NHS: Palantir

(asked on 16th June 2026) - View Source

Question to the Department of Health and Social Care:

To ask His Majesty's Government, further to the Written Answer by Baroness Merron on 16 June (HL696), why internal departmental governance and audit systems failed to detect that the National Data Integration Tenant Data Protection Impact Assessment inaccurately described Palantir's data access permissions for over two years, until the discrepancy was raised by external campaigns.


Answered by
Baroness Merron Portrait
Baroness Merron
Parliamentary Under-Secretary (Department of Health and Social Care)
This question was answered on 1st July 2026

The NHS Federated Data Platform (NHS FDP) safely connects information from different systems across the National Health Service into a single, secure environment. This allows staff to co-ordinate care better to improve outcomes for patients.

The NHS FDP is delivering for the National Health Service, helping people get the care they need quicker and more efficiently. Since March 2024, more than 100,000 additional patients have been supported to undergo procedures in theatres partly by increasing theatre utilisation. Nearly 94,000 people have been supported on their cancer journey, with 7% seeing a reduction in the time it took to diagnose their cancer. There has been a 14% decrease in delays discharging patients staying in hospital for more than seven days, freeing up beds for those who need them most. NHS England publishes quarterly information on benefits realised from the FDP, which is available on the NHS website in an online-only format.

The NHS FDP, including the National Data Integration Tenant (NDIT), is subject to robust governance, audit and assurance arrangements, including Data Protection Impact Assessments (DPIA), contractual controls and ongoing monitoring.

Following engagement with the National Data Guardian, NHS England identified that aspects of the published DPIA did not accurately describe certain limited access arrangements.

The NDIT DPIA, published in August 2025, described access arrangements at a high level and used wording that was not sufficiently explicit about the involvement of authorised supplier personnel.

Internal governance and audit processes, while effective in overseeing how access was controlled, approved and monitored, did not identify this because the underlying access arrangements were already subject to established controls, approvals and audit. The issue therefore related to the clarity and completeness of published wording, rather than any change in access, a control weakness, or non‑compliance with those safeguards.

The underlying technical and contractual controls on supplier access have remained consistent. NHS England is the data controller for the NHS FDP at the national level, and suppliers act only as processors under NHS instruction. They do not control the data and are not permitted to access, use or share it for their own purposes. Access is tightly governed, role‑based and fully audited.

DPIAs and associated materials are kept under regular review and updated where appropriate. NHS England has established governance and oversight arrangements, including internal assurance and external scrutiny, to ensure data is handled lawfully, securely and transparently.

Reticulating Splines