The NHS is granting staff from companies including Palantir ‘unlimited access’ to identifiable patient data while working on its federated data platform (FDP), the Financial Times (FT) reported.
The change, outlined in an internal briefing note seen by the FT, relates to the National Data Integration Tenant (NDIT), described as a “safe haven for data” before it is “pseudonymised” and shared with other systems, the report said.
NHS England will create an “admin” role, granting Palantir staff “unlimited access” to the NDIT and identifiable patient data, the FT added.
As well as Palantir employees, this could include staff from consultancy firms who have been drafted in to work on the FDP. The change marks a clear shift from the current practice, which requires any individual working with the NDIT to apply for clear data access for specific data sets.
An NHS England spokesperson told Digital Health News: “The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance — including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients.
“Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.”
The briefing document, written by a senior NHS data official in April 2026, acknowledges that granting enhanced permissions could mean there is a “risk of loss of public confidence” when it comes to “safeguarding patient data and ensuring appropriate use and access to it”.
While broad access was originally intended only for NHSE employees with security clearance, the FT reported that the briefing noted that external workers had requested the same permissions “as it is too inconvenient to apply for all of the necessary individual CDAs”.
A Palantir spokesperson told the FT: “To the NHS, and all our customers, we are designated by law as a ‘data processor’, with our customers “data controllers”.
“That means that Palantir software can only be used to process data precisely in line with the instruction of the customer.
“Using the data for anything else would not only be illegal but technically impossible due to granular access controls overseen by the NHS.”
“This is not only about Palantir, hence we have referred to non-NHSE staff, but there is currently considerable public interest and concern about how much access to patient data Palantir/Palantir staff have,” the briefing states.
The note recommends that a cap be placed on the number of external admins with access to the NDIT, which should also be time-limited and regularly reviewed.
Saif Abed, founding partner of cybersecurity advisory services at The AbedGraham Group, told Digital Health News: “I fear lessons have not been learnt from the recent UK Biobank incident which itself is a national scandal.
“Granting admin access should never be done lightly and certainly not at scale. We are one admin compromise, such as with an Infostealer malware, or insider threat away from a data breach of unseen proportions in terms of UK patient data.”
US data analytics firm Palantir signed a £330m contract in 2023 to provide the FDP, which connects data across NHS organisations.
The company’s involvement has been highly controversial, with ethical concerns around its links to the US Immigration and Customs Enforcement (ICE), leading to the government admitting that it could consider alternatives to Palantir’s FDP when the contract reaches its break clause.
