Greater Manchester ICB Reaffirms Decision to Reject NHS Federated Data Platform

Regulatory action

The NHS Federated Data Platform (FDP) was created under a £330 million procurement awarded to Palantir in November 2023. The contract runs for seven years and gives Palantir direct access to patient‑level data across England. Under the UK Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) as retained in UK law, any processor must demonstrate a lawful basis for processing, implement appropriate technical and organisational safeguards, and provide transparent information to data subjects.

What it requires

1. Lawful processing justification – Palantir must rely on either public task or legitimate interests, and must document the assessment that the public interest outweighs the privacy risk.
2. Data subject rights – patients retain the right to access, rectify, and erase their data. The FDP must include mechanisms for rapid response to such requests.
3. Security controls – encryption at rest and in transit, strict access‑control logs, and regular independent penetration testing are mandatory under the NHS Data Security and Protection Toolkit.
4. Governance and oversight – a clear contractual clause must require Palantir to submit audit reports to NHS England and to the relevant Integrated Care Board (ICB) on a quarterly basis.
5. Transparency – the ICB must publish a summary of the data sharing arrangement, the categories of data involved, and the purposes for which the data will be used.

Compliance timeline for the FDP

Milestone	Deadline	Required action
Initial Data Protection Impact Assessment (DPIA)	30 June 2024	Palantir and NHS England must complete a DPIA covering all processing activities and submit it to the Information Commissioner’s Office (ICO).
Publication of Transparency Notice	31 July 2024	The ICB must publish a concise notice on its website explaining the FDP, the role of Palantir, and patient rights.
Security Certification	31 December 2024	Palantir must obtain ISO/IEC 27001 certification and provide evidence of compliance with the NHS Data Security and Protection Toolkit.
Quarterly Audit Reports	Every 3 months starting 31 March 2025	Palantir must deliver audit logs, breach notifications, and DPIA updates to NHS England and the ICB.
Review of Contractual Break Clause	30 June 2025	NHS England and the Department of Health must assess whether the break clause can be triggered if Palantir fails to meet the above obligations.

Greater Manchester’s position

The Greater Manchester Integrated Care Board (ICB) manages health services for 2.8 million residents. In May 2025 the board recorded that NHS England had not provided satisfactory responses to the ICB’s risk concerns, particularly around:

• Third‑party access – Palantir staff would be able to view patient records, raising questions under the Data Protection Act.
• Ownership of outputs – The ICB highlighted that the contract does not grant it ownership of any analytical models or software developed on NHS data.
• Evidence of benefit – Independent evaluations of the FDP’s impact on elective‑care backlogs remain unpublished.

The ICB previously deferred its decision in 2024, stating that its own analytics capability exceeded what the FDP currently offers. A Freedom‑of‑Information request in early 2026 confirmed that the planned review paper has not been produced because public concerns have intensified rather than receded.

Why this matters for compliance officers

1. Risk of non‑compliance – Joining a platform that does not meet the DPIA or security certification requirements exposes an ICB to ICO enforcement action, including fines up to £17.5 million.
2. Contractual leverage – The break‑clause discussion signals that NHS England may be willing to renegotiate or terminate the Palantir agreement if compliance thresholds are not met.
3. Local capability – Greater Manchester’s claim of superior analytics suggests that ICBs can develop in‑house solutions that remain fully under NHS governance, avoiding the need to share data with an external US‑based processor.

Next steps for other ICBs

• Conduct an independent DPIA for any planned participation in the FDP.
• Verify that the vendor’s security certifications are current and that audit logs are accessible.
• Negotiate contract terms that secure data‑subject rights, ownership of derived models, and a clear exit strategy.
• Monitor the outcome of the break‑clause review, as it may set a precedent for future procurement.

For further details on the NHS Federated Data Platform and the Palantir contract, see the official NHS England announcement here and the ICO guidance on data‑processing agreements here.