The Policy Change That Reshaped Access Rules
A quiet but significant shift in data governance has taken place within England’s public health system. The National Health Service has confirmed that employees of Palantir, the US-based technology firm, can now access patient data under a newly created administrative role. This marks a departure from earlier agreements that restricted how external engineers interacted with sensitive medical information.
The change relates to the Federated Data Platform (FDP), a system Palantir built under a contract worth roughly 330 million British pounds. The platform was designed to improve how data flows across NHS trusts and to help address the enormous backlog of care that accumulated during the pandemic. Until recently, Palantir staff could only enter the National Data Integration Tenant (NDIT) if they submitted a formal request for specific datasets. That barrier has now been lowered.
A briefing document, reviewed by the Financial Times and confirmed by The Register, spells out the new arrangement. Palantir personnel can now hold an “admin” role that grants them entry to the NDIT, which contains identifiable patient information. Other consultants working on the FDP will receive similar credentials. The document itself acknowledges a potential downside: this broader access could weaken public trust in the NHS’s commitment to safeguarding personal health data.
Understanding the National Data Integration Tenant
The NDIT functions as a holding area for patient data before it moves into the pseudonymized analytics system. Pseudonymization strips away direct identifiers such as names, addresses, and NHS numbers, replacing them with coded tokens. The NDIT, by contrast, still holds that identifying information. That distinction matters because it determines what any person viewing the data can learn about individual patients.
Under the original rules, accessing the NDIT required a specific application for each dataset. That process created a paper trail and an approval step. The new admin role bypasses that step for a small group of engineers who maintain the central data collection platform used to monitor NHS performance. According to The Register, the change affects only a limited number of people. But the scope of what they can see has expanded.
For context, the FDP itself connects dozens of NHS trusts across England. Each trust feeds data into the system with the goal of improving operational planning, reducing wait times, and allocating resources more effectively. The NDIT sits at the center of that architecture, making it a critical node in the data pipeline.
Why Identifiable Data Matters in This Context
Identifiable data includes details that can be traced back to a specific person. A name combined with a date of birth or a postal code is enough to identify someone. Medical records attached to that information reveal diagnoses, treatments, medications, and appointment histories. For someone managing a chronic condition or seeking treatment for a sensitive illness, the idea that an external engineer could view that information feels unsettling.
The distinction between pseudonymized and identifiable data is not just a technical nuance. It carries legal and emotional weight. Under UK data protection law, identifiable data receives the highest level of protection. Organizations that process it must demonstrate a lawful basis, a clear purpose, and robust security measures. Any expansion of access to identifiable data therefore invites scrutiny.
The Transparency Gap That Leaked Into Public View
The most troubling aspect of this story for many observers is not the access itself but how it became known. NHS England did not announce the policy change proactively. A briefing document was obtained and reported by the press. That leak-driven disclosure has fueled perceptions that the health service is not being candid about its data-sharing arrangements.
Sam Smith, coordinator at the health privacy campaign group medConfidential, framed the issue in stark terms. He compared it to telling a civil servant they can read their own email while forgetting to mention that freedom of information laws also apply. The problem, he argued, is not necessarily that Palantir staff now have broader access. It is that the public learned about it through a leak rather than through a transparent policy announcement.
Smith also noted that Palantir and other consultants already had access to patient data in other parts of the FDP, sometimes in pseudonymized form. The current controversy, he suggested, stems from a pattern of poor communication. When the NHS fails to explain changes clearly, it leaves room for suspicion and misinformation to fill the gap.
What Earlier Contracts Reveal About the Relationship
Palantir’s involvement with the NHS did not begin with the FDP contract. During the pandemic, the company secured a series of deals worth a combined 60 million pounds without competitive tendering. Those emergency contracts allowed Palantir to build data dashboards that helped the NHS track hospital capacity, vaccine distribution, and infection rates. The FDP contract, awarded in 2023, formalized and expanded that relationship.
The lack of competition in those earlier awards drew criticism from transparency advocates and rival technology firms. Critics argued that emergency procurement should not become a permanent gateway for a single vendor. Supporters countered that speed was essential during a public health crisis and that Palantir delivered working systems under extreme pressure.
That history adds context to the current debate. For some observers, the admin role change looks like another incremental expansion of access by a vendor that has steadily deepened its footprint in UK health infrastructure. For others, it is a practical adjustment needed to keep the platform running efficiently.
The Data Security Record That Raises Questions
Concerns about the FDP extend beyond who can access the NDIT. In March 2025, the Health Service Journal reported that nearly a third of NHS trusts connected to the platform were not meeting data security standards. That statistic raises an uncomfortable question: if local trusts are struggling with basic security requirements, how confident can anyone be about the broader data governance framework?
An NHS England spokesperson told the publication that the FDP was built with data protection and cyber security at its core. The spokesperson added that the NHS had worked with local organizations to ensure they met required standards and had introduced strengthened measures where appropriate. Still, the figure of roughly 30 percent non-compliance among connected trusts suggests that the gap between policy and practice remains significant.
For a patient whose data flows through one of those non-compliant trusts, the promise of strong central safeguards may offer little reassurance. The chain of data protection is only as strong as its weakest link. If local trust security is below standard, the data traveling through the FDP could be exposed at multiple points before it ever reaches Palantir’s systems.
What Security Standards Apply to the FDP
NHS trusts that connect to the FDP must meet several requirements. These include completing the Data Security and Protection Toolkit, implementing role-based access controls, conducting staff training on data handling, and maintaining audit logs. The toolkit assesses compliance across ten standards, including encryption, incident reporting, and third-party supplier management.
Trusts that fail to meet these standards are expected to implement improvement plans. But enforcement can be uneven. Some trusts operate with legacy IT systems that make compliance harder. Others face staffing shortages that leave data protection roles unfilled or handled by non-specialists. The result is a patchwork of security postures across the health service.
Official Safeguards and Regulatory Promises
NHS England has emphasized that multiple layers of protection remain in place. A spokesperson stated that anyone external requiring access must hold government security clearance and receive approval from an NHS England staff member at director level or above. Regular audits monitor compliance and track how data is used. The number of people granted the new admin role is expected to remain small.
Zubir Ahmed, the minister responsible for the FDP, addressed Parliament last month with a clear message. He stated that NHS England and NHS organizations retain full control as data controllers. Palantir does not own the data, the products, or the intellectual property. The company cannot use NHS data for its own purposes. All access is tightly governed, and information can be used only for agreed purposes that benefit patients.
Those assurances carry legal weight, but they also depend on enforcement. Data controller status means the NHS makes the final decisions about who can access data and for what reason. The question is whether the NHS has the resources, expertise, and political will to exercise that control effectively when a large vendor is involved.
The Distinction Between Ownership and Access
A point that often gets confused in public debate is the difference between data ownership and data access. Palantir does not own the patient data. The NHS retains that ownership. But ownership alone does not determine risk. What matters is who can view, copy, or extract the data. If an engineer with admin privileges can browse identifiable records, the practical effect may feel similar to ownership from a privacy perspective, even if the legal distinction remains intact.
This is where the concept of data stewardship becomes important. The NHS acts as a steward of patient information, holding it in trust for the people it serves. Any decision to grant broader access must balance the operational benefits of that access against the fiduciary duty to protect patient confidentiality. The admin role change tilts that balance, at least incrementally.
You may also enjoy reading: AI Agents Show They Create Exploits: 7 Shocking Cases.
Practical Questions Patients May Be Asking
For the average person in England, news reports about data access can feel abstract until they imagine their own medical records being viewed by someone outside the clinical team. Several specific questions arise from this policy change.
Can Palantir Staff See My Personal Medical Records Without Consent?
The new admin role grants access to the NDIT, which holds identifiable patient data. That means a Palantir engineer with this role could technically view records that include names, addresses, and clinical details. However, NHS England states that access is limited to those working on the central data collection platform used for performance monitoring. It is not a blanket authorization for all Palantir employees to browse patient data at will.
The distinction between technical capability and authorized use is important. Having access does not mean using that access for unauthorized purposes. Audit logs track who viewed what and when. Still, the possibility remains that a person who does not treat or care for a patient could see their information without the patient’s knowledge or explicit consent.
How Can I Find Out Whether My Data Is Held in the NDIT?
The NDIT contains data from NHS trusts that have connected to the FDP. If your local trust is among those using the platform, your data may be included. You can check whether your trust participates by reviewing its data sharing notices, which are typically published on the trust’s website. These notices explain what data is collected, why it is shared, and with whom.
You also have the right to submit a subject access request to your trust asking specifically about data shared with the FDP. The trust must respond within one month and provide details about what information is held and who has accessed it. This right is enshrined in UK data protection law and applies regardless of the platform in use.
For a broader view, the NHS Digital website publishes transparency information about the FDP, including data protection impact assessments and privacy notices. These documents describe the legal basis for processing and the safeguards in place.
Why Does NHS England Need to Give External Engineers Access to Identifiable Data?
The stated reason is operational necessity. The central data collection platform that monitors NHS performance relies on the NDIT. Engineers need to set up, maintain, and troubleshoot that platform. Ensuring that the system functions correctly requires them to view the data it processes. Working with pseudonymized data alone would not be sufficient for all maintenance tasks, especially when diagnosing data quality issues or testing new features.
Critics argue that this justification could apply to almost any external contractor. If the system were designed differently, engineers might be able to perform their tasks using synthetic or de-identified test data. The fact that the current architecture requires identifiable access reflects design choices made by the vendor and accepted by the NHS. Those choices could be revisited.
Broader Implications for Public Health Infrastructure
The Palantir-NHS relationship is not happening in a vacuum. Governments around the world are turning to large technology firms to modernize public services. Healthcare, with its vast datasets and complex operational challenges, is a natural target for digital transformation. But the sensitivity of health data makes these partnerships uniquely consequential.
When a government contracts with a firm that also works with intelligence agencies and military organizations, the optics are unavoidably different than with a conventional health IT vendor. Palantir’s history includes high-profile work with US immigration enforcement, defense agencies, and law enforcement. That background means public scrutiny of its NHS contract is likely to remain intense.
The broader lesson for health systems considering similar partnerships is that transparency must be built into the contract from the start. If policy changes are handled through internal briefing documents rather than public announcements, trust erodes. If data security compliance among participating trusts is uneven, confidence falters. If the rationale for expanded access is not clearly communicated, suspicion fills the void.
What This Means for the Future of NHS Data Governance
The Labour government has announced plans to disband NHS England as a separate quango and run the health service directly from the Department of Health and Social Care. That structural change could alter how data governance decisions are made. Centralizing authority might improve accountability, or it could concentrate power in a way that reduces local oversight. Either way, the FDP contract and its access policies will be part of that transition.
For now, the key takeaway is that the admin role change exists. It has been confirmed. It applies to a small number of people. It carries acknowledged risks to public confidence. And it was disclosed through a leak, not through proactive communication. Those facts together create a picture of a system that is struggling to balance innovation, efficiency, and trust.
The NHS remains the data controller. Palantir operates under strict contractual terms. Audits happen. Security clearances are required. But governance is not just about rules on paper. It is about how those rules are communicated, enforced, and perceived by the people whose data is at stake. On that front, the current episode leaves room for improvement.
For patients who want to stay informed, the most practical step is to read the privacy notices published by their local NHS trust and by NHS England regarding the FDP. These documents are not always easy reading, but they contain the specific details that matter. Asking questions at trust board meetings or through patient representative groups can also push for greater clarity. When transparency requires a leak to surface, the responsibility falls on the public to demand better.
