National Data Integration Tenant (NDIT) Federated Data Platform (FDP) product privacy notice

Product description

The National Data Integration Tenant (NDIT) is used by NHS England to allow NHS organisations (trusts and integrated care boards [ICBs] etc) to submit the data that they legally required to provide. This includes the data they hold in both personal identifiable form and non-identifiable form to NHS England. The National Data Integration Tenant is an area within the Federated Data Platform (FDP) that allows this data to be shared in a simple, clear, secure and ordered way. The NDIT supports the national data collections and helps to make sure that your personal confidential data is managed securely. 

What are the purposes for processing my personal data?

NDIT processes personal information (called ‘personal data’ under data protection laws) about patients’ that NHS England are legally required to manage. This allows NHS England to make sure that the wider NHS operations are being appropriately managed by the NHS organisations. The personal information will be arranged to make sure that it is in the right order before being used.

The data will be treated, which means that you can’t be identified from the data in the dashboard because all identifiers such as your name, NHS number, full address and full date of birth have been removed from the data which is used. This is called de-identification. Your data is de-identified by NHS England before it is transferred into FDP. The de-identified data is then processed by other products within FDP, this includes:

  • Healthcare Operational Data Flow (HODF) Community
  • Healthcare Operational Data Flow (HODF) Acute
  • Patient Level Information and Costing Systems (PLICS) Local Costing Collection
  • Virtual Wards
  • Cancer Waiting Times
  • NHS App
  • National Digital Channels (NDC)
  • Diagnostic Imaging Dataset (DIDS) version 2.0

Each of the above products have their own privacy notices that can be located on the NHS England website.

What personal data about me is processed?

Personal data which directly identifies you (we call this directly identifiable data) will be collected by NHS England about patients who have received treatment from an NHS organisation, for the purposes above. Data that is processed NDIT may include a patient’s:

  • name
  • address including postcode
  • date of birth and age
  • sex and gender
  • marital status
  • living habits
  • physical description
  • NHS number
  • contact number
  • online identifier (IP address/event logs) and location data relating to travel
  • physical/mental health condition/diagnosis/treatment
  • racial/ethnic origin
  • religion or other beliefs
  • genetic data

The above personal data will be de-identified (we call this pseudonymised data) before being processed by NHS England teams for the purposes of monitoring the operation of the NHS organisation workings.

IQVIA will act as a data processor in relation to ‘treating data so that a person can no longer be identified. IQVIA teams will not have access to the identifiable data processed.

Who is my personal data shared with?

The information will be shared with NHS England by NHS organisations (Trusts and Integrated Care Boards etc) as they are legally required to. This information will not be shared further in identifiable form.

IQVIA will act as a data processor in relation to ‘treating data so that a person can no longer be identified. IQVIA teams will not have access to the identifiable data processed.

Once the data has been de-identified this will be used by NHS England to perform the analysis and assessment of the services provided by NHS organisations.

Before making data available, it will be de-identified to ensure individuals cannot be identified within the data.

UK General Data Protection Regulation (GDPR) Information

Controllers of your personal data

Under data protection law NHS England are the legal controllers of your de-identified personal data. 

Legal grounds for processing your personal data

The processing of de-identified personal data by NHS England for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA2018)):

  • Legal obligation – Article 6(1)(c)… ‘the processing is necessary for compliance with a legal obligation’. This applies where NHS England is directed under section 254 of the Health and Social Care Act 2012 to collect and analyse personal data for the purpose of producing the dashboards.
  • Public task – Article 6(1)(e) … ‘the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller by virtue of the statutory functions referred to above, where NHS England processes and shares Personal Data through the dashboard with other organisations in reliance of its statutory powers above. 

Also, in the discharge of its duty under section 13E of the NHS Act 2006:

    • securing continuous improvement in quality of services provided to individuals for or in connection with
    • the prevention, diagnosis or treatment of illness, or
    • the protection or improvement of public health
  • Substantial public interest – Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest’ together with the legal ground in schedule 1, part 2, paragraph 6 of the Data Protection Act 2018 (“DPA 2018”) “statutory etc and government purposes”. This applies where NHS England processes de-identified personal data under legal obligation above.

Processor acting on behalf of NHS England

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of NHS England. They provide the data platform and the technology that the product uses and only act on the instructions of NHS England to process the de-identified data to store it and make it available to NHS England in the platform for the product.

IQVIA will act as a data processor in relation to ‘treating data so that a person can no longer be identified. IQVIA teams will not have access to the identifiable data processed.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by NHS England for the purposes above:

  • right to be informed
  • right of access
  • right to rectify
  • right to object

Further information about these rights is in the NHS Federated Data Platform Privacy Notice.

You can contact NHS England’s data protection officer at england.dpo@nhs.net

Does the National Data Opt Out or any other opt out apply?

The National Data Opt Out does not apply to the processing of this personal data by NHS England in this product. This is because NHS England is required by law under the legal direction to process the data to create the dashboards. The National Data Opt Out does not apply in these circumstances. The National Data Opt Out also does not apply to the data that is made available through the dashboards as information that can identify you has been removed.

More information about when the National Data Opt Out does not apply is available on the nhs.uk website.

Type one opt outs do not apply to this product as no confidential patient information obtained from GP practices is used in this product.

More information

For more information about how personal data is processed within the Federated Data Platform please see the NHS Federated Data Platform Privacy Notice.

Last updated date: 18 July 2025