Trust. NHS England publishes quarterly information on the benefits realised from the NHS FDP at the following link:
The NHS FDP has been designed with stringent safeguards to ensure that patient data is protected in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.
Access to NHS data is tightly controlled. Only authorised users are granted access, and solely for approved purposes that benefit patient care or NHS operations. The supplier operates under the instruction of NHS England. They do not control the data, nor are they permitted to access, use, or share it for any independent purpose.
The platform operates within a robust contractual and governance framework, including strict requirements relating to data protection, confidentiality, and the lawful and proportionate use of data. This is supported by ongoing audit, monitoring, and reporting, as well as Data Protection Impact Assessments to assess and mitigate risks to individuals’ rights and freedoms.
Data held within the NHS FDP is hosted in United Kingdom-based data centres, and access to data and systems is subject to UK legal, regulatory, and contractual controls. These arrangements ensure that data is processed in line with UK law and NHS England requirements, and that access to identifiable patient data cannot be undertaken independently by external organisations or for purposes outside those authorised by NHS England.