🎧 Prefer to listen? Audio version below — approximately 5 minutes.
Last week, a journalist was shown impressive software running on synthetic data. Applications built on a powerful analytics platform, aggregating databases that would otherwise sit in silos, making complex clinical pathways manageable. The demonstration was polished. The technology was clearly capable. Nobody in the room asked the obvious question.
Synthetic data is not patient data. The demo environment is not the production environment. And the production environment is processing the medical records of tens of millions of people.
That is not a capabilities question. That is an Article 35 question.
Under UK GDPR, a Data Protection Impact Assessment is not optional when processing is likely to result in high risk to individuals. The criteria are unambiguous: large scale processing of special category data, systematic processing, processing that significantly affects individuals. Any one of these triggers the obligation. NHS patient records satisfy all three simultaneously.
A DPIA is not a formality. It is a structured accountability mechanism. It must identify the specific risks of the processing, not the capabilities of the platform. It must address the cross-border sub-processor chain -- where data travels, under what legal frameworks, subject to what foreign jurisdiction. It must assess residual risks that cannot be contracted away. It must establish audit rights over the systems through which the data is transformed and interpreted.
It must be done before processing begins at scale. Not after 120 trusts are live.
There are questions sitting unanswered in the public record. Was a DPIA completed prior to go-live? Was it published? Did the ICO review it? As the contract scope expanded, was the DPIA reviewed and updated? Who signed off on the residual risks?
One detail from the weekend’s coverage is instructive. Critics describe the platform’s core data dictionary -- the semantic layer that determines what the data actually means -- as opaque. If the ontology is opaque, the transformation logic is opaque. If the transformation logic is opaque, meaningful audit is impossible. A DPIA that cannot account for what happens to data inside the system it assesses is a contradiction in terms.
There is a further question the capabilities conversation consistently displaces. Tens of thousands of patients have been removed from waiting lists through a process described, in the platform’s own terminology, as “patient-led validation.” That is a processing activity. It has direct legal consequences for identifiable individuals. It should be in scope.
This is not an argument about whether the technology works. By most accounts it does. It is not an argument about whether the NHS needed better data infrastructure. It plainly did.
It is a much simpler question. Special category health data belonging to tens of millions of people is being processed at scale by a US-headquartered company, on infrastructure subject to foreign jurisdiction, through a semantic layer that independent experts describe as opaque.
The regulation requires a published, reviewable accountability mechanism before that processing begins.
Where is it?
The NHS is not alone in asking innovators to demonstrate capability before governance catches up. Closer to home, sixteen health-tech vendors are right now working inside Manx Care infrastructure as part of the 2026 Innovation Challenge. The Isle of Man already has robust data protection legislation -- the Data Protection Act 2018 mirrors the UK GDPR framework. What is missing is the specific governance architecture for this initiative, which has not yet received Royal Assent. Every one of the sixteen finalists runs on AWS, Azure, or GCP. Every one is therefore subject to US jurisdiction under the CLOUD Act and FISA 702. Same special category data. Same missing DPIA. Same question.
We covered the detail in May: The Missing Clutch.
Editor's note, 17 May 2026: A reader correctly pointed out that NHS England has published a redacted overarching DPIA for the FDP programme, v3.0, dated August 2025, along with a suite of product-level DPIAs. Article 35 does not mandate publication -- the ICO encourages it as good practice. The questions this piece raises are about adequacy, timing, and whether the specific residual risks -- CLOUD Act exposure, sub-processor chain, ontology opacity -- are addressed. The IoM Innovation Challenge question remains entirely open: no equivalent document has been published for that programme.
The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy -- with a particular focus on Isle of Man jurisdiction and Crown Dependency issues.
Payments via PayPal. Credentials delivered by email. No Substack. No Stripe. No middlemen.
