Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·Breaking · National Data Guardian confirms she was NOT told contractors had access · NDG has written to NHS England · Keep the pressure on ·
Not With My NHS Data
DonateSend my letters now
···people supported to take action
···letters generated
Open Letter Signatures···
This issue is part of a wider challenge with the NHS. Read more in my book Hard Reset — How to build an NHS that isn't a patch on the old one

A citizens' tool · UK · 2026

Palantir and its consultancy friends now have access to your identifiable NHS records.

They didn't ask. You didn't agree. It's really risky. Let's fix that.

Breaking · 3 June 2026

It worked.

The National Data Guardian has issued a public statement in response to the Not With My NHS Data campaign. Dr Nicola Byrne confirms the Data Protection Impact Assessment she reviewed said access to identifiable patient data in the NDIT would be limited to NHS staff — and that her office was not told external contractors had been granted access. She has now written to NHS England demanding clarification.

This is exactly what thousands of letters were for. It's not over — NHS England still has to answer, the law still has to change, and the opt-out still doesn't exist. Keep writing.

Read the NDG statement Send my 5 letters

Open letter

But we still have questions.

The opt-out question is not closed. The NDG's statement said the national data opt-out doesn't apply to the FDP because the platform "is currently used solely to support care delivery", citing the Caldicott Principles. But the Caldicott Principles govern how data is handled, not which uses count as direct care — that line is set by the National Data Opt-Out Directions.

Two of the five FDP use cases — population health management and supply chain management — look on their face like secondary uses, not direct care. If they are, the opt-out should apply. We've written an open letter asking the NDG to address this.

people have signed so far

Read & sign the open letter

What's actually happening

A quiet handover of the nation's medical history.

The headline product — NHS England's Federated Data Platform (FDP) — is mostly pseudonymised. That's the part NHS England points to when it answers questions in public. The problem sits one layer underneath, in the National Data Integration Tenant (NDIT): the area where trusts, ICBs and other NHS bodies hand over the raw national data submissions in fully identifiable form, before any pseudonymisation happens.

According to a leaked internal briefing, staff from Palantir and other external contractors hired onto the FDP programme have been granted broad access to that identifiable data inside the NDIT — names, NHS numbers, dates of birth, addresses, conditions — in order to build and run the platform. You were never asked. There was no public vote, no opt-in. The National Data Opt-Out doesn't apply here.

That is a serious risk. Identifiable records held by private contractors can be re-linked, mishandled, or potentially subject to legal regimes our Parliament doesn't control, including US law. Medical confidentiality is the foundation of trust between patient and clinician — once it goes, it doesn't come back.

This is the moment to push back. Not with a tweet — with a letter that the ICO and NHS England are legally required to respond to, and that your MP cannot ignore. It takes two minutes. Thousands of us doing it together is what changes the calculation.

Add my name

What gets sent

  1. 01

    Letter to your MP

    Demands a statutory NDIT opt-out and a parliamentary answer.

  2. 02

    Article 21 objection to NHS England

    Formal UK GDPR objection sent to england.dpo@nhs.net.

  3. 03

    Secretary of State for Health

    The FDP runs under a Secretary of State direction. Demands a public statement of the lawful basis.

  4. 04

    Health Select Committee

    Asks Parliament's scrutiny committee to take evidence on contractor access to identifiable records.

  5. 05

    NHS England FDP team

    Direct request to the programme team for transparency and exclusion pending a statutory opt-out.

Step one

Three details.
That's it.

Your name, address and postcode are used only to write the letters and to find your MP. We store a single anonymous count of letters sent — no name, no address, no email — so we can show momentum.

Letters open in your email client. Nothing is sent on your behalf without you pressing send.

By continuing you confirm the details are your own. We do not store them.

Why this matters

The opt-out doesn't cover this.

The National Data Opt-Out only stops your data being used for research and planning. NHS England classifies the NDIT as supporting direct care, so the standard opt-out doesn't apply. Identifiable patient data is sitting in a centralised platform, accessible to staff at private contractors, before any pseudonymisation happens.

You cannot legally compel them to delete you. You can file an Article 21 objection, force a written response, file an ICO complaint that tests their legal basis, and put your MP on the record. Do all three at once and you create a paper trail that journalists, regulators and Parliament can be pointed at.

Sources: nhs.uk · ico.org.uk · members-api.parliament.uk · medConfidential