Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what steps he has taken to ensure that NHS data handled by Palantir Technologies cannot be accessed or processed by non-UK government entities.
The NHS Federated Data Platform (FDP) has been designed with stringent safeguards to ensure that patient data is protected in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Access to National Health Service health and social care data within the FDP is tightly controlled. Only authorised users are granted access, and solely for approved purposes that demonstrably benefit patient care or NHS operations. Palantir Technologies, as the software provider, operates strictly under the instruction of NHS England. They do not control the data, nor are they permitted to access, use, or share it for any independent purpose.
To further strengthen data protection, the FDP incorporates advanced Privacy Enhancing Technology (NHS-PET), which has been procured from a separate supplier to ensure independence and to mitigate any potential conflicts of interest. This technology ensures that data is processed in a secure and privacy-preserving manner.
The contract with Palantir Technologies includes robust confidentiality clauses and is governed by a comprehensive oversight framework. This framework includes regular audits, monitoring, and reporting to ensure compliance with legal and ethical standards. Data Protection Impact Assessments have been conducted to assess and mitigate any risks to individual rights and freedoms.
It is a contractual requirement that personal data stored in the FDP and NHS-PET cannot be accessed by its provider’s personnel or contractors based outside the United Kingdom. In accordance with GDPR principles of transparency and accountability, NHS England has published details which outline how data is protected, who can access it, and under what conditions. Further information is available at the following link:
These measures collectively ensure that NHS data remains under UK jurisdiction and all processing of patient information will be within the UK only. This is a contractual requirement, and one of the key principles of the FDP Information Governance Framework. Data cannot be accessed or processed by non-UK government entities.