Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department for Work and Pensions:
To ask the Secretary of State for Work and Pensions, if he will make an assessment of the potential merits of introducing a statutory right to food for people in poverty.
Answered by Andrew Western - Parliamentary Under-Secretary (Department for Work and Pensions)
While the right to food is not codified in UK domestic law, the Government is taking action to improve access to good, nutritious food.
We have announced action to expand free school meals, support parents with the cost of healthy food in the school holidays with the Holidays and Activities and Food Programme and launched the Crisis and Resilience Fund, which enables local authorities to design schemes that address food poverty.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what assurance mechanisms are in place to safeguard patient-identifiable data within the Federated Data Platform (FDP) operating across NHS trusts and the Integrated Care Board in Cheshire and Merseyside; and what independent audit or verification processes are undertaken to ensure compliance with UK GDPR and the Data Protection Act 2018.
Answered by Zubir Ahmed
The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.
The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.
All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the supplier’s platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.
The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what contractual safeguards and sanctions are contained within the Federated Data Platform (FDP) agreement to address any breach of data protection obligations by the contracted technology provider or any subcontractor; and what mechanisms exist for independent external scrutiny of compliance.
Answered by Zubir Ahmed
The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.
The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.
All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the supplier’s platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.
The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what statutory and contractual reporting requirements apply where an information governance breach relating to the Federated Data Platform (FDP) occurs; what oversight arrangements ensure compliance with the 72-hour reporting requirement to the Information Commissioner’s Office; and what action is taken if that requirement is not met.
Answered by Zubir Ahmed
The Information Governance Framework for the NHS Federated Data Platform (NHS FDP) is published at the following link:
https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/
Data breaches are determined in line with the guidance from the Information Commissioner’s Office. In the event of an actual or suspected security breach or data loss incident (incident) in any instance of the NHS FDP or NHS Privacy Enhancing Technology (NHS-PET), any party who becomes aware of the incident will notify NHS England.
In the case of the platform contractor, such a notification will be made in accordance with its obligations under clause 20, which is regarding authority data and security requirements, clause 23, regarding protection of personal data, and/or Schedule 2.4, regarding security management, of the agreement, as well as clause 6 of the FDP Data Processing Agreement. In addition, in the case of the NHS-PET Contractor, such a notification will be made in accordance with its obligations under clause 17, regarding protection of personal data, Schedule 3, regarding cyber security and information governance, of the Contract, and/or clause 6 of the NHS-PET Data Processing Agreement.
The NHS FDP contractor will notify NHS England of all incidents. The NHS FDP Contractor and user organisations will co-operate with NHS England’s service bridge, cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
The relevant controller will report any personal data breach to the Information Commissioner’s Office in line with its responsibilities under UK General Data Protection Regulation.
NHS England and the NHS FDP contractors will co-operate with the local NHS FDP user organisation’s cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
Brief details of all personal data breaches, including their root cause, will be reported by NHS England, the NHS FDP contractor, or the local NHS FDP user organisation, depending on who the controller and processor is in relation to the personal data breach, to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether a standardised definition of an information governance breach applies across all NHS trusts and Integrated Care Boards in relation to the Federated Data Platform (FDP); what criteria are used to classify breaches as serious or major; and who is responsible for determining that classification.
Answered by Zubir Ahmed
The Information Governance Framework for the NHS Federated Data Platform (NHS FDP) is published at the following link:
https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/
Data breaches are determined in line with the guidance from the Information Commissioner’s Office. In the event of an actual or suspected security breach or data loss incident (incident) in any instance of the NHS FDP or NHS Privacy Enhancing Technology (NHS-PET), any party who becomes aware of the incident will notify NHS England.
In the case of the platform contractor, such a notification will be made in accordance with its obligations under clause 20, which is regarding authority data and security requirements, clause 23, regarding protection of personal data, and/or Schedule 2.4, regarding security management, of the agreement, as well as clause 6 of the FDP Data Processing Agreement. In addition, in the case of the NHS-PET Contractor, such a notification will be made in accordance with its obligations under clause 17, regarding protection of personal data, Schedule 3, regarding cyber security and information governance, of the Contract, and/or clause 6 of the NHS-PET Data Processing Agreement.
The NHS FDP contractor will notify NHS England of all incidents. The NHS FDP Contractor and user organisations will co-operate with NHS England’s service bridge, cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
The relevant controller will report any personal data breach to the Information Commissioner’s Office in line with its responsibilities under UK General Data Protection Regulation.
NHS England and the NHS FDP contractors will co-operate with the local NHS FDP user organisation’s cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
Brief details of all personal data breaches, including their root cause, will be reported by NHS England, the NHS FDP contractor, or the local NHS FDP user organisation, depending on who the controller and processor is in relation to the personal data breach, to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what role Senior Information Risk Owners and Caldicott Guardians play in overseeing data governance for the Federated Data Platform (FDP) within Integrated Care Boards and NHS trusts; and whether those roles are held by executive board members.
Answered by Zubir Ahmed
Every integrated care board and National Health Service trust board, who are data controllers for data held within their own individual instance of the NHS Federated Data Platform, has responsibility for data governance and managing risk.
Integrated care boards in the NHS are mandated to appoint both a senior information risk officer and a Caldicott Guardian. These roles are essential for ensuring compliance with patient data confidentiality, information governance, and the secure handling of information within the organisation.
Information on whether or not Caldicott Guardians are Executive Board members is not held centrally.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what metrics are being used to measure the success of the Palantir-powered Federated Data Platform (FDP); and whether any productivity gains or improvements to patient care have been attributed to the FDP thus far, as opposed to any other intervention.
Answered by Zubir Ahmed
During product development, the NHS Federated Data Platform (NHS FDP) team identified relevant usage and benefits measures for each specific product. These measures are related to the problem statement the product was designed to address and are co-developed with users.
Once a product has completed development and testing and becomes generally available, data on the usage and benefits measures at an aggregate level, across all organisations nationally, are published on the NHS FDP website. Over time, further products will become generally available on the NHS FDP, supporting the National Health Service areas of elective care, urgent and emergency care, cancer and diagnostics, operational management, and population health and neighbourhood care.
Information on the benefits derived from the NHS FDP is published each quarter by NHS England and is available at the following link:
In addition to the quantitative benefits, information from organisations on the benefits they are seeing from the NHS FDP from a qualitative perspective is collected in the form of case studies available at the following link:
https://www.england.nhs.uk/digitaltechnology/nhs-federated-data-platform/impact/case-studies/
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what assessment his Department has made of concerns raised by the Science, Innovation and Technology Committee regarding the outsourcing of NHS data infrastructure to a single overseas technology provider; and what steps have been taken to mitigate systemic data security risks arising from that arrangement.
Answered by Zubir Ahmed
Data infrastructure in the National Health Service is not outsourced to a single provider, as the NHS makes use of a variety of technology providers, including hyper-scalers. Contracts include specific provisions to ensure the security of personal data.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether his Department carried out an equalities impact assessment of the Federated Data Platform (FDP) (a) prior to its rollout and (b) at any point since.
Answered by Zubir Ahmed
The NHS Federated Data Platform (NHS FDP) is a data platform rather than a clinical service in itself. NHS England does not require an Equality and Health Inequalities Impact Assessment (EHIA) by default for data platforms. As such, a determination was made in line with NHS England guidance that the NHS FDP did not meet the requirements for an EHIA.
Asked by: Ian Byrne (Labour - Liverpool West Derby)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, to give a detailed description of how procurement of the contract for the Federated Data Platform (FDP), after the current contract ending date of 15/02/2027, will proceed, including timeline, whether the incumbent contract holder Palantir is considered to be a preferred bidder, whether the NHS has a break clause in this contract with Palantir, whether the NHS is able to renew the contract automatically without hearing any competing bids, and any other relevant information relating to the terms of the contract.
Answered by Zubir Ahmed
The current contract for the NHS Federated Data Platform is for seven years, ending in 2030, with break clauses at three years, two years, and one year. No decisions have been made about any procurement after the end of the contract. The contract is published at the following link: