NHS Federated Data Platform privacy notice

This privacy notice provides information about the processing of personal data in the NHS Federated Data Platform (FDP).

For more information about the FDP, please see the dedicated webpages about FDP and the frequently asked questions.

This privacy notice provides answers to the following questions about the processing of personal data in the FDP:

  1. What is the NHS Federated Data Platform (“FDP”)?
  2. When will the FDP start being used?
  3. What type of data is processed in the FDP?
  4. Who is responsible for processing data in the FDP?
  5. What are the purposes for processing Personal Data in the FDP?
  6. Where does the data processed in the FDP come from?
  7. Who has access to data in the FDP?
  8. How is data protected in the FDP?
  9. How long will the data in the FDP be kept for?
  10. Where is data held in the FDP stored?
  11. What are my data protection rights in relation to Personal Data processed in the FDP?
  12. What are the legal grounds to process Personal Data in the FDP under data protection law?
  13. Do opt-outs apply to data processed in the FDP?
  14. Questions, feedback, concerns and your right to make a complaint
  15. Changes to this Privacy Notice

1. What is the NHS Federated Data Platform (“FDP”)?

Data is a core part of how the NHS delivers care. It’s at the heart of transforming services and improving outcomes for patients; using it well saves lives.

The NHS Long Term Plan highlights the importance of technology in the future NHS; setting out the critical priorities that will support digital transformation and provide a step change in the way the NHS cares for citizens.

People, data and technology are crucial to the ongoing evolution of the NHS. Working together in these key areas will support and enable local NHS organisations to:

  • work in more efficient ways,
  • improve diagnosis and treatment,
  • improve services.

A key enabler for this is the roll-out of the NHS Federated Data Platform.

The NHS uses data every day to manage patient care and plan services. Historically, it’s been held in different systems that don’t always speak to each other, creating burden for staff and delays to patient care. The Federated Data Platform is a solution to that problem. The FDP brings data together from existing IT systems to enable staff in an NHS organisation to access the information that their own IT systems already hold in a single, safe and secure place.

The NHS Federated Data Platform

The NHS Federated Data Platform is made up of a number of separate independent data platforms, each of which is called an “Instance”, alongside transparency and privacy enhancing technology, which is called “PET”. Together, we call the different Instances and PET the “FDP” in this Privacy Notice.

Some Instances are operated by NHS England and are called “National Instances”. There are also separate Instances which are operated by an NHS trust or an integrated care board in a local area, which we call “Local Instances”.

We call each of these organisations “User Organisations” in this privacy notice.

Privacy Enhancing Technology or PET

The National and Local Instances work alongside PET. PET is transparency and privacy enhancing technology which has two functions:

  1. Registering data flows – PET creates records of the types and uses of data which are used in every Instance of FDP. We call this “registering” the data. PET does not process the Personal Data to do this. From March 2024 when the FDP starts to be rolled out, PET will be integrated into all Instances and will register all data being used in the FDP.
  2. Treating Personal Data – PET can also be used to de-identify Personal Data. This involves processing Personal Data. PET will not initially process Personal Data to de-identify it. This will however start to be done in phases from Summer 2024.

Products

Each Instance of the FDP uses the same underlying technology and software and has the same basic technical functionality. However, the FDP uses the technology, software and functionality in different ways for different purposes in specific “Products”.

Some Products are only designed to be used in the National Instances, some are only designed for the Local Instances, and some are designed to be used in both types of Instance.

A Product is a software solution for a particular NHS need. Each Product will process only the data which is the minimum necessary to meet that NHS need. Most Products that will be used in Local Instances will be designed to help clinicians to provide care and treatment to their patients. This means that information that identifies their patients who are receiving care and treatment will be used in the Local Instances.

Most Products that will be used in the National Instances will be designed to help NHS England, NHS Trusts and Integrated Care Boards to understand how the NHS is operating and to plan and manage how they deliver healthcare services safely and effectively. Where a Product that is used in the National Instances is also to be used by an NHS Trust or Integrated Care Board, then it will also be available in their Local Instance. Most Products in the National Instances will only need to use data that does not identify individuals, because NHS England doesn’t usually need data that identifies specific patients to help plan, commission and manage health care.

Although each Instance of the FDP is separate from other Instances, where it is agreed that data can be shared across Instances, the Products used in FDP can provide a safe and secure way to share relevant information. This is known as federation.

Sharing data across Instances will only happen within a Product where this is necessary for organisations to work together to provide care directly to patients or to manage and plan how care is delivered to patients. Data will only ever be shared where it is allowed under data protection laws. There is more about how data is shared in Section 7 below.

2. When will the FDP start being used?

The FDP is being rolled out to User Organisations in implementation Phases.

Transition Phase: March 2024 – May 2024

The first Phase is the “Transition Phase”, which involves NHS England, NHS Trusts and Integrated Care Boards who currently use Products, moving their existing Products onto the new version of the software that is in FDP. There is no change to the data that is being processed, the purposes for which it is processed or the User Organisations who are processing the data during the Transition Phase.

The Transition Phase will start in March 2024 and is expected to run until May 2024. It will consist of 5 Waves, starting with Wave 0 and finishing with Wave 4. Each Wave will consist of a number of existing User Organisations and existing Products which will transition to FDP. This is organised in Waves to manage the transition process.

Delivery Phase: May 2024 – March 2027

The Delivery Phase is expected to start in May 2024 and run through to March 2027. Following a successful transition of existing User Organisations and Products to FDP, FDP will be rolled out more widely in the NHS. This will involve rolling out:

  • Existing local Products to new User Organisations in Waves.
  • The use of PET to process Personal Data to de-identify it and to replace legacy NHS de-identification solutions.
    • PET will be used to support Products which require Personal Data to be de-identified for them to be used for the purpose of the Product. This will apply to National Products. Currently there are no Local Products which require Personal Data to be de-identified for them to be used.
    • This will be a staged process and is expected to commence from summer 2024 and continue until 2026.
  • New Products to User Organisations

During the implementation of FDP, this Privacy Notice and the Product Privacy Notices will be regularly updated to list the Products and User Organisations who are using FDP and also when PET starts to process Personal Data.

3. What type of data is processed in the FDP?

Types of data

Data means items of information. There are two main types of data that are processed in the FDP:

1. Personal Data

Personal Data is defined in data protection law and is information relating to a living individual that can directly or indirectly identify them. Personal Data can be either:

  • Directly Identifiable Data – this is Personal Data that can directly identify an individual, for example, a name.
  • De-Identified Data – this is Personal Data that has been de-identified, so that an individual can no longer be directly or indirectly identified in the data, but where the organisation holding the data does still have the means to identify the individual.

Individuals have a number of rights under data protection law in relation to their Personal Data. Please see Section 11 below.

Categories of Personal Data

Personal Data that is processed in the FDP will include information that identifies an individual, including basic information such as a name, address, date of birth and contact details, and information about the individual’s health and treatment.

The items of Personal Data that may be processed vary depending on the Product and the purposes for which they are being processed. Each Product will process only the data which is the minimum necessary to meet the NHS need. There is more information about the categories of information that may be processed.

Personal Data will only be processed in FDP where it is strictly necessary for the specific purpose it is being used for. NHS staff who are using FDP are subject to strict confidentiality rules and FDP will only allow them to see the items of Personal Data which they need to see for the purposes for which they are using the data. Where they don’t need to know who an individual is, FDP will restrict their access to De-Identified Data or Anonymous Data (which is defined in the section below).

Each organisation using FDP will decide which members of staff can see specific types of information in line with data protection requirements, by using access control rules that are implemented within the FDP to strictly minimise access to only data that is necessary for a particular purpose.

2. Anonymous Data

This is data that does not relate directly to individuals. It can be either:

  • Anonymised Data – this is data which may have been Personal Data, but that has been de-identified so it no longer directly or indirectly identifies an individual. Data is anonymous when it is not reasonably possible for the organisation or the person using the data to re-identify the individual.
  • Aggregated Data and Operational Data – this is data that does not relate directly or indirectly to specific individuals. For example, statistics about groups of individuals where no one can identify any specific individuals from the statistics, eg numbers describing the stocks of medicine, or the number of beds in a hospital.

Data protection law does not apply to Anonymous Data.

The type of data and categories of Personal Data that are processed in FDP vary in relation to each Product used on FDP. More information about each Product and the data that is processed in them is available in Section 5 below.

4. Who is responsible for processing data in the FDP?

NHS England, and a number of NHS Trusts and Integrated Care Boards, are using the FDP and each has their own data protection responsibilities for the data they process in FDP. Each of these organisations is a User Organisation.

What are the responsibilities of User Organisations under data protection law?

Under data protection law, each User Organisation is the ‘Controller’ for the Personal Data it processes in its Instance. As a Controller, each User Organisation makes decisions about how to use the FDP, which Products it wants to use in its own Instance, and what Personal Data it needs to put into the FDP to use those Products.

NHS England is the Controller for the Personal Data which is processed within the National Instances.

Each NHS Trust or Integrated Care Board is the Controller of the Personal Data which is processed within its Local Instances.

NHS England, and each NHS Trust or Integrated Care Board, are also joint Controllers for some aspects of how the FDP operates. There is more about this here: NHS England » Joint controllers

5. What are the purposes for processing Personal Data in the FDP?

At present, all User Organisations have agreed only to use FDP for purposes that fall within five broad NHS priority purposes, which we call “Use Cases”. All Products which are used by the FDP therefore must also fall within one of these Use Cases. The five current Use Cases are:

  • Population Health and Person Insight – to help integrated care systems proactively plan services that meet the needs of their population
  • Vaccination and Immunisation – to continue to support the vaccination and immunisation of vulnerable people whilst ensuring fair and equal access and uptake across different communities
  • Elective Recovery – to address the backlog of people waiting for appointments or treatments which has resulted from the COVID-19 pandemic alongside Winter pressures on the NHS
  • Care Coordination – to enable the effective coordination of care between local health and care organisations and services, reducing the number of long stays in hospital
  • Supply Chain – to help the NHS put resources where they are needed most and buy smarter so that we get the best value for money

In future User Organisations may agree that FDP can be used to meet other Use Cases. NHS England has agreed to consult with patient groups and other organisations, including the National Data Guardian and the Information Commissioner’s Office, before any other Use Cases are agreed.

For example, one of the Products which will be used by NHS Trusts in Local Instances of the data platform from Wave 1 is called The Optimised Patient Tracking and Intelligent Choices Application (OPTICA).

The Product is integrated with a hospital’s electronic patient records and, combined with other local health and social care data systems, ensures that relevant information related to patient discharges is available to clinical teams and leaders, in one place, as a single version of the truth.

This is a Product that tracks all admitted patients and the tasks and blockages relating to their discharge in real-time through their hospital journey. The Product is helping ensure that patients who no longer need to be in hospital can go home, or into appropriate community services with relevant support, as quickly as possible.

This Product falls within the Care Coordination Use Case.

There is a video which provides more information about the benefits of using this Product for patients and staff.

6. Where does the data processed in the FDP come from?

The Personal Data processed in the FDP is Personal Data that is already held in local IT systems or is shared back with local IT systems and is processed by each User Organisation in accordance with data protection laws.

In the case of NHS Trusts, the Personal Data that is brought into the FDP will be Personal Data taken from other hospital systems, such as theatre scheduling systems and electronic patient record systems. In some cases, the Product will generate some new information, for example a hospital discharge summary, and that information will be shared back into the electronic patient record system by the local NHS Trust.

In the case of NHS England, the Personal Data processed in the FDP will be Personal Data that NHS England has already collected from NHS Trusts and currently processes in other NHS England data platforms, including the COVID-19 data platform.

7. Who has access to the data in the FDP?

Staff in a User Organisation

Staff who work for a User Organisation will only have access to the data in the FDP that they need to perform their specific job. In Local Instances, this will include doctors, nurses, administration staff supporting them, and administration staff and managers running the hospital.

Staff in other organisations

So that a hospital can provide you with the best care, it may need to share data about you that is processed in the FDP with other organisations. NHS England may also want to share Aggregated Data with your hospital or local Integrated Care Board to help them to plan and manage care they provide to their patients.

Any Personal Data that is shared with other organisations will be the minimum amount necessary. Individuals will only be identified if this is necessary for the purposes for which it is shared. For example, in a Product used in a Local Instance information about an individual may need to be shared with another organisation for the purposes of the individual’s care. Personal Data can only ever be shared if there are legal grounds under the data protection laws that allow this.

Where possible, if data needs to be shared, this will be done within the FDP. Data will be shared with other User Organisations through the FDP by providing members of staff from other User Organisations with access to the data across Instances of the FDP.

For some Products, including in the National Instances, dashboards are produced which may be viewed by other organisations, including NHS Trusts and the Department for Health and Social Care, who are not User Organisations. Providing access to these dashboards through FDP will help keep the data secure.

In some cases, data may need to be shared outside of FDP. If this happens, logs of the data sharing will be kept by the FDP. These logs will register who the data was shared with and for what purposes. Only certain authorised users in a User Organisation will be able to approve data sharing with other organisations.

If the data is not being shared for individual care, and is Personal Data or Confidential Data, the User Organisations will only share data or provide access to view it, where there is a data sharing agreement in place.

Information about how data is kept secure in FDP, and when it is shared, is in Section 8 below.

Processors – FDP Contractors

There are two companies that together provide the software for the FDP and who operate and maintain this software for each User Organisation. NHS England appointed these two companies following a public procurement. Together we call these companies the “FDP Contractors”.

They are:

  • Data Platform – Palantir Technologies UK, LTD.
  • PET – IQVIA LTD.

The FDP Contractors only process Personal Data in the FDP where it is necessary for them to operate and maintain the FDP (which we call “FDP Services”) for User Organisations. Under data protection law they are called “Processors”. This means that they can only process Personal Data on behalf of a User Organisation and for the purposes of providing these FDP Services. They must only act on the written instructions of the User Organisation. These written instructions are given under a data processing agreement between the FDP Contractor and each User Organisation for each Product that a User Organisation chooses to use.

If a Processor breaches the terms of its data processing agreement, or processes Personal Data outside of the instructions given by a Controller, this may breach data protection laws. This may lead to the Information Commissioner taking regulatory action, including issuing a fine to a Processor who has broken the law.

The FDP Contractors are not allowed to appoint other contractors (“Sub-processors”) to work for them to process Personal Data to provide the FDP Services unless those Sub-processors have first been approved by User Organisations. A list of Sub-Processors that have been approved by User Organisations is here: NHS England » Sub-processors

The FDP Contractors and their Sub-processors are not allowed to use any Personal Data in the FDP for their own purposes, except some limited data, such as contact details, concerning User Organisations’ staff which they need to provide the FDP Services.

8. How is data protected in the FDP?

The FDP has been developed with privacy at the centre of its design, ensuring that the protection and privacy of Personal Data has been considered through the design of FDP, into the implementation of the Products and in relation to the governance approach to using FDP.

Data is protected in a number of ways including:

  • Separation of Control – The FDP is designed to work as separate Instances controlled by each User Organisation. Governance and technical controls are in place to ensure that no individual organisation or user has access to all data. NHS user roles are separated to ensure no individual has access to all data.
  • Separation of the Data Platform from PET – PET is provided by a separate contractor from the supplier of the data platform. This means that where only De-Identified Data is needed for a particular Product, no Directly Identifiable Data needs to be shared into an Instance. It will be processed by the PET Contractor to remove identifiers before it is shared into the Instance. This service is expected to start from Summer 2024.
  • Role based access controls – NHS user roles are defined and separated to ensure that staff are only able to access data they need to do their work.
  • Staff training – All staff are required to complete mandatory data protection and security training in the NHS. In addition, staff will undergo training in the use of each Product, ensuring data is used appropriately and securely.
  • Data minimisation – The FDP will only process the minimum data that is necessary for the purposes of a Product. This is assessed as part of a Data Protection Impact Assessment (DPIA) which is required under data protection laws where Personal Data is processed within FDP and is carried out as part of a User Organisation deciding to use a Product.
  • Transparency of data access and use – PET will create records of all data entering and leaving the platform and its approved purposes of use.
  • Audit Logs – All access and use of data in the FDP will be logged so that User Organisations can audit and review who has accessed what data in their Instance.
  • User authentication – All user access to the FDP must be authenticated using multi-factor authentication.
  • Technical Security – All data stored in the FDP will be protected via industry good practice layers of protection, including encryption of data stored in FDP and in transit (when it comes to FDP and leaves FDP), regular penetration testing, firewalls, anti-virus and intrusion protection.
  • Security Monitoring – Cyber and security threats in FDP will be monitored by the FDP Contractors and by NHS England’s Cyber Security Operations Centre.
  • Privacy Treatment – PET will provide tools to de-identify Personal Data where Personal Data needs to be de-identified before it is used in a Product.

9. How long will the data in the FDP be kept for?

Data will be kept in the FDP for as long as it is necessary for a User Organisation to process it. This will depend on the Product the data is used in and the purposes for which the data is processed. The processing of all Personal Data, including the periods of time that data is kept, will be in accordance with the NHS Records Management Code of Practice 2021.

10. Where is data held in the FDP stored?

All data held in the FDP is securely stored on servers in the United Kingdom (UK).

11. What are my data protection rights in relation to Personal Data processed in the FDP?

Under data protection law, you have the following rights over your Personal Data:

  • Your right to be informed about how your Personal Data is used – You have the right to be told how and why a User Organisation is processing your Personal Data. This Privacy Notice has been published to explain how your Personal Data is being processed by all User Organisations (“Right to be informed”).
  • Your right to get copies of your Personal Data – You have the right to ask a User Organisation that is processing your Personal Data in FDP for copies of your Personal Data (called a “Right of access”).
  • Your right to get your Personal Data corrected – You have the right to ask a User Organisation that is processing your Personal Data in FDP to correct (“Right to rectify”) your Personal Data if you think it is inaccurate or incomplete.
  • Your right to get your Personal Data deleted – You have a right to ask a User Organisation that is processing your Personal Data in FDP to delete (“Right to erase”) your Personal Data in certain circumstances.
  • Your right to restrict how your Personal Data is used – You have the right to ask a User Organisation that is processing your Personal Data in FDP to limit the way they use it (restrict processing) in certain circumstances (“Right to restrict”).
  • Your right to object to how your Personal Data is used – You have the right to object to a User Organisation about how your Personal Data is used in FDP in certain circumstances (“Right to object”).
  • Your right of data portability – You have the right to ask a User Organisation that is processing your Personal Data in FDP to transfer your Personal Data to another organisation or give it to you in certain very limited circumstances (“Right of data portability”).
  • Your right to not have ‘automated’ decisions made about you by a User Organisation, including profiling – You have the right not to have automated decisions made about you, including profiling, if the decision affects your legal rights or it has other significant effects on you.

To exercise your data protection rights, you should contact the Data Protection Officer for the User Organisation who is processing your Personal Data. A list of Data Protection Officer contact details for all FDP User Organisations is here.

You can find out which specific data protection rights apply in relation to Personal Data processed in each Product in the Product Privacy Notices.

12. What are the legal grounds to process Personal Data in the FDP under data protection law?

User Organisations must have legal grounds under data protection law before they can use your data in FDP.

The Privacy Notices for each Product provide specific information about the legal grounds that apply to the processing of data in each Product which you can access here: NHS England » FDP products and product privacy notices

Personal Data

In general, User Organisations will rely on one or more of the following legal grounds to process Personal Data in the FDP under data protection law:

  • Legal obligation – Article 6(1)(c) of UK GDPR.
  • Public task – Article 6(1)(e) of UK GDPR.

Special Category Personal Data

User Organisations also need an additional legal ground to process special categories of Personal Data under data protection laws. “Special Category Data” is:

  • Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,
  • the processing of genetic data,
  • biometric data for the purpose of uniquely identifying a natural person,
  • data concerning health, or
  • data concerning an individual’s sex life or sexual orientation.

The legal grounds for processing Special Category Data under data protection law include:

  • Substantial public interest – Article 9(2)(g) of UK GDPR, plus Schedule 1, Part 2, Paragraph 6 “statutory etc and government purposes” of the Data Protection Act 2018 (“DPA 2018”)
  • Health or social care – Article 9(2)(h) of UK GDPR, plus Schedule 1, Part 1, Paragraph 2 “Health or social care purposes” of DPA 2018
  • Public health – Article 9(2)(i) of UK GDPR, plus Schedule 1, Part 1, Paragraph 3 “Public health” of DPA 2018
  • Statistical purposes – Article 9(2)(j) of UK GDPR, plus Schedule 1, Part 1, Paragraph 4 “Research etc” of DPA 2018

Confidential Data

Personal information about an individual which has been provided in circumstances of confidence is called “Confidential Data”. This includes information that directly or indirectly identifies an individual and information about the health care and treatment of an identifiable individual. Additional rules apply when Confidential Data is processed by a User Organisation in the FDP and additional legal grounds will apply. More information about these rules and the legal grounds is here: NHS England » Legal grounds for processing confidential data

13. Do Opt-outs apply to data processed in the FDP?

Type 1 opt-outs – Do not currently apply to Products used in the FDP

A Type 1 opt-out registered with a GP Practice prevents an individual’s confidential patient information from being shared outside of their GP Practice except when it is being used for the purposes of their individual care.

Type 1 opt-outs do not apply to data processed in the FDP because:

  • No confidential patient information that has come from a GP Practice is being processed by a Product in the National Instances of FDP.
  • Confidential patient information that has come from a GP Practice which is being used in the FDP in a Product in a Local Instance is only being used for the purposes of individual care.

If this changes in the future because a new Product processes confidential patient information in a way which would mean that the Type 1 opt-out would apply, the relevant User Organisation would be responsible for ensuring that the Type 1 opt-out was applied and this Privacy Notice will be updated to make this clear.

National Data Opt-Out – Does not currently apply to Products used in the FDP

The National Data Opt-Out provides an individual with a right to opt out of their confidential patient information being used for purposes beyond their direct care, unless an exemption applies. More information about exemptions is available here: https://www.nhs.uk/your-nhs-data-matters/where-your-choice-does-not-apply/

The National Data Opt-Out does not apply to data processed in the FDP because:

  • National Instances – No confidential patient information is being processed by a Product in the National Instances of FDP to which the National Data Opt-Out would apply.
  • Local Instances – Confidential patient information that is being used in the FDP in a Product in a Local Instance is only being used for the purposes of direct care and therefore the National Data Opt-Out does not apply.

More information about why the National Data Opt-Out does not apply is set out in each Product Privacy Notice.

You can find out more about the National Data Opt-Out, register one, or change your choice on nhs.uk/your-nhs-data-matters.

Local opt-outs

NHS Trusts and Integrated Care Boards may have provided their patients with the right to opt out of their Confidential Data or Personal Data being used for specific purposes within their local area, eg within local shared patient record systems, for particular purposes.

More information about those local rights to opt-out will be provided in the relevant NHS Trust or Integrated Care Board Privacy Notices, which should be available on their websites. It is the responsibility of the NHS Trust and Integrated Care Board to ensure that local opt-outs are implemented within the data that is shared into and processed in FDP where they apply.

14. Questions, feedback, concerns and your right to make a complaint

A lot of information is published about FDP on the NHS England website.

If you have any questions about the FDP that you can’t find the answer to on the website, or you want to leave feedback about any aspect of FDP, or you would like to register to take part in future FDP engagement activity, you can do this through the FDP Engagement Portal.

If you have any concerns about how a User Organisation is using your Personal Data, please contact its data protection officer. Details for each User Organisation’s data protection officer are here: NHS England » FDP User Organisations data protection officer

If you are not happy with the response from the data protection officer, you have the right to make a complaint about how your Personal Data is being used in the FDP to the Information Commissioner’s Office (“ICO”). You can do this by:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow
Cheshire, SK9 5AF

15. Changes to this Privacy Notice

We will make changes to this notice to reflect the roll out of the FDP across the NHS and as new Products are made available through FDP. When we do, the ‘last edited’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.

Last edited 12.16 25 March 2024
