Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, whether his Department has made an assessment of the potential risks of cross‑contamination risk when data from multiple NHS trusts are ingested into a single cloud environment.

In order to assess the risk and impact to data privacy, all Federated Data Platform (FDP) installations are required to complete a Data Privacy Impact Assessment (DPIA). An overarching DPIA for the FDP was also undertaken.

Each FDP Tenant is a logically separated instance of the Foundry Platform. Each tenant has separate administrators, and independent control of all data ingress and egress. User access is controlled by a combination of Role Based Access Controls and Purpose Based Access Controls to ensure that access to data is only available to users with a documented and auditable reason for access.

All changes to the product or platform go through a careful process of development, testing, quality assurance, and change management before they are released. This helps to prevent errors and problems. The FDP has several measures in place to keep data safe. These include:

• ¾strong network security, namely firewalls and intrusion detection systems that monitor all network traffic to and from the platform, to block unauthorised access and detect suspicious activity;
• data encryption of all data stored on the platform, both when transferred, or in transit, and when stored on servers;
• purpose based access, as users only have access to the data they need to do their jobs. This helps to minimise the risk of unauthorised access to sensitive information;
• detailed logging and monitoring, as all user activity on the platform is logged and monitored for suspicious activity. This helps to identify potential security breaches quickly and maintains a full audit trail. Security logs are encrypted and stored securely;
• regular security testing, with the platform undergoing regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security;
• development lifecycle, with all changes to the product or platform going through a careful process of development, testing, quality assurance, and change management before they are released. This helps to prevent errors and problems; and
• monitoring, as live services teams constantly monitor the product or platform 24 hours a day, seven days a week to quickly identify and fix any issues that may arise.