National Data Guardian seeks clarification over non-NHS FDP data access reports

The National Data Guardian (NDG), Dr Nicola Byrne, has issued a statement responding to public concerns raised via the Not With My NHS Data campaign regarding external contractors accessing identifiable patient information. The correspondence followed media reports and subsequent confirmation from the NHS Federated Data Platform (FDP) team that some external contractor staff have access to identifiable patient data within the National Data Integration Tenant (NDIT) environment.

Dr Byrne noted that such access would directly contradict the DPIA previously reviewed by her office and the Information Commissioner's Office (ICO), which stated access would be restricted strictly to NHS staff with a legitimate need. Dr Byrne was unaware of this change and has written to the programme seeking clarification on the inconsistency.

The statement also clarified the rules regarding patient consent and data opt-outs. Dr Byrne stressed that in the NHS, data sharing for direct care delivery does not require explicit consent each time. While a national data opt-out exists, it applies only to secondary purposes such as research and planning. Because the FDP is currently used to support direct care delivery, the national data opt-out does not apply at this time.

Training announcement: Freevacy provides comprehensive training for new and existing practitioners on the changes introduced by the DUA Act to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations 2003 (PEC-Regulations). Our courses are always up to date and provide a forum for learning and discussing how to ensure your data protection processes remain compliant. Find out more.