A health minister has apologised to an independent data watchdog after NHS England provided incorrect information about the level of access the US technology firm Palantir has to patient data within the Federated Data Platform, a centralised NHS software system that has been the subject of sustained controversy since its procurement.

The minister, writing to the National Data Guardian, acknowledged that assurances previously given to the watchdog, that Palantir had no access to patient information held within the platform, were inaccurate. NHS England has since confirmed that the company does hold some degree of technical access to data within the system, albeit under contractual restrictions and with data pseudonymised in most operational contexts.

The Federated Data Platform was awarded to Palantir in a contract worth up to £330 million in 2023. The platform is designed to consolidate NHS data across trusts, enabling health organisations to coordinate care more effectively, reduce waiting lists, and manage workforce scheduling in near real time. Proponents argued it would bring operational coherence to a fragmented system. Critics, from the outset, raised concerns about placing sensitive health infrastructure in the hands of a company whose origins lie in defence and intelligence analytics work for agencies including the CIA and the US Department of Defense.

Those concerns fed a prolonged public debate about data commercialisation, corporate access to the health records of millions of patients, and whether the procurement process had been sufficiently transparent. Privacy advocates and some parliamentarians questioned whether the NHS was trading patient trust for operational efficiency.

Against that backdrop, the assurances given to the National Data Guardian carried particular weight. The watchdog exists specifically to oversee how health and social care data is used and protected, and representations made to it by NHS bodies are expected to be accurate. When NHS England told the Guardian that Palantir engineers had no visibility of patient information, it was understood to be providing a formal, verified account of the contractual and technical arrangements in place.

That account was incorrect. The firm does have a degree of technological closeness to the platform's data ecosystem that defies the categorical denial formerly supplied, even though the extent of the access seems to fall shy of Palantir workers being able to view identifiable patient information in a conventional sense. NHS England has not claimed the misstatement was deliberate, characterising it as an administrative error arising from internal miscommunication between teams responsible for contract oversight and those handling regulatory correspondence.

The minister's letter to the National Data Guardian expressed regret for the inaccuracy and stated that steps were being taken to audit the information previously provided to regulators. There is no current evidence that patient data has been misused or that any breach of the data-sharing terms has occurred. The error is one of misrepresentation to a regulator, not of confirmed data compromise.

The National Data Guardian acknowledged the apology and indicated that it would seek assurance that a comprehensive review of compliance information was conducted before any further representations were made. The watchdog is expected to request updated documentation setting out, precisely and technically, what access Palantir holds, under what conditions, and what audit trails exist to monitor that access.

Privacy and digital rights organisations have responded with considerable scepticism. Groups including medConfidential, which has monitored NHS data policy for more than a decade, argue that the episode confirms their longstanding position that the contractual safeguards around the FDP have never been subjected to sufficiently rigorous independent scrutiny. They have renewed calls for a full independent technical audit of the platform, conducted outside NHS England and Palantir's own reporting structures.

For NHS England, the immediate task is one of restoring credibility with oversight bodies whose function depends on receiving accurate information. The organisation has said it will implement a formal verification process for all future regulatory submissions relating to the FDP contract, requiring sign-off from both legal and technical leads before correspondence is sent to watchdogs.

The episode adds to a series of governance difficulties the NHS has faced in justifying its handling of large-scale commercial data partnerships, and will intensify parliamentary scrutiny of the FDP programme in the months ahead.