Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 1 July 2025 to Question 60619, what assessment his Department has made of the necessity of granting elevated “admin-level” access to identifiable patient data to external contractors within the National Data Integration Tenant of the Federated Data Platform.

NHS England has undertaken a detailed assessment of the access requirements necessary to safely operate and maintain the NHS Federated Data Platform (NHS FDP), including within the National Data Integration Tenant, through the procurement process and supporting information governance framework and documentation. This assessment concluded that a limited level of controlled administrative access is necessary to ensure the platform can operate safely, securely, and effectively.

Any elevated system-level access granted to contracted suppliers is limited to what is strictly necessary for defined platform functions, such as system administration, operational support, maintenance, and resilience, including out-of-hours support.

A small number of authorised supplier personnel may be granted controlled administrative access where required to deliver these functions, acting under the instruction of National Health Service organisations as data controllers. This does not provide unrestricted use of identifiable patient data, and suppliers are not permitted to access or use data for their own purposes.

All such access is governed by strict contractual requirements and is supported by technical and organisational controls, including role-based permissions, monitoring, and full audit logging. These arrangements are set out in the NHS FDP contractual terms and supporting Data Protection Impact Assessments.

Data access is further constrained by the NHS FDP’s information governance framework, system design, and contractual controls, under which NHS organisations retain control over the data held within their specific NHS FDP instances and determine how it is used.

All access arrangements are subject to United Kingdom data protection law, including the UK General Data Protection Regulation and the Data Protection Act 2018, and must comply with NHS England’s information governance and security standards.