NHS Health Bill 2026: AI, Patient Data and the Risks the Government Hasn't Answered

Written by Craig Pepper | Jun 3, 2026 7:15:00 AM

Buried in the Health Bill's explanatory notes is a sentence that hasn't got nearly enough attention.

The Single Patient Record, it says, will, like other NHS data, "have the potential to be approved for sharing with public and private researchers."

That's a big deal. The government isn't just building a centralised patient record. It's signalling that it intends for that record to become a research and AI asset. And if you work anywhere near health AI, the implications are enormous in both directions.

The opportunity is genuinely exciting

To understand why, you have to start with the problem the SPR is trying to solve.

Right now, NHS data seems to be a mess. A patient's GP record lives in one system. Their hospital history is in another. Mental health notes somewhere else. Social care records, if you can get them at all, are in yet another silo. Nobody has the full picture. Clinicians make decisions with incomplete information.

This isn't just a clinical problem. It makes meaningful health AI almost impossible. A diagnostic model trained on incomplete data doesn't just underperform; it can actively mislead. A population health algorithm built on a partial view of a community will miss the people who most need intervention.

The SPR, done properly, changes all of that. A longitudinal, whole-population record that follows a patient across every care setting would be an extraordinary foundation for AI. Predictive diagnostics that flag deterioration before it becomes an emergency. Population health tools that can actually see the link between deprivation, housing and long-term disease. Early intervention systems that catch people falling through the gaps before it's too late.

None of this is theoretical. Teams across the NHS are already attempting versions of it with the fragmented data they have. The SPR would make it work properly.

But the bill skips over the hard questions

Here's where it gets complicated.

Before we even get to new AI applications, there's an existing AI question the bill completely ignores: the Federated Data Platform.

The FDP, built by a Palantir-led consortium and now live across all NHS trusts, is already using AI to bring together patient data from separate systems. It's also the most politically toxic technology contract in the NHS right now. MPs have called Palantir's access to identifiable patient data "dangerous." ¹ The Times reported in March that ministers were considering scrapping the contract altogether. ² A Guardian investigation raised serious questions about re-identification risk from data the contract treats as anonymised. ³

Now the Health Bill is building a Single Patient Record to sit alongside it and doesn't mention the FDP once. Peers in the Lords flagged this directly on 20 May: the bill "lacks clarity" on how the SPR and the FDP will interact. ⁴ That's putting it mildly.

If you're deploying AI on NHS data today, as a supplier, a trust, or a commissioner, you need to know where your data sits, how it touches the FDP, and what changes when the SPR arrives. Right now, the bill doesn't help you answer any of those questions.

The risks nobody is talking about

Re-identification is probably the most underappreciated risk here. Health data is notoriously hard to truly anonymise. Researchers have shown repeatedly that combining just a handful of data points (age, postcode, a rare condition, a treatment date) can be enough to identify an individual from a dataset that looks anonymous on the surface.

The SPR will be the richest health dataset ever assembled for each patient in England. When that data gets shared with researchers in "anonymised" form, the re-identification risk doesn't disappear. It gets bigger. The bill says nothing about how this will be managed.

Then there's the less-discussed but very real threat of model poisoning. As AI systems trained on NHS data start making clinical recommendations, they become valuable targets. An attacker who can corrupt what goes into the SPR can potentially corrupt what comes out of any AI system built on top of it. That's not a fringe concern. It's a logical extension of threats we already see against high-value datasets, applied to a context where a bad recommendation can hurt or kill someone.

And then there's bias. AI learns from data, which means it learns from the gaps and inequalities in that data too. The NHS data landscape already under-represents certain communities, a reflection of decades of unequal access to services. If the SPR inherits those gaps, any AI trained on it will bake in those same inequalities. Whether that gets corrected depends entirely on how much care goes into building the SPR in the first place. The bill doesn't require any of that care.

The accountability question

Possibly the most troubling part of all this is something the bill quietly removes.

Schedule 7, which deals with how NHS data functions transfer from NHS England to the Secretary of State, does not replicate NHSE's existing duty to report to Parliament on data governance. The Nuffield Trust has flagged this specifically: the statutory guidance that bound NHSE, requiring it to minimise conflicts of interest, consult advisory groups, and maintain rigorous processes for data access, simply won't carry over. ⁵

So at the precise moment the NHS is building its most powerful and sensitive data asset, it's simultaneously removing some of the accountability structures that governed the previous one. Nobody has satisfactorily explained why.

Who scrutinises the algorithms running on SPR data? Who assesses re-identification risk before a dataset gets shared with a private researcher? Who is accountable when an AI system makes a harmful recommendation based on data that turns out to be wrong? The bill doesn't answer any of that.

Getting ahead of it

There's a practical upside to all this uncertainty. Organisations that build proper AI governance frameworks now, before the SPR exists and before the regulations land, will be in a far stronger position than those who wait.

That means understanding your data before you train on it. Which populations are missing? What biases are baked in? How will the SPR change your training set, and what will that do to your model's outputs?

It means taking re-identification seriously, not just checking a box against ICO guidance ⁶ but genuinely stress-testing whether your anonymised data actually is. It means having an honest answer to the question of what happens when your AI gets it wrong. Who decides? Who gets told? What's the escalation path?
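One way to begin that stress test, as an added example that is not from the original post: it measures k-anonymity (a standard measure the post does not name) over the four data points listed earlier, before and after coarsening them. The records, field names and generalisation rules are constructed assumptions.

```python
from collections import Counter

# Constructed sample: direct identifiers (name, NHS number) are already removed.
ROWS = [
    (34, "LS6 2AB", "asthma", "2025-03-14"),
    (37, "LS6 4QT", "asthma", "2025-03-02"),
    (31, "LS6 1PL", "asthma", "2025-03-27"),
    (33, "LS6 2AB", "asthma", "2025-03-08"),
    (62, "M14 5RN", "type 2 diabetes", "2025-04-09"),
    (68, "M14 6HX", "type 2 diabetes", "2025-04-21"),
    (65, "M14 7DD", "type 2 diabetes", "2025-04-03"),
    (36, "LS6 3ZZ", "Fabry disease", "2025-03-19"),  # rare condition
]
QUASI_IDENTIFIERS = ("age", "postcode", "condition", "treated")
RECORDS = [dict(zip(QUASI_IDENTIFIERS, row)) for row in ROWS]

def _key(record, keys):
    return tuple(record[k] for k in keys)

def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(_key(r, keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one record is unique."""
    return min(class_sizes(records, keys).values())

def below_k(records, k, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[_key(r, keys)] < k]

def generalise(record):
    """Coarsen a record: 10-year age band, outward postcode, treatment month."""
    low = record["age"] // 10 * 10
    return {
        "age": f"{low}-{low + 9}",
        "postcode": record["postcode"].split()[0],
        "condition": record["condition"],
        "treated": record["treated"][:7],
    }

if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    for label, data in (("raw", RECORDS), ("generalised", coarse)):
        exposed = below_k(data, 2)
        print(f"{label}: k={k_anonymity(data)}, unique rows={len(exposed)}/{len(data)}")
        for r in exposed:
            print("   ", r)
```

In this sample every raw row is unique, and after generalisation the rare-condition row still is, so k stays at 1 until that row is suppressed or coarsened further. A passing k on these four columns does not account for linkage with other datasets, so it is a first check rather than proof of anonymity.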

None of this is glamorous. But it's the difference between a health AI programme that survives regulatory scrutiny and one that doesn't.

The bottom line

The SPR could be one of the most significant things the NHS has done in a generation for health research and AI. That's not hype. The data foundation it creates is genuinely transformative.

But the bill that enables it has left a trail of unanswered questions around governance, accountability, re-identification risk, and the unresolved Palantir situation. Those aren't details to sort out later. They're the questions that will determine whether the SPR becomes a world-class health AI asset or the NHS's most expensive data governance failure yet.

Parliament still has time to get this right. So do the organisations that need to operate in this landscape.

Is your AI ready for what's coming?

The governance gaps in the Health Bill won't stay gaps for long. Secondary legislation, ICO scrutiny, and evolving NHS procurement standards will all raise the bar for AI deployed in health settings. Organisations that haven't mapped their AI estate against frameworks like the EU AI Act and ISO 42001 will find themselves scrambling to catch up.

Periculo's AI Assurance Workshop is a free, focused session with Harrison Mussell, CEO of Periculo, at your office, on your timeline. In a single day, we map your AI estate against the regulatory and security standards your customers, board and regulators now expect.

Spaces are limited each quarter, and we pre-screen every request to make sure the session is useful from the moment we walk in.

Apply for a slot at periculo.co.uk/ai-assurance-workshop

References

¹ The Guardian, 'Palantir's access to identifiable NHS England patient data is "dangerous", MPs say', 11 May 2026

² The Times, 'Ministers seek advice on scrapping Palantir NHS data contract', 30 March 2026

³ House of Commons Library, Health Bill 2026-27, CBP-10845, 27 May 2026, Section 8.3, footnote 173

⁴ HL Deb 20 May 2026; House of Commons Library, Health Bill 2026-27, CBP-10845, 27 May 2026, Section 8.3

⁵ Nuffield Trust, 'What's in the Bill? Nuffield Trust briefing on the 2026 Health Bill', 18 May 2026, p.10

⁶ Information Commissioner's Office, Anonymisation, pseudonymisation and privacy enhancing technologies guidance, ico.org.uk