Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what safeguards are in place within the NHS Federated Data Platform to help ensure that external contractors and third-party suppliers are not able to access identifiable patient data.
The NHS Federated Data Platform (NHS FDP) safely connects information from different systems across the National Health Service into a single, secure environment. This allows staff to co-ordinate care better to improve outcomes for patients.
The NHS FDP is delivering for the NHS, helping people get the care they need quicker and more efficiently. Since March 2024, more than 100,000 additional patients have been supported to undergo procedures in theatres partly by increasing theatre utilisation. Nearly 94,000 people have been supported on their cancer journey, with 7% seeing a reduction in the time it took to diagnose their cancer. There has been a 14% decrease in delays discharging patients staying in hospital for more than seven days, freeing up beds for those who need them most. NHS England publishes quarterly information on benefits realised from the FDP, which is available at the following link:
To date, 24 integrated care board clusters and 168 NHS trusts have signed up to the NHS FDP, including the Frimley Health NHS Foundation Trust.
The NHS FDP is underpinned by the Federated Data Platform Information Governance Framework, which sets out the roles, responsibilities, and controls governing how data is accessed and used. Access to data within the National Data Integration Tenant (NDIT) and NHS FDP is tightly controlled.
All access is role-based, purpose-specific, time-limited where appropriate, and fully audited. Activity is subject to continuous monitoring, audit logging, and formal review processes. Individuals, including external suppliers, must meet Government security vetting requirements proportionate to their role.
Each product and use case within the platform is required to undergo appropriate information governance assessment and approval processes prior to deployment, with oversight provided through established governance arrangements, including the Federated Data Platform Data Governance Group.
NHS England has undertaken an urgent review of the current Data Protection Impact Assessment (DPIA) for the NDIT and identified that it did not fully reflect operational arrangements, including wording that referred to NHS staff rather than authorised users and support staff more broadly.
NHS England is updating the NDIT DPIA and associated documentation to ensure full alignment with current practice, alongside strengthening permissions, audit controls, and governance processes.
There is no requirement for NHS England to proactively disclose these to Parliament or its committees, although NHS England published the Information Governance Framework at the following link:
NHS England will be reviewing the NHS FDP contract this year, in line with standard contract management processes, to inform a decision on whether to exercise the optional two-year extension.
This will consider all relevant evidence, including the report of the Science, Innovation and Technology Committee.