Date published: 16 February, 2026
Date last updated: 16 February, 2026
Digital

FDP Data Governance Group – minutes and actions, 7 May 2025

Meeting date: Wednesday 7 May 2025
Venue details: online meeting (MS Teams)

In attendance

  • Head of Information Governance (IG), FDP Programme, NHS England (Chair)
  • Associate Delivery Manager, NHS England (Secretariat)
  • Advisory Group for Data (AGD) Representative, NHS England
  • Data Protection Officer Representative, NHS England
  • Head of IG, University Hospitals of Northamptonshire 
  • IG Senior Consultant attached to FDP, Strategic IG, NECS CSU
  • Senior IG Consultant, Midlands and Lancashire Commissioning Support Unit (CSU)
  • EMEA Associate Director, IQVIA
  • IG Lead, Moorfields Hospital
  • Associate Director, Caldicott Guardian, NHS England

Apologies

  • Head of IG, East of England Region
  • Head of IG, Kingston Hospital NHS Trust                          

1. Welcome and apologies

The Chair welcomed members to the meeting.

Apologies were noted.

No conflicts/declarations of interests raised.

2. Minutes from previous meeting

The group made verbal on the minutes from the previous meeting. The Chair agreed these would be updated and circulated as per members comments.

3. Document review: National data integration tenant (NDIT) DPIA, privacy notice and annex

NDIT is not a product in its own right; it provides a core capability, enabling the submission of identifiable data and non-identifiable data into NHS England from providers to support the development of products.

Opinion of the group

The Group welcomed the NDIT approach.

4. Healthcare operational data flows acute (HODF Acute) and healthcare operational data flows community (HODF Community) DPIA, privacy notice and annex

Product description and context

The HODF Acute and HODF Community products aim to create daily collections of patient data from acute care settings and community care settings respectively. They will pull data into NDIT from care providers.

A brief overview of the functionality of both products was provided to the group.

General opinion of the group

The group raised several queries which were clarified and resolved during the meeting. There were other questions raised which needed further clarification and further amendments to the DPIA.  

Further actions

  • Add a reference note explaining the relationship between the products and fast data flows.
  • Enlarge the data flow diagram to improve clarity and readability.
  • Provide additional detail on NIDCI, including a clear explanation of the recent name change.
  • Review the Legal Basis: Article 6(1)(e) is already referenced – consider also including Article 9(2)(h) where appropriate.
  • Clarify the risks associated with data leaving the system, including any mitigations.
  • Review Section 19 to ensure alignment with current FDP transparency information regarding national data opt‑outs, particularly where the policy may apply to specific collections.
  • Update the overarching FDP Privacy Notice and Governance Framework to incorporate NDIT.
  • Simplify the language used to describe Data Processors to improve accessibility and reduce ambiguity.
  • Provide clearer information on who will have access to data within NDIT, HODF Acute, and HODF Community products.
  • Strengthen the section on data subject rights, including how rights of access and objection are operationalised and evidenced.

All actions apply to NDIT, HODF Acute and HODF Community. Documents will be updated in response to advice and circulated for remote approval.

5. Document review: Getting It Right First Time (GIRFT) DPIA, privacy notice and annex

Product description and context

This product uses publicly available reports, relating to the GIRFT programme, in an AI tool.

Contributor email addresses and names may be used in the AI tool. However, the contributors are aware their names and email addresses are in these public reports.

Also, use of the Product will be restricted to GIRFT staff and FDP approved use cases.

General opinion of the group

The group had several queries which were clarified and resolved during the meeting. 

Based on the information presented, the group agreed that a full DPIA was not indicated.

Action

Undertake a screening questionnaire to determine if a DPIA is required.

6. Any other business

Privacy enhancing technology (PET)

Section 251 support has now been secured for use by local organisations. The group was informed that the associated privacy information will be updated, with a draft version to be circulated in the coming weeks.

Forward look

A list of DPIA screening questionnaires will be shared with the group next month.

7. Close

Date of next meeting: June 2025

Date published: 16 February, 2026
Date last updated: 16 February, 2026