
Has NHSE handed Palantir "unlimited access" to patient data?

  • Writer: Tom Bartlett
  • 16 hours ago

Updated: 8 hours ago

Tom Bartlett, Founder, Bartlett Data Ltd 


The Financial Times reported this week that NHS England has granted Palantir contractors "unlimited access" to patient data. The story has since been picked up by Reuters and run globally. These headlines have fed social media outrage and given MPs more fodder for their campaigns against the NHS's Federated Data Platform. Staff inside NHSE who are working hard to deliver this platform will be dismayed at the reporting.


The headline is alarming: “NHS to grant Palantir contractors ‘unlimited access’ to patient data”. The Guardian picked it up, spoke to MPs and campaign groups and now their headline is “Palantir’s access to identifiable NHS England patient data is ‘dangerous’, MPs say”. But the reality is more mundane, and I can say that with some authority: the NHSE engineering team I led built the National Data Integration Tenant (NDIT), and I sat on the leadership group overseeing its development. I know how it works.


Reading these headlines, one might think that Palantir engineers can now see everyone's full patient record. This is completely false.



What NDIT actually is


The NDIT is a staging environment. Aspirationally, it is the place where data from all NHS Trusts is brought together, cleaned, integrated, and pseudonymised before being moved to other parts of the Federated Data Platform. It is not a patient record system, nor an analytical system. Nobody logs into NDIT to look up a patient or view a report. The data is not held in a readily analysable form and analytical tools have not been configured on it. Access is closely monitored and staff actions are audited. The specialised Palantir technology for making data available to FDP apps is not in use there. It is just plumbing.


Figure 1: diagram of NDIT in context - source: public NDIT DPIA July 25


At the time I left NHSE in March, NDIT housed only one or two minor data streams such as Faster Data Flows and the Virtual Wards Minimum Data Set. The volume and sensitivity of data flowing through it was minimal. The next candidates for plumbing in were the Diagnostic Imaging Data Set and the Lung Cancer Screening Dataset, both small and mundane data flows. The breathless reporting of "unlimited access to patient data" does not match the reality of what NDIT is.


When it becomes more mature, more national datasets will be processed on NDIT through data pipelines and the amount of data will increase. However, the system is not geared towards querying it. None of the data enrichment or platform capabilities that would allow any sort of analysis is applied within NDIT. Having admin access to this environment is not the same as being able to browse or analyse patient records. It is like having the keys to a warehouse where the goods are still in sealed, unlabelled boxes.


The majority of the work engineers did when I was at NHS England was to configure the platform, for example, connecting it to other capabilities within the NHSE data estate such as the Message Exchange for Social Care and Health (MESH). Many work tickets did not involve any need to look at clear patient data at all. Where they did, such as in an ongoing migration of pipelines from legacy platforms to NDIT, engineers built reams of test data with which to build the pipelines. Most of them had years of experience handling data sensitively and safely, many having lived through failed projects such as care.data and GPDPR, which had given them a solid understanding of the sensitivities around clear data.



Why the access model changed


Are there cases when engineers need to see the clear data? Sometimes there are. You cannot build, test, configure, and deploy a national data integration platform without seeing the data that flows through it. That is true of every data system in every industry. The question has never been whether engineers have access. It is how that access is governed.


When starting a new project, engineers apply for individual access to each specific dataset they need to work with through a Clear Data Access agreement (CDA). Each application requires sign-off from an information asset owner who might be off sick, on holiday, busy, or about to be made redundant. On paper it sounds rigorous, but at scale it is costly and wasteful and does not respect the taxpayer or the patient.


The admin role reported in the FT is not a wholesale replacement of the CDA process. It appears to be a workaround for one specific situation: the fact that all data will eventually be integrated in a single instance of FDP within NDIT, making it impractical to apply the old case-by-case access model to an environment where the data is by definition combined. That is a practical engineering reality, not a cavalier attitude to patient data.


The non-NHSE engineers working on NDIT were invited in as data processors. NHSE, the data controller, asked them to help deploy the system. When that happens the priority is to get staff building, not wading through weeks of archaic paperwork that predates the security architecture of the platform they are hired to deliver. These are security-vetted professionals, approved at director level, contractually bound to work only as the NHS directs. As the FT article itself states, it is not possible to deviate from NHSE instructions and misuse data because "it would not only be illegal but technically impossible due to granular access controls overseen by the NHS."


There is a broader context that the coverage missed entirely. NHS England is being reduced by 50%. The organisation is losing thousands of staff, including engineers who build and maintain the platform. External contractors with security clearance and contractual obligations are filling the gaps. This is not unique to FDP or to Palantir; it is the reality of UK national infrastructure delivery. When I worked at NHS Digital, before it was merged into NHSE, the director of one of the key platform teams was a contractor. Nobody wrote news articles about that, because that is how the public sector operates. There are thousands of contractors on the government's own Public Sector Resourcing framework alone, working across the UK government at any one time, including in the most sensitive national security roles. What is unusual is not the NHS relying on contractors for specialist delivery work. What is unusual is the level of scrutiny applied to this particular programme because of the politics around the supplier.



Why the reaction is disproportionate


The internal briefing note describes a "risk of loss of public confidence." That is a perception risk, not a data security risk. Nobody has accessed data inappropriately. No data has been lost or compromised. 


The people who wrote that briefing are conditioned by care.data and GPDPR. But these projects did not fail because the public rejected them. They failed because politicians abandoned a technically sound programme the moment the pressure became uncomfortable. The lesson the NHS took from care.data was to be cautious about perception. The lesson it should have taken was to be bolder about making the case. The same pattern is playing out now with FDP: vested interests are using trust as a weapon to stop progress in the NHS, whilst NHSE holds back on communicating effectively.


Laura Hughes at the FT broke the story in a reasonably balanced article, with NHSE stating the substance of their case clearly. The balance came from Martin Wrigley, the MP who led the recent Westminster Hall debate, whose remarks were disparaging and vacuous. Rob Booth at the Guardian went further, sourcing quotes from MPs including Rachael Maskell, who reached for emotive language ("dangerous", "claws") and made baseless claims of "opening [NHS Data] up to greater private interest." He quotes Foxglove: "once again Palantir fails the trust test." Both articles sought balance by quoting FDP opponents whose remarks contained no substance, only emotion.


This is a pattern I have watched for years, and it needs to be called out. Journalists surface a governance detail. They seek quotes not from engineers, clinicians, or data professionals who can contextualise it, but from campaigners and politicians who will dramatise it. The quotes get the headline. The headline gets the clicks. MPs cite the headline in Parliament. Patients read the headline and are frightened. The consequences are real: more sign-ups to the national data opt-out, more hesitancy from Trust Boards, more drag on health tech innovation. It is worth noting that the national data opt-out prevents data flowing to researchers, the people trying to cure diseases and improve treatments, but does not prevent data flowing into FDP. The people opting out in response to these headlines are not protecting themselves from the thing they are worried about. They are cutting off the researchers. Newspapers make money. Patients take the hit.


If NHSE has got the governance wrong on this particular point, it can change course. The admin role can be reviewed, capped, time-limited, or revoked. That is a governance fix. It is not a reason to cancel a £330m national programme and send 137 Trusts back to spreadsheets and whiteboards. The campaigners and MPs using this story to argue for triggering the break clause are not proposing a proportionate response to a governance question. They are using it as ammunition in a campaign that predates this story and would continue regardless of whether the access issue was resolved tomorrow.



What this debate needs


The real question this story raises is not about Palantir's access to data. It is about whether the NHS can modernise its data governance at the same pace it is modernising its data infrastructure. The CDA framework is not fit for purpose. The people inside NHSE are working to fix that under enormous pressure, with a shrinking workforce, in a political environment where every operational decision gets turned into a scare story.


What the debate needs, and what patients deserve, is adult scrutiny: journalists who contextualise as well as dramatise, MPs who interrogate proportionately and help shape real solutions rather than perform outrage, and campaigners who propose alternatives rather than simply obstruct. The classroom dynamic, where one group points out the studious and productive kid - in this case the NHS staff heroically building FDP - so the bully boys can take a swipe, is not scrutiny. It is not holding power to account. It is ritual, and it is hurting patients.


The people building this platform deserve better. More importantly, the patients who will benefit from it deserve better.



 
 
 

© 2026 Bartlett Data Ltd.
