How we are protecting privacy and confidentiality

NHS England takes its responsibilities to handle health and care data proportionately, ethically and in confidence very seriously. We are committed to keeping patient information safe and being transparent about how it is used and explaining patient choice to opt out.

NHS Privacy Enhancing Technology (NHS-PET)

NHS England is committed to keeping patient information safe and being transparent about how it is used. NHS Privacy Enhancing Technology (NHS-PET) will provide robust protection and deliver a standard approach to support safe data access and use. The first use of the new NHS-PET will be for the Federated Data Platform Programme (FDP).

NHS-PET is a standalone service and will be used across various NHS data platforms, therefore, the successful supplier will be required to scale the use of the solution across the enterprise.

The 3-year NHS-PET contract will have an additional option to extend by 24 +12 + 12 months with a total estimated value of up to £35,000,000 over the contract period. The actual contract value will depend on the extent of the use of the service.

More information about the PET procurement can be found on the website.

Access to data within the Federated Data Platform

Access to data must have an explicit aim to benefit patients and/or the NHS in England. Access to NHS health and social care data within federated data platforms will be carefully controlled. Only authorised users will be granted access to data for approved purposes.

Separate ‘federated’ platforms will enable us to manage access to data and information securely and information within each platform will ultimately be determined by the individual NHS organisation, based on key challenges and priorities they need to address.

Where the appropriate data sharing agreements are in place, trust and ICS data platforms will be able to interact with one another – for example an ICS coordinating the discharge of patients from hospital to care settings within a geographical area.

Individual data platforms will also interact with a national NHS England data platform where appropriate, ie to understand in real time how many patients are in hospital, how long patients are waiting for critical treatments, and where pressure points are across the system.


All uses of data within federated data platforms must be ethical, for the public good, and comply with all existing law – not just data protection.

Data protection law will continue to apply. This means there must always be a valid lawful basis for the collection and processing of personal information (including special category information) within federated data platforms, as defined under data protection legislation.

Other laws we must adhere to include:

Each NHS organisation will be the data controller for their ‘federated’ platform instance. The use of the data will always remain under the full control and protection of the NHS. The software provider will not hold or have access to NHS data and data access must never be provided for marketing or insurance purposes.

Data made available for analysis in federated data platforms must protect patient confidentiality using techniques such as data minimisation and de-identification.

De-identification practices mean that personal identifiers are removed from datasets to protect patient confidentiality. This includes techniques such as aggregation, anonymisation, and pseudonymisation. The level of de-identification applied to data may vary based on user roles and requirements for accessing the data. This is in line with ICO (Information Commissioner’s Office) guidance.

Where the data being accessed is Confidential Patient Information, the requirements of the common law duty of confidentiality must also be met.

There are strict processes in place regarding data governance. This will include the completion of a Data Protection Impact Assessment (DPIA) and the creation of data sharing agreements and privacy notices. This process must be completed and approved prior to any data sharing commencing.

Personal data for direct care (i.e. to manage diagnosis, to schedule a treatment or appointment, and to manage a patients discharge from hospital) will be required to be held in identifiable form. This does not mean that a user of an individual platform (such as a clinician, bed manager or discharge coordinator) could access a full health record using the platform; each user will only see the data required to carry out a specific task relating to a patient’s direct care. In this instance, the data controller would be the NHS organisation responsible for providing the patients care i.e. a hospital. The data held for this purpose would be held within the trust instance of their federated data platform, as such the data could and would not be used for any other purpose or in any other instances of the federated data platform.

Where personal data is used for secondary purposes (this means that the use of the data is different to the purpose for which the data were originally collected) such as to plan and improve health and care services, de-identification techniques will be used to make it less identifiable. De-identification practices mean that some obvious personal identifiers like name or date of birth are removed from datasets to protect patient confidentiality, but the data remains personal data.

In some cases, NHS Bodies may need to link data to understand what factors are driving poor outcomes in different population groups. For example, local Population Health Management teams often link data to understand current health and care needs and predict what local people will need in the future. Health problems are complex, and, in many cases, a single health issue may be influenced by interrelated social, environmental, and economic factors. By linking data, local health and care services can then design new proactive models of care. In this instance the data controller would be a local integrated care board (ICB) or integrated care system (ICS) responsible for planning and commissioning services which meet the needs of their population.

National data opt out

The national data opt out applies to all data which is used for secondary use purposes. This means that the use of the data is secondary to the purpose the data was originally collected for (such as direct care). Some of the use cases for the federated data platform fall into this category, for example, population health and will need to demonstrate adherence to the national data opt out. If you don’t want your data to be used for reasons other than your individual care, you can opt out using the national data opt out.

For each individual use case, the purpose of the data access and the type of personal data required will be identified in the mandatory Data Protection Impact Assessment (DPIA), which will be published. A privacy notice will also be written and published which will detail the types of data used for each use case. These information governance (IG) documents will be required to be approved by participating organisations before personal data can be accessed.

Data protection law applies to all processing of personal data, and the data in the federated data platform will be personal data. This means there must always be a valid lawful basis for the collection and processing of personal information within federated data platforms, as defined under data protection legislation.

Further information