Written questions by Byrne.

What metrics are being used to measure the success of the Palantir-powered Federated Data Platform (FDP); and whether any productivity gains or improvements to patient care have been attributed to the FDP thus far, as opposed to any other intervention.

During product development, the NHS Federated Data Platform (NHS FDP) team identified relevant usage and benefits measures for each specific product. These measures are related to the problem statement the product was designed to address and are co-developed with users.Once a product has completed development and testing and becomes generally available, data on the usage and benefits measures at an aggregate level, across all organisations nationally, are published on the NHS FDP website. Over time, further products will become generally available on the NHS FDP, supporting the National Health Service areas of elective care, urgent and emergency care, cancer and diagnostics, operational management, and population health and neighbourhood care.Information on the benefits derived from the NHS FDP is published each quarter by NHS England and is available at the following link:https://www.england.nhs.uk/digitaltechnology/nhs-federated-data-platform/impact/fdp-uptake-and-benefits/In addition to the quantitative benefits, information from organisations on the benefits they are seeing from the NHS FDP from a qualitative perspective is collected in the form of case studies available at the following link:https://www.england.nhs.uk/digitaltechnology/nhs-federated-data-platform/impact/case-studies/

To give a detailed description of how procurement of the contract for the Federated Data Platform (FDP), after the current contract ending date of 15/02/2027, will proceed, including timeline, whether the incumbent contract holder Palantir is considered to be a preferred bidder, whether the NHS has a break clause in this contract with Palantir, whether the NHS is able to renew the contract automatically without hearing any competing bids, and any other relevant information relating to the terms of the contract.

The current contract for the NHS Federated Data Platform is for seven years, ending in 2030, with break clauses at three years, two years, and one year. No decisions have been made about any procurement after then end of the contract. The contact is published at the following link: https://www.contractsfinder.service.gov.uk/notice/2e8c61c0-faab-4f99-ae69-b00df6bae165?origin=SearchResults&p=1

Whether his Department carried out an equalities impact assessment of the Federated Data Platform (FDP) (a) prior to its rollout and (b) at any point since.

The NHS Federated Data Platform (NHS FDP) is a data platform rather than a clinical service in itself. NHS England does not require an Equality and Health Inequalities Impact Assessment (EHIA) by default for data platforms. As such, a determination was made in line with NHS England guidance that the NHS FDP did not meet the requirements for an EHIA.

What role Senior Information Risk Owners and Caldicott Guardians play in overseeing data governance for the Federated Data Platform (FDP) within Integrated Care Boards and NHS trusts; and whether those roles are held by executive board members.

Every integrated care board and National Health Service trust board, who are data controllers for data held within their own individual instance of the NHS Federated Data Platform, has responsibility for data governance and managing risk.Integrated care boards in the NHS are mandated to appoint both a senior information risk officer and a Caldicott Guardian. These roles are essential for ensuring compliance with patient data confidentiality, information governance, and the secure handling of information within the organisation.Information on whether or not Caldicott Guardians are Executive Board members is not held centrally.

What assessment he has made of the potential impact of Palantir’s role supporting Immigration and Customs Enforcement in the US on the confidence of NHS patients to divulge medical information.

The NHS Federated Data Platform (NHS FDP) holds no information on the immigration or residency status of patients. NHS England has published extensive information on the NHS FDP, its contractual safeguards, and how it is designed solely for medical purposes. There is a web portal where people can find out more information about the NHS FDP and ask questions.

What assessment his Department has made of concerns raised by the Science, Innovation and Technology Committee regarding the outsourcing of NHS data infrastructure to a single overseas technology provider; and what steps have been taken to mitigate systemic data security risks arising from that arrangement.

Data infrastructure in the National Health Service is not outsourced to a single provider, as the NHS makes use of a variety of technology providers, including hyper-scalers. Contracts include specific provisions to ensure the security of personal data.

Whether a standardised definition of an information governance breach applies across all NHS trusts and Integrated Care Boards in relation to the Federated Data Platform (FDP); what criteria are used to classify breaches as serious or major; and who is responsible for determining that classification.

The Information Governance Framework for the NHS Federated Data Platform (NHS FDP) is published at the following link:https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/Data breaches are determined in line with the guidance from the Information Commissioner’s Office. In the event of an actual or suspected security breach or data loss incident (incident) in any instance of the NHS FDP or NHS Privacy Enhancing Technology (NHS-PET), any party who becomes aware of the incident will notify NHS England.In the case of the platform contractor, such a notification will be made in accordance with its obligations under clause 20, which is regarding authority data and security requirements, clause 23, regarding protection of personal data, and/or Schedule 2.4, regarding security management, of the agreement, as well as clause 6 of the FDP Data Processing Agreement. In addition, in the case of the NHS-PET Contractor, such a notification will be made in accordance with its obligations under clause 17, regarding protection of personal data, Schedule 3, regarding cyber security and information governance, of the Contract, and/or clause 6 of the NHS-PET Data Processing Agreement.The NHS FDP contractor will notify NHS England of all incidents. The NHS FDP Contractor and user organisations will co-operate with NHS England’s service bridge, cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.The relevant controller will report any personal data breach to the Information Commissioner’s Office in line with its responsibilities under UK General Data Protection Regulation.NHS England and the NHS FDP contractors will co-operate with the local NHS FDP user organisation’s cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.Brief details of all personal data breaches, including their root cause, will be reported by NHS England, the NHS FDP contractor, or the local NHS FDP user organisation, depending on who the controller and processor is in relation to the personal data breach, to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.

What contractual safeguards and sanctions are contained within the Federated Data Platform (FDP) agreement to address any breach of data protection obligations by the contracted technology provider or any subcontractor; and what mechanisms exist for independent external scrutiny of compliance.

The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the suppliers platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.

What assurance mechanisms are in place to safeguard patient-identifiable data within the Federated Data Platform (FDP) operating across NHS trusts and the Integrated Care Board in Cheshire and Merseyside; and what independent audit or verification processes are undertaken to ensure compliance with UK GDPR and the Data Protection Act 2018.

The NHS Federated Data Platform (NHS FDP) is built with robust security and privacy controls to ensure that access to National Health Service data is tightly governed and independently auditable.The NHS FDP Information Governance Framework clearly lays out the roles and responsibilities relating to breach notification and management, defining organisations’ responsibilities in this area.All user activity within the NHS FDP environment is logged for auditing purposes. These logs are monitored by both the suppliers platform team and the NHS Cyber Security Operations Centre to detect and respond to any malicious activity.The NHS FDP contract includes audit provisions that allow NHS England to validate and confirm that contractual requirements are being met. These rights of audit are standard within NHS commercial agreements and provide assurance that the platform operates in accordance with NHS England’s expectations and legal obligations, including compliance with UK General Data Protection Regulation and the Data Protection Act 2018.

What statutory and contractual reporting requirements apply where an information governance breach relating to the Federated Data Platform (FDP) occurs; what oversight arrangements ensure compliance with the 72-hour reporting requirement to the Information Commissioner’s Office; and what action is taken if that requirement is not met.

The Information Governance Framework for the NHS Federated Data Platform (NHS FDP) is published at the following link:https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/Data breaches are determined in line with the guidance from the Information Commissioner’s Office. In the event of an actual or suspected security breach or data loss incident (incident) in any instance of the NHS FDP or NHS Privacy Enhancing Technology (NHS-PET), any party who becomes aware of the incident will notify NHS England.In the case of the platform contractor, such a notification will be made in accordance with its obligations under clause 20, which is regarding authority data and security requirements, clause 23, regarding protection of personal data, and/or Schedule 2.4, regarding security management, of the agreement, as well as clause 6 of the FDP Data Processing Agreement. In addition, in the case of the NHS-PET Contractor, such a notification will be made in accordance with its obligations under clause 17, regarding protection of personal data, Schedule 3, regarding cyber security and information governance, of the Contract, and/or clause 6 of the NHS-PET Data Processing Agreement.The NHS FDP contractor will notify NHS England of all incidents. The NHS FDP Contractor and user organisations will co-operate with NHS England’s service bridge, cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.The relevant controller will report any personal data breach to the Information Commissioner’s Office in line with its responsibilities under UK General Data Protection Regulation.NHS England and the NHS FDP contractors will co-operate with the local NHS FDP user organisation’s cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.Brief details of all personal data breaches, including their root cause, will be reported by NHS England, the NHS FDP contractor, or the local NHS FDP user organisation, depending on who the controller and processor is in relation to the personal data breach, to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.

Food and Rural Affairs, what recent assessment her Department has made of the effectiveness of enforcement action taken against water and sewerage undertakers for breaches of environmental permits.

We will not let companies get away with illegal activity and where breaches are found, the Environment Agency (EA) will not hesitate to hold companies to account. The Water (Special Measures) Act has provided the most significant increase in enforcement powers to the regulators in a decade, giving existing regulators the teeth they need to take tougher action against water companies, including new powers for the EA to impose automatic penalties, and penalties to the lower, civil standard of proof. Over the past three years, the annual inspections requirement has risen from 1,000 to 4,000 with a target of 10,000 for 2025/26, reflecting a significant strengthening of regulatory oversight. By the end of February 2026, over 10,154 inspections had already been delivered. As a result of this strengthened regulatory presence, the EA has brought forward 19 legal proceedings, four prosecutions, and 19 civil sanctions so far this year, alongside increased warnings and further investigations into serious pollution incidents.

Food and Rural Affairs, if her Department will make an assessment of alternative governance for water utilities, including public ownership and mutual structures.

There are several different ownership models in the companies providing water in the United Kingdom.Where a company requests to transition to a new ownership model, we have committed in the White Paper that the regulator will develop a transparent process to assess whether the change should go ahead and ensure customer interests are properly reflected in the decision.

Food and Rural Affairs, how many inspections of wastewater treatment works and storm overflows were conducted by the Environment Agency in each of the last five years.

The Environment Agency has provided the following figures for inspections of wastewater treatment works and storm overflows in each of the last five financial years. Financial YearTotals2021-226392022-238782023-2414422024-2546722025-2610150 * 2025/26 data is year to date (as of 18 March). March 2026 data is also still to be completed.

Food and Rural Affairs, what safeguards are in place to prevent conflicts of interest arising between regulators of the water sector and the water and sewerage undertakers they regulate.

The Environment Agency (EA) and Ofwat have robust safeguards in place to prevent conflicts of interest between regulators and the water and sewerage companies they oversee. All EA employees, contractors and temporary workers must submit an annual declaration of interests, including a nil return where no interests are held. Declarations cover all aspects of an individual’s role and are reviewed by managers, who must identify any actual or potential conflicts and put appropriate mitigation measures in place where necessary. Ofwat’s conflict of interest arrangements are based on wider Civil Service standards. Staff must declare any actual or potential conflicts on appointment, annually, and as they arise, including during procurement and recruitment, with all declarations recorded in a central register. Conflicts are managed on a proportionate, case-by-case basis, supported by strict rules on financial interests, controls on confidential information, and senior management oversight. Business Appointment Rules may also apply when staff leave Ofwat.

Food and Rural Affairs, what steps her Department is taking to help improve coordination between Ofwat, the Environment Agency and the Drinking Water Inspectorate in regulating water and sewerage undertakers.

Defra is working closely with the existing regulators, including Ofwat, the Environment Agency and the Drinking Water Inspectorate, to strengthen coordination across the regulatory system. This includes supporting the regulators in their work to actively join up and improve coordination, championing a ‘one organisation’ approach on key areas of delivery ahead of establishment of the new single regulator. This will simplify the requirements of water companies, reduce duplication and deliver better regulation for improved outcomes across the entire water system.

Food and Rural Affairs what assessment her Department has made of the adequacy of current levels of investment in wastewater infrastructure.

A record £104 billion of private sector investment has been secured to accelerate the cleaning up of our rivers, lakes and seas. This includes over £10 billion to improve nearly 2,500 storm overflows in England over the next five years. We will move to a system where assets are properly maintained and develop forward-looking asset health metrics to ensure this critical infrastructure gets the funding it needs.

What assessment her Department has made of the potential impact of increased student loan balances on graduates’ access to mortgages and savings.

The size of one’s outstanding student loan is not a barrier to accessing a mortgage and savings. Student loan balances do not appear on borrower credit records, meaning the total size of the student loan debt is not considered in a borrower mortgage application. Monthly student loan repayments will be considered alongside other living costs as part of the affordability check for mortgage applications in the same way as any other fixed monthly outgoings, but monthly repayments are not linked to the size of the outstanding loan.Student loan repayments are linked to income, not to the amount borrowed or interest applied. Repayments are made at a constant rate of 9% above the earnings threshold. Borrowers earning under the earnings threshold, are not required to make repayments. Any outstanding loan including interest built up, is cancelled at the end of the loan term with no detriment to the borrower, and debt is never passed on to family members or descendants.The government appreciates that making student loan repayments has an impact on individuals, and this is why there are unique protections for borrowers and the finance system is heavily subsidised by taxpayers.

What assessment she has made of the potential impact of freezing the income repayment threshold for Plan 2 student loans on the level of disposable income of graduates earning between £29,000 and £40,000 per year.

Plan 2 student loans were designed and implemented by previous governments, and students in England starting degrees under this government have different arrangements. Threshold freezes have been introduced to protect taxpayers and students now, alongside future generations of learners and workers.Student loan repayments are linked to income, not to the amount borrowed or interest applied. As repayments remain income-contingent if a borrower’s salary remains the same, their monthly repayments will also stay the same.Repayments are made at a constant rate of 9% above the earnings threshold. Borrowers earning under the earnings threshold, are not required to make repayments. Any outstanding loan including interest built up, is cancelled at the end of the loan term with no detriment to the borrower, and debt is never passed on to family members or descendants.The government appreciates that making student loan repayments has an impact on individuals, and this is why there are unique protections for borrowers and the finance system is heavily subsidised by taxpayers.

What assessment her Department has made of the potential impact of interest rates applied to income-contingent student loans on the total level of graduate debt.

The department does not hold analysis on the impact of interest rates on total level of graduate debt.No Plan 5 borrower should see their loan balance grow in real terms without additional outlay, as the rate of interest for Plan 5 loans is applied at Retail Price Index (RPI) only.Plan 2 loan interest rates are applied at RPI only, then variable up to RPI+3% depending on earnings. Interest rates do not impact monthly repayments made by student loan borrowers, which stay at a constant rate of 9% above an earnings threshold to protect lower earners.Outstanding debt, including interest accrued, is cancelled at the end of the loan term with no detriment to the borrower, and debt is never passed on to family members or descendants. There are no commercial loans that offer this level of borrower protection. This is a deliberate government investment in students and the economy.

What estimate her Department has made of the proportion of borrowers on Plan 2 student loans whose outstanding balance is projected to increase for at least the first ten years of repayment due to interest accrual exceeding annual repayments.

The department does not hold analysis of the proportion of borrowers whose loan is projected to increase in their first ten years of repayment.Student loan repayments are linked to income, not to the amount borrowed or interest applied. As repayments remain income-contingent if a borrower’s salary remains the same, their monthly repayments will also stay the same. Repayments are made at a constant rate of 9% above the earnings threshold, and the 9% rate strikes a balance between affordability for graduates and fairness to taxpayers.Outstanding debt, including interest built up, is cancelled at the end of the loan term with no detriment to the borrower, and debt is never passed on to family members or descendants. This is a deliberate government investment in students and the economy.