Data guardian seeks clarification on Palantir patient data access
- 5 June 2026
- The National Data Guardian is seeking explanation from NHS England over Palantir staff access to identifiable patient data in the federated data platform (FDP)
- The watchdog says it was unaware external staff could access patient information despite Data Protection Impact Assessment (DPIA) assurances
- NHS England said it is working with the NDG to provide more information and implement their recommendations, including updating the DPIA
The National Data Guardian (NDG) has asked NHS England to explain how Palantir staff gained access to identifiable patient data in the federated data platform (FDP), something it says it was not aware of.
In a statement published on 3 June 2026, the NDG, Dr Nicola Byrne said many members of the public have contacted the office through the Not With My NHS Data campaign to raise their concerns about access to NHS patient data by external contractors working on the FDP and its National Data Integration Unit (NDIT).
The NDG said that when it reviewed the FDP programme’s Data Protection Impact Assessment (DPIA), the document stated that access to identifiable patient information would be limited to NHS staff with a legitimate need.
However, Byrne said “recent media reporting, and subsequent confirmation from the programme team, indicate that some external contractor staff also have access to identifiable patient information within the NDIT environment”.
“We were not aware of this,” she added.
The watchdog has now written to the programme team seeking clarification on what it described as an “inconsistency” between the information presented in the DPIA and the current position.
“We need to be confident that the positions presented to us are accurate, consistent, and clearly reflected in public-facing transparency materials,” the statement said.
An NHS England spokesperson told Digital Health News: “The NHS has strict policies in place for managing access to patient data, and we are committed to being transparent about its use.
“We are working with the NDG to provide additional information and implement their recommendations, including updating the DPIA.”
The FDP is being delivered by Palantir under a £330m contract awarded in November 2023.
Last month, Digital Health News reported that the NHS is granting staff from companies including Palantir ‘unlimited access’ to identifiable patient data while working on the FDP.
Louis Mosley, executive vice chair of Palantir UK, wrote on X in May: “The ‘unlimited’ access referred to in the technical design document… is a specific technical permission inside one staging environment – NHS England’s NDIT. It is not unlimited access to NHS patient data.”
Concerns were also raised by NHS staff in April that engineers working for Palantir had been issued NHS email accounts.
The NDG said it is not a regulator and does not have enforcement powers, but has provided advice to the Department of Health and Social Care and NHS England throughout the development of the FDP programme.
Byrne added that concerns raised through independent advisory groups have generally been taken seriously by NHSE and that she has seen a commitment within the organisation to responsible use of data.
The statement also sought to address questions about patient consent and opt-outs. The NDG said the national data opt-out does not currently apply to the FDP because the platform is being used to support care delivery and operational management of NHS services, rather than secondary uses such as research and planning.
As a result, patients cannot currently opt out of their information being used within the programme where it is being processed for direct care and service delivery purposes.
Byrne added that her office “will continue to scrutinise, advise and challenge the NHS FDP programme through the relevant independent advisory groups”.
1 Comments
Let’s be perfectly clear: the National Data Guardian (NDG) was created, I believe in 2015, when the Care.data programme was running into trouble, because it was being seen for what it actually was rather than what the DHSC had hoped to sell it as. The NDG was created as another attempted con. As the title suggests, the NDG was intended to be seen as the champion of patients, looking after their interests in an advisory way. In reality the NDG is and always has been the champion of the DHSC/NHS, posing as the champion of patients The intervention by the NDG described in this article is a clear example of exactly how this works. The NDG is here apparently intervening to look after the rights of patients that are being abused by NHS England. This is supposed to create the confidence that “it” will use soft diplomacy to put things right. The ground is prepared by “it” declaring that “it” is not a regulator, so cannot be looked to for legal dispute resolution. This is supposed to induce a state of mind in the public that is non confrontational, and to make the public more malleable. The NDG then appears to be holding NHS England to account, but what is really happening is that the NDG will try to use public trust in its role (if any of that exists) to allow the issue to be resolved in favour of NHS England. The outcome is supposed to be that NHS England is held to account and “forced” to give an explanation. The explanation resolves nothing, but the NDG accepts the explanation and reassures everyone that they can put down their weapons and relax. The NDG says everything is fine, so everything must be fine, and NHS England can go on doing whatever they please with patient data. So everything in the garden is lovely. . . except that it is not.
In fact nothing is lovely but what in particular is certainly not lovely is:
1). The NDG is seeking clarification on what it described as an “inconsistency” between the information presented in the DPIA and the current position”, and NHS England has declared its intention of “updating the DPIA” to remove the inconsistency. This implies that the “current position” will be accepted. This is the wrong way round. It is the “current position” that is unacceptable but the NDG will fix it so that the “current position” is declared acceptable, in line with the NDG’s role of managing public perception so the DHSC/NHS England can get away with yet more abuse.
2) according to the NDG, “concerns raised through independent advisory groups have generally been taken seriously by NHSE and . . . she has seen a commitment within the organisation to responsible use of data.” If this is what the NDG has seen, there is an “inconsistency” between the NDG’s view and all other evidence relating to NHS England’s alleged “commitment . . . to responsible use of data”.
3) The NDG is trying to sell us the idea that we cannot opt out of having our data processed by the FDP because the National Data Opt-out does not apply to data use for the purpose of direct care. Who gives a toss about NHS opt-outs? They are all arbitrary, have no legal status and can be ignored by the NHS with complete impunity. The real issue is why NHSE think that our right to confidentiality and the right of object do not apply to data use for direct care. That idea is patently absurd, especially given what is now claimed to be use of data for direct care. NHS England behaves exactly like Humpty Dumpty and we know what Humpty Dumpty’s said, “The only question is, who is master – that’s all”