The Health Bill 2026-27 passed its second reading in Parliament yesterday. Most headlines focused on the abolition of NHS England. But the provision that will have the deepest long-term implications for digital health security and governance is buried in Clause 47: the Single Patient Record.
If enacted, it will be the most significant change to NHS data infrastructure in a generation. It will create an enormous opportunity. It will also create risk on a scale the NHS has never had to manage before, and the bill, as it stands, leaves some of the most important questions unanswered...
The Single Patient Record (SPR) would create a centralised summary of every patient's health information, pulling together data from GPs, hospitals, community services, mental health providers and social care, and making it accessible both to patients and to the clinicians treating them.
On its face, this is the right ambition. Fragmented records are one of the most persistent failures of NHS care delivery. Patients retell their histories at every appointment. Referrals get lost. Medications prescribed in one setting contradict those prescribed in another. A joined-up record has the potential to fix all of that.
But Clause 47 doesn't just enable data sharing; it mandates it. The Secretary of State would have the power to legally require all NHS providers, including GPs, to disclose patient data. Organisations that fail to comply face financial penalties. Secondary regulations will determine the details, including who can impose fines, what counts as non-compliance, and how access is governed.
The bill also explicitly allows SPR data to be used for secondary purposes (research, planning and service development) under existing data legislation. That means patient data in the SPR, like other NHS data, could be approved for sharing with public and private researchers.
Under current arrangements, GPs are data controllers for their patients' records. GP data is often the most complete health record a person has, and GPs carry legal responsibility for its privacy and security.
The bill gives the Secretary of State new powers over primary care data. But it does not remove GPs' existing responsibilities as data controllers. That leaves a live ambiguity: if a GP is legally compelled to share data with the SPR, and another provider inputs an error, who is liable? If there is a breach, who is the data controller?
The BMA has raised this concern directly, without receiving a clear answer. GPs and other providers face an uncomfortable position: mandatory disclosure, with unclear liability.
The bill states that existing data protection legislation (the UK GDPR and the Data Protection Act 2018) will remain in force. That's reassuring in principle. But the practical interaction between those frameworks and the SPR is unresolved.
Under the bill, the common law duty of confidentiality can be lifted by secondary regulations where sharing is for the purpose of establishing and operating the SPR. The conditions under which that applies, and the safeguards that will sit around it, are left to secondary legislation that doesn't yet exist.
For NHS organisations, the question isn't whether the UK GDPR applies. It's whether the governance structures around the SPR will be mature enough to demonstrate compliance when the ICO, or another regulator, asks for evidence.
The Health Foundation published survey data in December 2024 showing that around two-thirds of the public trust the NHS to handle their health data. Only one in three trusts the government with that same data.
The bill moves governance of NHS data, including the SPR, from NHS England into the Department of Health and Social Care. In other words, it shifts data governance from the institution that the public broadly trusts to the institution that it broadly doesn't.
That's not a political observation; it's a delivery risk. Digital health initiatives fail when the public withdraws consent. The NHS has been there before.
The Association of Optometrists put it plainly in its briefing on the bill: there have been multiple systems "previously heralded as the solution to siloed patient records" (the Local Shared Care Records, the National Care Records Service and the Summary Care Record), and "each time they have failed to deliver."
What we do know from those past failures is that they often had little to do with the technology itself. They failed because of inadequate public engagement, poor data governance, unclear accountability, and insufficient security design. The SPR will face all the same pressures on a far larger scale.
The SPR will be rolled out in phases, with secondary regulations setting the timetable. But preparation should start now. Organisations that wait for the regulations to land will be behind.
For NHS trusts, ICBs and GP practices:
For health technology suppliers:
The Single Patient Record could improve patient care, reduce avoidable harm, and unlock research and AI applications that transform health outcomes. That's a significant "could." The history of NHS technology programmes is littered with initiatives that promised the same thing and didn't deliver.
What separates success from failure isn't the ambition; it's the execution. And right now, the bill creates the power to build the SPR without creating the governance, security, and accountability framework needed to make it work safely.
If the security design is bolted on after the fact, the SPR will be a liability. If data governance is left to secondary regulations with no parliamentary oversight, public trust will erode before the system is even live. If the data controller question isn't resolved, providers will face compulsory disclosure and unclear liability, a combination that breeds either non-compliance or legal exposure.
Parliament has the opportunity to fix this during the bill's remaining stages. The Nuffield Trust has suggested MPs consider "new safeguards, such as a public interest test for sharing data, or bringing back requirements to report to parliament." Those are sensible starting points, but the security provisions need to go further.
Done right, the SPR is genuinely transformative. Done wrong, it becomes the largest and most damaging data governance failure the NHS has ever seen. The difference lies in what happens in the next few months, in Parliament, in DHSC, and in the organisations that will have to live with the consequences.
References
Health Bill 2026-27 (Bill 009 2026-27), Second Reading, House of Commons, 1 June 2026.
UK GDPR and Data Protection Act 2018 preserved: Department of Health and Social Care, Health Bill Explanatory Notes, 15 May 2026, p. 16.
Common law duty of confidentiality being liftable by secondary regulations: UK Caldicott Guardian Council, The common law duty of confidentiality.
Health Foundation survey (two-thirds trust the NHS, one in three trust the government): The Health Foundation, 'How does the public feel about health technologies and data?', 3 December 2024.
Association of Optometrists quote on past failures: Association of Optometrists, Policy briefing: Health Bill, May 2026.
Clause 48 (Secretary of State sharing data with IT suppliers): Health Bill 2026-27, Clause 48; Health Bill Explanatory Notes, 15 May 2026.