Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 15 July to Question 65984 on NHS Databases, what assessment he has made of the challenges of hosting the NHS Federated Data Platform on cloud services.
The NHS Federated Data Platform (FDP) Programme Team in NHS England have conducted a comprehensive assessment of the technical, operational, regulatory, and public trust considerations associated with hosting the platform on cloud services.
It is a contractual requirement that all processing and storage of patient information take place within the United Kingdom. Data within the FDP and NHS Privacy Enhancing Technology cannot be accessed by provider personnel or contractors based outside the UK. This is stipulated in the overarching FDP Data Protection Impact Assessment and enforced through technical controls. All data is protected through strong encryption, access controls, and audit trails, in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. These measures ensure that National Health Service data remains fully under UK jurisdiction.
Robust security measures are in place, including firewalls, intrusion detection and prevention systems, regular penetration testing, and vulnerability scanning. Live service teams continuously monitor the platform to identify and address any issues promptly.
The FDP has been designed to be modular and standards-based, enabling integration with multiple systems and avoiding over-reliance on any single cloud provider.
Following national guidance from the National Cyber Security Centre, the NHS has adopted the 14 cloud security principles as its core means of aligning cloud and internet security throughout the NHS and healthcare providers. All NHS data stored on cloud services in the UK is encrypted, at rest and in transit, using the highest encryption standards.