Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether his Department has made a cyber risk assessment of the use of Palantir’s software in centralised NHS data platforms.
In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including:
It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation.
All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, the UK General Data Protection Regulation, the Information Commissioner’s Office’s guidance, and associated regulations, standards, and guidance.
The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.
NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.
The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.