June 19, 2026

No Surprises: The Caldicott Principles and the Gap NHS England Admitted on 15 June

The topo said NHS staff only. The rock said Palantir engineers, around the clock. On 15 June 2026, NHS England admitted its Data Protection Impact Assessment was wrong about who accesses identifiable patient data. This is not a typo. When your safety is built on a promise and the promise turns out to be false, you have not found a small inaccuracy. You have found that the thing your confidence was clipped into was wrong. Fabrizio reads the gap through all eight Caldicott Principles and finds it fails four of them directly. He also sets out the real exposure: Palantir now holds every anchor on the state's route: health records, defence, borders, policing, and financial crime. One vendor, one platform, one single point of failure, all queryable by US law. Dr Nicola Byrne was right to ask. The repair is not finished.


In support of the National Data Guardian’s intervention on the Federated Data Platform

Before you commit to a route, you read the topo. The guidebook tells you where the protection is, how exposed the crux will feel, where the belays are. You trust it, because the whole point of beta is that you plan your safety around it before you leave the ground. The day the rock doesn’t match the page, when the pitch marked “well protected” turns out to be a runout slab, you haven’t found a small inaccuracy. You’ve found that the thing your safety was built on was wrong.

A Data Protection Impact Assessment is the NHS’s topo for our most confidential information. It tells the public, and the regulator, where the protection is. On 15 June 2026, in its formal response to the National Data Guardian, NHS England admitted that the topo for one of its most exposed pitches did not match the rock.

This is not a piece about whether the Federated Data Platform earns its keep. It is about the distance between what an assurance said and what NHS England has now conceded was true, and about why that distance is a Caldicott problem rather than a presentational one. The eight Caldicott Principles give us the precise vocabulary for it. Dr Nicola Byrne read the page against the rock, which is exactly what a good guardian, and a good climbing partner, is for.

The promise, and the admission

The National Data Integration Tenant (NDIT) is the part of the platform where identifiable patient data is collected and prepared before it is de-identified. It holds a small set of collections that NHS England needs in identifiable form (virtual wards, cancer waiting times), which makes it the most exposed point in the whole pipeline. The crux.

The published DPIA for that environment stated that access to directly identifiable patient information within the NDIT would be limited to NHS England staff. That sentence was the protection bolt. It was the assurance the National Data Guardian, the Information Commissioner’s Office and the public were entitled to clip into.

On 15 June, NHS England acknowledged the DPIA “contained an error” in how it described supplier access, and apologised for the confusion. The corrected picture is this: three engineers employed by Palantir hold administrative-level access to the NDIT, around the clock, every day of the year, managing platform-wide settings, security and configuration. As of that date, a further 33 engineers from a range of suppliers held more limited, project-specific access. And within the NDIT, NHS England now confirms, engineers operating under its instruction could access identifiable patient data, though it says such data is not routinely accessed.

So the assurance was categorical: NHS England staff only. The reality was a standing, supplier-held capability over an identifiable-data environment. And it reached the public not because NHS England disclosed it, but because the Not With My NHS Data campaign and the press surfaced it, confirmed only once the regulator asked the question.

Why this is a Caldicott failure, principle by principle

Principle 6, comply with the law. The topo is load-bearing. Under UK GDPR, a DPIA is the instrument by which an organisation demonstrates, before high-risk processing begins, that it has identified the risks and the people exposed to them. Its accuracy is what makes the lawful basis legible to anyone outside the organisation. A DPIA that misstates who can reach identifiable data is not a typo to be patched with a later footnote; it is a defect in the evidence of lawfulness itself. A topo that is only accurate after someone has fallen is not protection. The sixth principle is not satisfied by a document that became true only once it was challenged.

Principle 1, justify the purpose. Every belay was clipped to the same page. The first principle requires every use of confidential information to be defined, scrutinised, documented and reviewed by an appropriate guardian. The DPIA is where that justification lives. If the description of who accesses identifiable data was wrong at source, then every downstream assurance built on top of it inherits the error. You cannot scrutinise a hazard you have been told does not exist.

Principle 4, strict need-to-know. Trust is not a brake hand. This is the principle the admission most directly offends, and the defence concedes it rather than answering it. To say identifiable data “is not routinely accessed” describes behaviour. Principle 4 governs permission. Administrative-level access, held continuously, is a standing capability over identifiable records however rarely it is used. “Could access but generally doesn’t” is climbing with a belayer who has promised to pay attention, rather than one whose brake hand is locked off. In the mountains you do not protect yourself with good intentions; you protect yourself by removing the capability to fall far. A capability you must trust not to be used is not need-to-know access. It is access.

Principle 8, no surprises. In the mountains, surprises are the thing you train to eliminate. The eighth principle was added in the 2020 review for one reason: no surprises for patients about how their confidential information is handled. Everything in mountain safety is the same instinct: the avalanche bulletin, the forecast, the topo, the knot check before you both commit. You earn the right to leave the ground by removing surprises one at a time. The eighth principle is that discipline written into law, and its test is not what the organisation intended but what the patient would reasonably have expected. Here the gap was not disclosed; it was discovered, an unmarked crevasse found by stepping into it. By the principle’s own standard, a use that has to be uncovered is precisely the surprise the principle exists to prevent.

Principles 5 and 7 sit quietly behind all of this. You cannot brief your party on a hazard you have not mapped (the fifth). And confidentiality was never the obstacle to good care; it is the rope that makes the climbing possible at all (the seventh).

One vendor, every anchor, one bolt

The topo problem sharpens when you notice who is holding the other end of the rope, and how much else they are holding. Palantir is not only in the NHS. Foundry, the platform underneath the FDP, runs across the British state. The Nerve’s January 2026 investigation found at least 34 past and present Palantir contracts spanning at least ten government departments. The Ministry of Defence signed a £240.6m enterprise agreement in December 2025, awarded without competitive tender and confirmed on the government’s own procurement portal. Add the Cabinet Office, the Home Office, DEFRA, Highways England, police forces, and, from March 2026, the Financial Conduct Authority. The strategy has a name its own people use: land and expand. The NHS in 2020, policing in 2024, the military in 2025, financial services in 2026, one vendor and one platform laid across health, defence, borders, policing and financial-crime data.

In climbing terms, that is every anchor on the route clipped into a single bolt. The first rule of building an anchor is redundancy: never trust one point, because one point is one failure away from the ground. Concentrating a nation’s most sensitive datasets on a single foreign-controlled platform is a single point of failure with no backup, and it is being built deliberately, pitch by pitch, while everyone admires the view.

Why the architecture is a strategic asset, and why that is the real exposure

The point does not stay where the data physically sits. Palantir’s UK arm is a subsidiary of a US-headquartered company with deep roots in American defence and intelligence, seeded in its early days by the CIA’s venture fund. Under US law (the CLOUD Act and FISA Section 702), US authorities can in principle compel a US-controlled provider to hand over data regardless of where the servers stand, and can attach a gag order that forbids the provider from saying so. A coalition of NHS clinicians has warned in an open letter that those obligations could reach FDP data. Take that legal capability and lay it across the full footprint (health records, defence operations, border flows, policing, financial crime) and you are no longer describing a procurement. You are describing a single, queryable picture of how a country runs, held by a company answerable, in the last resort, to another government’s law.

From a US national-security standpoint, that is not a liability to be managed. It is a strategic asset. An internal Swiss Army report is understood to have raised exactly this fear, that Palantir might pass confidential data to US agencies, which Palantir denies. But the denial, and the question of whether any disclosure ever actually happens, miss the structural point. The architecture creates the capability. And capability, as the fourth Caldicott Principle keeps reminding us, is the thing that counts. You do not reassure a climbing partner by promising the loose flake probably won’t pull. You build an anchor that does not depend on the promise.

Why this supports the National Data Guardian

The system did work here, but only because Dr Nicola Byrne asked. She is the experienced second at the base of the route who checks the knot and the harness before anyone commits to the wall. Her intervention is the mechanism functioning exactly as designed: an independent statutory guardian noticing that a published assurance did not match practice, and requiring an answer.

The right response to that is not to treat her concern as closed by an apology and a corrected document. When your partner finds your knot half-tied, you do not say “noted.” You retie it, and then you check the whole system, because if the knot was wrong you no longer trust the rest by default. The correction is not an embarrassment to move past; it is the proof that the question was necessary.

The standard the Caldicott Principles set is not “accurate once a regulator forces the issue.” It is “accurate because patients were promised it would be.” NHS England has corrected the DPIA, updated the privacy notice and says it is reviewing supplier access. Those are the right first moves on the rock. They are not, on their own, restoration. Restoration means the burden now sits with NHS England, not with the National Data Guardian, to rebuild the assurance to the standard, and it means the corrected DPIA, the access review, the still-redacted contract, the cross-government footprint and the jurisdiction question are all tested by someone independent, not self-certified by the party that got the topo wrong the first time.

The throughline is the eighth principle and the oldest rule in the mountains. The promise was no surprises. The admission was a surprise. You earn the right to commit by removing surprises one at a time before you leave the ground, and the repair is not finished when the page is fixed. It is finished when patients can trust what they are told without a campaign having to climb up and check the rock for them.

Fab


Primary and corroborating sources: NHS England, “Response to the National Data Guardian’s request for clarification” (15 June 2026); National Data Guardian statement on the NHS Federated Data Platform in response to the Not With My NHS Data campaign (3 June 2026); the National Data Guardian’s eight Caldicott Principles (revised 2020); UK find-a-tender notice for the MoD Palantir Enterprise Agreement, £240.6m (17 December 2025); The Nerve, The Lowdown and Medact briefings on Palantir’s UK public-sector contracts (January to March 2026); Hansard, Ministry of Defence: Palantir Contracts debate (10 February 2026).
