Data guardian seeks clarification on Palantir patient data access
- 5 June 2026
- The National Data Guardian is seeking explanation from NHS England over Palantir staff access to identifiable patient data in the federated data platform (FDP)
- The watchdog says it was unaware external staff could access patient information despite Data Protection Impact Assessment (DPIA) assurances
- NHS England said it is working with the NDG to provide more information and implement their recommendations, including updating the DPIA
The National Data Guardian (NDG) has asked NHS England to explain how Palantir staff gained access to identifiable patient data in the federated data platform (FDP), something it says it was not aware of.
In a statement published on 3 June 2026, the NDG, Dr Nicola Byrne said many members of the public have contacted the office through the Not With My NHS Data campaign to raise their concerns about access to NHS patient data by external contractors working on the FDP and its National Data Integration Unit (NDIT).
The NDG said that when it reviewed the FDP programme’s Data Protection Impact Assessment (DPIA), the document stated that access to identifiable patient information would be limited to NHS staff with a legitimate need.
However, Byrne said “recent media reporting, and subsequent confirmation from the programme team, indicate that some external contractor staff also have access to identifiable patient information within the NDIT environment”.
“We were not aware of this,” she added.
The watchdog has now written to the programme team seeking clarification on what it described as an “inconsistency” between the information presented in the DPIA and the current position.
“We need to be confident that the positions presented to us are accurate, consistent, and clearly reflected in public-facing transparency materials,” the statement said.
An NHS England spokesperson told Digital Health News: “The NHS has strict policies in place for managing access to patient data, and we are committed to being transparent about its use.
“We are working with the NDG to provide additional information and implement their recommendations, including updating the DPIA.”
The FDP is being delivered by Palantir under a £330m contract awarded in November 2023.
Last month, Digital Health News reported that the NHS is granting staff from companies including Palantir ‘unlimited access’ to identifiable patient data while working on the FDP.
Louis Mosley, executive vice chair of Palantir UK, wrote on X in May: “The ‘unlimited’ access referred to in the technical design document… is a specific technical permission inside one staging environment – NHS England’s NDIT. It is not unlimited access to NHS patient data.”
Concerns were also raised by NHS staff in April that engineers working for Palantir had been issued NHS email accounts.
The NDG said it is not a regulator and does not have enforcement powers, but has provided advice to the Department of Health and Social Care and NHS England throughout the development of the FDP programme.
Byrne added that concerns raised through independent advisory groups have generally been taken seriously by NHSE and that she has seen a commitment within the organisation to responsible use of data.
The statement also sought to address questions about patient consent and opt-outs. The NDG said the national data opt-out does not currently apply to the FDP because the platform is being used to support care delivery and operational management of NHS services, rather than secondary uses such as research and planning.
As a result, patients cannot currently opt out of their information being used within the programme where it is being processed for direct care and service delivery purposes.
Byrne added that her office “will continue to scrutinise, advise and challenge the NHS FDP programme through the relevant independent advisory groups”.
