Written questions by Wrigley.

Whether patients will be consulted on changes to purpose‑based access policies during the contract with Palantir.

The National Health Service is committed to maintaining public trust and transparency in the use of patient data and to ensuring that patients and the public are informed and engaged in decisions that affect how their data is used. This aligns with NHS England’s broader commitment to working in partnership with people and communities.The Federated Data Platform uses a Purpose-Based Access Control model. This ensures that access to data is strictly governed by the specific purposes approved by NHS England.Any change to the approved use cases, or new use cases, will require further engagement with patients and stakeholder advisory groups, including the Specialist Information Governance Advisory Group, and approval from the Data Governance Group. This engagement would be prior to, and inform any changes to, purpose-based access policies.

What proportion of Federated Data Platform development work is carried out by UK‑based engineers; and whether data processing beyond AWS input processes is off‑shored.

All NHS Federated Data Platform (FDP) development work is carried out by United Kingdom based engineers, therefore there is no offshoring. This is documented in the contract, Information Governance Framework, and Memorandum of Understanding. It is a contractual requirement that personal data stored in the FDP and National Health Service Privacy Enhancing Technology cannot be accessed by its provider’s personnel or contractors based outside the UK. These measures collectively ensure that NHS data remains under UK jurisdiction and that all processing of patient information will be within the UK only. This is a contractual requirement, and one of the key principles of the Federated Data Platform Information Governance Framework. Data cannot be accessed or processed by non-UK Government entities.Information on how data is protected, who can access it, and under what conditions, is available at the following link:https://www.england.nhs.uk/long-read/overarching-data-protection-impact-assessment-dpia-for-the-federated-data-platform-fdp/#18-in-which-country-territory-will-personal-data-be-stored-or-processed

Whether patients who are data controllers under the national data opt‑out can (a) review and (b) challenge how their records are processed within the Federated Data Platform.

The Federated Data Platform fully complies with the National Data Opt-Out policy. Confidential patient information is not used in the national instance, and only in a local instance for the purposes of direct care, and therefore the National Data Opt-Out does not apply. If this changes in the future, because a new product processes confidential patient information for a purpose other than direct care, the process for managing the opt out is laid out in the FDP Information Governance Framework, which can be found at the following link: https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/

What assessment he has made of the potential impact of Palantir's involvement on the NHS model of being free at the point of use.

The provision by Palantir Industries of the NHS Federated Data Platform (FDP) has no impact on National Health Service care being free at the point of use.Palantir is a technology supplier providing the underlying technology that supports the FDP. They do not influence NHS policy, funding models, or decisions about access to care. Their role is limited to delivering technical services under the direction and control of the NHS.

What milestones are included in the Federated Data Platform contract to (a) facilitate orderly off‑boarding and (b) data migration to an alternative provider.

The NHS Federated Data Platform Associated Services (FDP-AS) agreement has a comprehensive Exit Management Schedule which sets out the contract terms for exit, including the requirements on Palantir to support in re-procurement planning, exit, and transition assistance which would facilitate the migration to a future solution/state. Data migration is in the scope of the Exit Management provisions.The terms of the FDP-AS agreement, within the context of the potential total contract duration, sets out the timeframes and periods of assistance that NHS England may utilise to facilitate exit and migration.

Whether NHS England has stress‑tested the portability of (a) data schemas, (b) application programming interfaces and (c) dashboards for use on other vendor platforms.

NHS Federated Data Platform products are built using open-source technologies, for instance Python and Spark. End-user products can also be built using open market frameworks, for instance React, interfacing to the platform Application Programming Interfaces. The NHS Federated Data Platform has extensive integration capabilities. The platform has active integrations using alternative visualisation tools, for instance PowerBI. The NHS Federated Data Platform Data Schemas are published to GitHub.

Whether NHS‑funded analytics solutions created on the Federated Data Platform have been (a) patented and (b) registered by (i) Palantir Technologies and (ii) its subsidiaries.

Within the NHS Federated Data Platform (FDP), where the National Health Service commissions and funds the development of solutions, the intellectual property of these solutions remains with the NHS.Under the FDP-Associated Services Agreement between NHS England and Palantir, background intellectual property, prior to entering into the agreement, remains the property of the respective party.

What steps he is taking to support people with bladder and bowel control conditions in Devon.

All providers in Devon are asked to follow the formulary within the services they provide. The formulary provides information on continence care, with further information available at the following two links: https://southwest.devonformularyguidance.nhs.uk/formulary/chapters/18-continence https://northeast.devonformularyguidance.nhs.uk/formulary/chapters/18-continence As part of focused work in gynaecology, NHS Devon is in a project development phase to design and implement improved pathways for women with stress urinary incontinence and overactive bladder conditions. Livewell Southwest provides a continence service, offering assessments to adults, those aged 17.5 years old and above, living in Plymouth, West Devon, and South Hams. Livewell provides a holistic continence assessment, including routine observations, bladder scans, and skin integrity checks, as well as reviewing past medical history, medication, mobility, carer support, and diet and fluid. They offer ongoing support and products for any bowel and/or bladder issues that are identified and may refer patients to specialist nurses for further support or district nurses for ongoing care. Conservative advice is always given as first line management options during assessments, such as pelvic floor exercises for stress urinary incontinence, or bladder training and fluid intake advice for an overactive bladder. Livewell also liaises with general practices to request medication and to request ongoing referrals to secondary care specialists if needed. Livewell works closely with the other community teams. All patients are offered an annual reassessment. For children and young people, there is a team of specialist children’s nurses and specialist nursery nurses who provide assessment, treatment, support, and advice for children and young people with bladder and/or bowel difficulties. They provide continence promotion, and healthy bladder and bowel advice for children with additional needs. They see and assess children who are eligible for continence products because of a learning or physical disability.Devon has commissioned a paediatric integrated community nurse led bladder and bowel service for children and young people up to the age of 19 years old, to improve quality of life, to support effective self-management where appropriate, and to prevent chronic conditions developing and needing treatment or surgery in secondary care where possible.

What contracts their Department has with Palantir.

Details of Government contracts above £12,000 for procurements commenced before 24 February 2025 are published on Contracts Finder. Contracts procured under the Procurement Act 2023, which came into force on 24 February 2025, are published on the Central Digital Platform’s Find a Tender service.

If he will take steps to make (a) the NHS Accessible Information Standard and (b) deaf awareness training mandatory for NHS staff.

The revised Accessible Information Standard (AIS) was published on 1 July, and is available at the following link:https://www.england.nhs.uk/accessible-information-standard/NHS England is working to support implementation of the AIS with awareness raising, communication and engagement, and a review of the current e-learning modules on the AIS. The intention is to ensure that staff and organisations in the National Health Service are aware of the AIS and the importance of meeting the information and communication needs of disabled people using services.Since 2016, all NHS organisations and publicly funded social care providers are expected to meet the AIS, which details the recommended approach to supporting the information and communication support needs of patients and carers with a disability, impairment, or sensory loss.The responsibility for monitoring compliance with the AIS sits with the commissioner of the service.The revised standard requires those staff in relevant communication and information roles to be adequately trained. The AIS conformance criteria, published in 2016 and updated in June 2025, set out how organisations should comply with the AIS. NHS England is leading a system wide review of mandatory training which will include a new governance framework and a table of statutory obligations as well as a new competency framework setting out all nationally mandated subjects and learning outcomes.Following the commencement of regulations made under the Health and Care Act 2022, mandatory information standards will be introduced in a staged process. NHS England will consider the case for developing a mandatory AIS standard, and the timing for this, along with the other existing standards.

If he will bring forward legislative proposals to make the NHS Accessible Information Standard legally enforceable.

The revised Accessible Information Standard (AIS) was published on 1 July, and is available at the following link:https://www.england.nhs.uk/accessible-information-standard/NHS England is working to support implementation of the AIS with awareness raising, communication and engagement, and a review of the current e-learning modules on the AIS. The intention is to ensure that staff and organisations in the National Health Service are aware of the AIS and the importance of meeting the information and communication needs of disabled people using services.Since 2016, all NHS organisations and publicly funded social care providers are expected to meet the AIS, which details the recommended approach to supporting the information and communication support needs of patients and carers with a disability, impairment, or sensory loss.The responsibility for monitoring compliance with the AIS sits with the commissioner of the service.The revised standard requires those staff in relevant communication and information roles to be adequately trained. The AIS conformance criteria, published in 2016 and updated in June 2025, set out how organisations should comply with the AIS. NHS England is leading a system wide review of mandatory training which will include a new governance framework and a table of statutory obligations as well as a new competency framework setting out all nationally mandated subjects and learning outcomes.Following the commencement of regulations made under the Health and Care Act 2022, mandatory information standards will be introduced in a staged process. NHS England will consider the case for developing a mandatory AIS standard, and the timing for this, along with the other existing standards.

If he will take steps to ensure that the NHS Accessible Information Standard is (a) prioritised and (b) fully implemented.

The revised Accessible Information Standard (AIS) was published on 1 July, and is available at the following link:https://www.england.nhs.uk/accessible-information-standard/NHS England is working to support implementation of the AIS with awareness raising, communication and engagement, and a review of the current e-learning modules on the AIS. The intention is to ensure that staff and organisations in the National Health Service are aware of the AIS and the importance of meeting the information and communication needs of disabled people using services.Since 2016, all NHS organisations and publicly funded social care providers are expected to meet the AIS, which details the recommended approach to supporting the information and communication support needs of patients and carers with a disability, impairment, or sensory loss.The responsibility for monitoring compliance with the AIS sits with the commissioner of the service.The revised standard requires those staff in relevant communication and information roles to be adequately trained. The AIS conformance criteria, published in 2016 and updated in June 2025, set out how organisations should comply with the AIS. NHS England is leading a system wide review of mandatory training which will include a new governance framework and a table of statutory obligations as well as a new competency framework setting out all nationally mandated subjects and learning outcomes.Following the commencement of regulations made under the Health and Care Act 2022, mandatory information standards will be introduced in a staged process. NHS England will consider the case for developing a mandatory AIS standard, and the timing for this, along with the other existing standards.

Whether his Department has considered mandating UK-based technology providers for the management of NHS data.

In accordance with United Kingdom procurement law, legally established and eligible suppliers cannot be excluded from bidding in a procurement to deliver a contract. Contracts may specify arrangements for how and where data can be stored. The Procurement Act 2023 has introduced a power for the Government to exclude suppliers from public sector contracts if they pose a national security risk.

Pursuant to the Answer of 8 January 2025 to Question 21470 on Hospices: Charitable Donations, what recent assessment he has made of the adequacy of the proposed funding increase for hospice care.

We are supporting the hospice sector with a £100 million capital funding boost for adult and children’s hospices in England to ensure they have the best physical environment for care. The funding will help hospices to provide the best end of life care to patients and their families in a supportive and dignified physical environment.We are also providing £26 million of revenue funding to support children and young people’s hospices for 2025/26. This is a continuation of the funding which until recently was known as the children and young people’s hospice grant.Most hospices are charitable, independent organisations which receive some statutory funding from integrated care boards (ICBs) for providing National Health Services. The amount of funding each charitable hospice receives varies both within and between ICB areas. This will vary depending on demand in that ICB area, but will also be dependent on the totality and type of palliative care and end of life care provision from both NHS and non-NHS services, including charitable hospices, within each ICB area.We are also working to make sure the palliative and end of life care sector is sustainable in the long term and are determined to shift more healthcare out of hospitals and into the community through our 10-Year Health Plan.

What due diligence steps his Department takes to assess national security risks before awarding public health data contracts to firms with links to (a) foreign intelligence or (b) military operations.

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including: strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; andregular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security. It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation. All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

What assessment he has made of the security implications of awarding NHS data management contracts to (a) Palantir Technologies Inc. and (b) other companies with significant overseas (i) defence and (ii) intelligence clients.

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including: strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; andregular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security. It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation. All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Whether contracts awarded to Palantir Technologies Inc. for NHS data infrastructure permit cross-border data sharing without UK regulatory approval.

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including: strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; andregular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security. It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation. All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Whether his Department has made a cyber risk assessment of the use of Palantir’s software in centralised NHS data platforms.

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including: strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; andregular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security. It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation. All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Whether his Department has consulted UK defence and intelligence agencies on awarding NHS data platform contracts to foreign-owned companies with defence-sector operations.

NHS England conducted an independent and transparent procurement exercise in full compliance with public contract regulations. The selection of the preferred supplier was not determined by a single individual but was the result of a rigorous assessment process involving multiple stakeholders. Consulting the United Kingdom’s defence and intelligence agencies before awarding data contracts is not a usual part of NHS England’s procurement process. NHS England did work with the National Cyber Security Centre for this procurement. In accordance with procurement regulations, NHS England cannot exclude any legally established and eligible supplier from participating in the bidding process.

What steps he has taken to ensure that NHS data handled by Palantir Technologies cannot be accessed or processed by non-UK government entities.

The NHS Federated Data Platform (FDP) has been designed with stringent safeguards to ensure that patient data is protected in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.Access to National Health Service health and social care data within the FDP is tightly controlled. Only authorised users are granted access, and solely for approved purposes that demonstrably benefit patient care or NHS operations. Palantir Technologies, as the software provider, operates strictly under the instruction of NHS England. They do not control the data, nor are they permitted to access, use, or share it for any independent purpose. To further strengthen data protection, the FDP incorporates advanced Privacy Enhancing Technology (NHS-PET), which has been procured from a separate supplier to ensure independence and to mitigate any potential conflicts of interest. This technology ensures that data is processed in a secure and privacy-preserving manner. The contract with Palantir Technologies includes robust confidentiality clauses and is governed by a comprehensive oversight framework. This framework includes regular audits, monitoring, and reporting to ensure compliance with legal and ethical standards. Data Protection Impact Assessments have been conducted to assess and mitigate any risks to individual rights and freedoms.It is a contractual requirement that personal data stored in the FDP and NHS-PET cannot be accessed by its provider’s personnel or contractors based outside the United Kingdom. In accordance with GDPR principles of transparency and accountability, NHS England has published details which outline how data is protected, who can access it, and under what conditions. Further information is available at the following link:https://www.england.nhs.uk/long-read/overarching-data-protection-impact-assessment-dpia-for-the-federated-data-platform-fdp/#18-in-which-country-territory-will-personal-data-be-stored-or-processedThese measures collectively ensure that NHS data remains under UK jurisdiction and all processing of patient information will be within the UK only. This is a contractual requirement, and one of the key principles of the FDP Information Governance Framework. Data cannot be accessed or processed by non-UK government entities.