Minister Apologises Over NHS Data Misinformation Blunder

The Minister for Health Innovation and Safety, Preet Kaur Gill, has apologised after NHS England supplied incorrect information to the National Data Guardian about who can access identifiable patient data through the Federated Data Platform. Appearing before the Health and Social Care Committee on 16 June, Gill told MPs she was "very sorry" for the error, which she described as a documentation failure rather than a breach of the platform's security or technical safeguards.

The mistake centred on how NHS England had characterised access to identifiable patient records within the FDP when reporting to the watchdog. Gill was at pains to separate the paperwork error from the underlying system, insisting that the access controls governing the platform had not been altered and that no patient data had been exposed as a result of the inaccurate reporting.

Pressed by committee members on the substance of the error, Gill repeated that the issue lay in how the information had been documented and communicated to the National Data Guardian, not in how the platform itself operates. She told MPs that the NHS remains the controller of the data in question, noting that the records involved already existed across separate systems before being drawn together under the FDP. She added that public trust in the programme mattered greatly, and said she wanted to assure people that their data is secure because the NHS, rather than any contractor, holds formal responsibility as data controller.

The FDP was introduced to address a long-standing problem in NHS technology: hospitals, trusts and other bodies have historically kept patient and operational data in disconnected systems that do not easily talk to one another. The platform is meant to link these systems so that staff can manage waiting lists, theatre scheduling and other operational tasks more efficiently, while still keeping data under NHS control. The National Data Guardian exists precisely to provide independent oversight of how patient confidentiality is protected as initiatives like this expand, and depends on NHS bodies giving it accurate information about who can see what.

That dependency is what makes the misreporting significant, even though ministers insist no actual harm occurred. The FDP is being delivered under a contract worth £330 million awarded to the data analytics firm Palantir in November 2023, and the company's involvement has drawn sustained criticism from privacy campaigners since the deal was signed. Last month it emerged that NHS England had changed its policy to allow some Palantir staff an "admin" role giving them access to identifiable patient data, a move that prompted concern when reported. Palantir's UK executive vice chair, Louis Mosley, pushed back publicly, arguing the access in question had been mischaracterised.

Campaigners involved in the Not With My NHS Data campaign have already raised concerns directly with the National Data Guardian about external contractors' access to the platform, and the watchdog has issued a public statement addressing the matter. Against that backdrop, an episode in which NHS England itself gave the regulator inaccurate information is likely to feed existing unease, regardless of how narrowly ministers frame the error. Patients in England cannot currently opt out of having their data processed through the FDP for direct care purposes, though individual trusts retain the choice of whether to use the platform at all, and the National Data Opt-Out does not apply to most FDP functions for that reason.

The government is due to decide later this year whether to extend Palantir's contract beyond its scheduled expiry in February 2027. Gill told the committee the programme had received a green rating from the National Infrastructure and Service Transformation Authority, a status reserved for a small minority of major government projects, which she said indicated the FDP was on track. Whether that assessment satisfies MPs and campaigners following the reporting error to the National Data Guardian remains to be seen.