Sokratis Papafloratos, chief executive and founder of Numan, explains what open banking teaches us about health data ownership.

The UK is rapidly digitising healthcare without modernising the rules that govern health data. We are building a 21st-Century digital health system on 20th-Century data infrastructure. This gap is becoming a serious constraint on care quality, safety and innovation.

Millions of patients now move between NHS services, private providers and digital platforms, generating clinically valuable data at every step. Yet that data remains fragmented, hard to access, and largely out of patients’ control. The result is duplication, inefficiency and risk – not because care is digital, but because data governance has failed to keep pace.

The debate is often framed around whether health data should be shared. That is the wrong question. Data already flows – the problem is that this happens imperfectly, inconsistently, and without clear accountability. This is why we need to start questioning who controls access, under what conditions, and with what safeguards.

Other sectors have faced this challenge before

Financial services, specifically banking, offer one of the clearest examples of how to resolve it.

Before the rise of fintech in the mid-2010s, financial data was locked inside institutions. Consumers had little visibility, limited portability, and no practical way to authorise third-party access. PSD2 and Open Banking changed this, establishing clear rules for consent, interoperability, and liability across financial services. 

And while much may be said of the growth of Open Banking payments – representing a 2,800% increase over five years – the most important structural shift came from Account Information Services (AIS). AIS allows authorised third parties to access and aggregate account data, with explicit user consent, without initiating transactions. It created a shared, trusted view of information across institutions. 

For the first time, this meant that customers gained the ability to grant time-limited, purpose-specific access to their data. Banks retained responsibility for accuracy and security, but third parties could be regulated and made accountable for how data was used. Moreover, interoperability was mandated rather than encouraged – and innovation followed. 

This is the element most directly transferable to healthcare: governed, read-only access to up-to-date records that improves coordination and decision-making without introducing new execution risk.

Healthcare has learned few of these lessons

Like early consumer fintech, digital health use by patients has become mainstream. In the past year alone, more people in the UK have booked GP appointments online than by phone for the first time. More than 30 million patients are now registered on the NHS App. Millions more access private digital consultations. Digital access is therefore not a marginal behavioural shift – it reflects a structural change in how people expect to access healthcare.

Yet health data governance still assumes patients receive care within a single system, from a single provider, anchored to one institutional record of truth, most commonly GP systems or the NHS Summary Care Record. That assumption no longer holds, and pretending it does increases risk.

Fragmented records make it harder for clinicians to see the full picture, slow down treatment decisions, and drive unnecessary repeat testing that increases costs. Patients also struggle to track results across providers or understand their own health journeys, leading to disengagement. The fact is that care coordination is crucial for efficiency and to ensure fair and equal access to care. The risk is that some inequalities are actually widened when people who are less able to navigate complex systems become even more likely to disengage.

The answer is not owning health data

Health information is sensitive, relational, and sometimes needs to be accessed when patients cannot actively consent. But control is not the same as ownership – and health can adopt a more mature model of controlled access.

An open-banking-style approach to health data would allow patients to authorise specific providers to access defined parts of their record, for clear clinical purposes, with transparent audit trails. Access could be time-bound. It could also be revoked. Responsibility would be explicit. Data would move securely between NHS services and accredited private providers, reducing fragmentation rather than entrenching it. And notably, it could boost patient engagement with the healthcare system. Actively engaged patients are more likely to see journeys through to the end and to ensure that they get care that is suited to them and delivers better outcomes.

This is particularly important as care becomes more personalised. Digital providers increasingly support patients managing long-term conditions, preventative interventions, and complex treatment pathways over time. These models generate rich longitudinal data, but without the ability to connect records across settings that value is limited.

Weight management and metabolic care illustrate the point. Digital pathways have lowered barriers for many people who might otherwise delay or avoid care – in fact, more than 2.5 million people per month are estimated to be accessing obesity care via private providers in the UK. That shift broadly aligns with the direction set out in the government’s NHS Long Term Plan, which recognises the role of scalable, preventative and digitally enabled care in reducing long-term pressure on the NHS. 

But while delivery models are evolving, the challenge is that even though more patients are moving between NHS services and private digital providers, their data is not. This leads to unmanaged fragmentation that is not the result of increased digital access nor lack of NHS access. It is simply a matter of data ownership. 

Trust will be critical

In banking, consumer confidence did not emerge from good intentions but from regulatory clarity. Before Open Banking could start to roll out, standards needed to be defined and liability assigned, as well as significant efforts taken to stop fraud and exclude bad actors. Health needs the same discipline.

Security and privacy matter, but technical safeguards alone are not enough. Patients trust systems when they understand who is responsible for what – and when regulators visibly enforce rules that are clearly communicated and shared. Clear governance also accelerates adoption and supports innovation so that better outcomes can be achieved by all those involved. 

Digital healthcare is now a permanent feature of the UK health landscape. The genie cannot be forced back into the bottle. That ship sailed in 2020 with the COVID-19 pandemic. This is why the digital health conversation in 2026 needs to ask the question: are the data foundations beneath the entire UK ecosystem fit for purpose? 

Open banking worked because it aligned consumer benefit, regulatory oversight, and market innovation. 

Healthcare should stop ignoring the question of data ownership and start designing a framework for controlled access, interoperability, and accountability.

If we do not, we risk entrenching a fragmented system that is increasingly digital in form but analogue in function, at precisely the moment patients expect better.