Introduction to the FDP and the Palantir Contract
In August 2023, NHS England commissioned and awarded a £330 million, seven-year contract to Palantir, a U.S.-based software company that specialises in large data set analysis, to build the Federated Data Platform (FDP), a data integration platform that allows real-time sharing of patient data between NHS organisations. The FDP is designed to improve care delivery and resource coordination by streamlining access to shared patient and operational data across NHS trusts and Integrated Care Systems (ICSs), which are regional NHS partnerships.
How the Federated Model Works
The FDP is federated, which means that each NHS organisation is the controller of its data. Every NHS trust and ICS will be able to access an ‘instance’ of the FDP, that is, its own dedicated area of the platform for data processing and storage. Shared tools, such as dashboards and reports, allow staff with the appropriate access to run queries across multiple instances and return aggregate results. Importantly, this leaves instances private and separate but provides for secure communication of answers only.
Data Protection Risks and GDPR Applicability
However, the scale and sensitivity of the data involved raises significant data protection and ethical concerns. The FDP processes pseudonymised data, which has been stripped of direct identifiers, but is still considered personal data due to the potential for reidentification of the data subject. Therefore, it is subject to the UK GDPR.
Role of Palantir and Public Scrutiny
Palantir, the systems integrator and platform provider, functions as a data processor and is subject to the instructions of the data controller, the NHS. It is prohibited from using NHS data for any purpose outside of this. However, many have publicly criticised and expressed concerns about Palantir’s transparency and compatibility. One example is the British Medical Association (BMA). In November, the BMA passed a motion calling for a review of the FDP, warning that the platform could undermine public trust if proper transparency and confidentiality are not maintained.
BMA’s Motion and Transparency Demands
The motion called for concern Palantir’s contracts with the U.S. military and intelligence agencies as conflicting with NHS and public service principles. It also called for greater transparency in procurement processes to allow for proper public and professional scrutiny. This includes full Data Protection Impact Assessments (DPIAs), which set out what data is used, why, the risks involved, and how safeguards are implemented. The BMA also requested the publication of information-sharing agreements between NHS organisations and external vendors, which set out how data is shared, under what legal basis, and with what limitations.
Legal Basis for Processing and Consent Under UK GDPR
Under the UK GDPR, data processing in public health settings does not always require consent. NHS currently relies on the lawful basis of public task (Article 6(1)(e)), along with Article 9(2)(h) for special category data, which allows processing for the provision of health or social care. Many patients are unaware of this.
National Data Opt-Out and the Case for Patient Engagement
There is a National Data Opt-Out that allows patients to prevent their confidential health data from being used beyond their direct care, such as in research. However, this does not apply to the operational and planning uses of the FDP, leading critics to argue that where there is no legally required consent, the NHS has a moral responsibility to consult patients, explain how their data is used, and offer opt-outs if available.
Conclusion: Current Status and Safeguards Implemented
As of mid-2025, the FDP is operational in over 80 NHS trusts and most ICSs, with early reports declaring improvements in discharge planning and system coordination. In response to concerns from organisations such as the BMA, NHS England has mandated Data Protection Impact Assessments for each FDP instance before implementation. In addition, Privacy-Enhancing Technology (PET), operated separately from Palantir, acts as a gatekeeper for incoming data and has been introduced to reduce re-identification risk while preserving analytical quality. Furthermore, access to controls has been made strictly role-based with full audit logging to ensure that only authorised staff can access data and that all actions are recorded.
