F

NHS App

Fail
NHS Digital · 🇬🇧 United Kingdom
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: NHS App
Manufacturer: NHS Digital

⚠️ The bottom line

55 million patients' GP records — mental health, sexual health, substance abuse, everything — planned for extraction into a database accessible to pharmaceutical companies and researchers. Opt-out only, and most people had never heard of it. The backlash delayed it three times. Your doctor's notes, available to companies, unless you specifically said no to a scheme you probably never knew existed. The NHS gave Palantir — the company that helped ICE track immigrants and built predictive policing systems — a £330 million contract to handle patient data for 55 million Britons. Fast-tracked, minimal public consultation. The company that helps deport people now holds the health records of an entire nation. Your GP notes, in the hands of a US intelligence contractor.

Legal jurisdiction
🇬🇧 United Kingdom (headquarters)
Investigatory Powers Act
Govt can bulk-intercept internet traffic and force companies to remove encryption
Online Safety Act
Ofcom can require scanning of private messages for illegal content
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 2/4 MODERATE (Who gets my data?)
Security: 0/4 N/A (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
4 Contradictions
2 Critical
2 High
0 Medium
4 Sources
Findings by concern
Spying 3/4 HIGH 1 finding
⚠️ critical · privacy policy vs regulatory
55 million patients' GP records — mental health, sexual health, substance abuse, everything — planned for extraction into a database accessible to pharmaceutical companies and researchers. Opt-out only, and most people had never heard of it. The backlash delayed it three times. Your doctor's notes, available to companies, unless you specifically said no to a scheme you probably never knew existed.

What they claim: NHS App privacy policy states health data is used to provide direct care and improve NHS services

What we found: NHS Digital planned to extract GP records for 55 million patients into a centralised database (GPDPR) accessible to researchers, pharmaceutical companies, and third parties. After public outcry and media coverage, the scheme was delayed repeatedly. Patients had to actively opt out or their entire medical history — including mental health, sexual health, and substance abuse records — would be shared.

Data Sharing 2/4 MODERATE 2 findings
⚡ high · marketing vs regulatory
The NHS App was for booking GP appointments. Then overnight it became a passport — required to enter nightclubs, football matches, and leave the country. The government said the COVID Pass would be temporary. The infrastructure is still there. A health app became an access control system for daily life, and nobody voted for it.

What they claim: NHS App was promoted as a healthcare management tool for booking appointments and viewing records

What we found: During COVID-19, the NHS App was repurposed as a vaccine passport (COVID Pass) required for large events, nightclubs, and travel. The app transformed from a voluntary health tool into a mandatory access control system. Privacy campaigners warned this created infrastructure for a permanent digital ID system. The government denied this but the COVID Pass infrastructure remained operational after restrictions ended.

⚡ high · privacy policy vs third party research
To see your own GP records, the NHS App shares data with Experian — a credit reference agency. Adobe Analytics tracks which health services you browse. You wanted to check your blood test results. Adobe and Experian learned you did. The NHS is supposed to be free at the point of use. Your data is the hidden cost.

What they claim: NHS App states it follows strict data protection standards under UK GDPR

What we found: Privacy researchers found the NHS App integrated Adobe Analytics, which transmitted usage patterns — including which health services users browsed — to Adobe's servers. The NHS login system also used third-party identity verification (involving Experian credit data), meaning accessing your GP records required sharing data with a credit reference agency.

Honesty 3/4 HIGH 1 finding
⚠️ critical · privacy policy vs regulatory
The NHS gave Palantir — the company that helped ICE track immigrants and built predictive policing systems — a £330 million contract to handle patient data for 55 million Britons. Fast-tracked, minimal public consultation. The company that helps deport people now holds the health records of an entire nation. Your GP notes, in the hands of a US intelligence contractor.

What they claim: NHS describes health data as protected under NHS data governance frameworks

What we found: NHS England awarded Palantir a £330 million contract to build the Federated Data Platform, giving the controversial US intelligence contractor access to NHS patient data at an unprecedented scale. openDemocracy revealed the contract was fast-tracked without adequate public consultation. Palantir's history includes work with US intelligence agencies, ICE immigration enforcement, and predictive policing.

Sources