NHS Disclosures Show 'Sensitive Personal Data' is Being Unlawfully Shared, Expert Explains

Newly released documents by NHS England show that confidential patient information is being handled by third-party companies in a manner which has been hidden from the public and is most likely unlawful, according to Phil Booth from medConfidential.
Sputnik

The British government has released documents detailing parts of the relationship between the National Health Service and for-profit surveillance firms such as Faculty and Palantir and global consultancies such as McKinsey, following the threat of court proceedings brought by openDemocracy and Foxglove.

Phil Booth, coordinator of the organisation medConfidential that campaigns for patient confidentiality and consent in Britain, explains the "devastating" revelations in the documents as well as what is still unknown about how the private information of millions of people is being handled.

Sputnik: The last time we spoke you explained that NHS data was at risk from for-profit-surveillance firms. Since then newly obtained documents have revealed more about the agreements being struck between NHS England and these corporations. Explain the most important aspects of what has since been discovered.

Phil Booth: One of the more significant things these documents confirm is that patients' identifiable personal health data is indeed being processed, despite earlier claims that all the data in the Data Store was "anonymous". Indeed the contract for one company, Faculty AI, explicitly states that it will have access to "Sensitive Personal Data" – in addition to the still identifiable but "pseudonymised personal data" that other companies, like Palantir, will be processing.

One of the more striking things these documents reveal is the shambolic mess and lack of accountability around what must be one of the largest aggregations of English patients' medical histories in recent times. The "sole data controller" for the Data Store, NHS England, isn't even the legal entity that formed the contract with the most controversial data processor in the set-up, Palantir – and there's no public evidence of the sort of processes and procedures around access to data that other parts of the NHS have been doing routinely for years.

The most devastating thing these documents reveal is that NHS England's current Privacy Notice is at best misleading the public, which is a breach of the First Data Protection Principle, and thus unlawful. While it may have a lawful basis in the pandemic to hoover up, process and even hand over copies of our data, NHS England appears to have failed to grasp that it cannot do so in secret. And that it must still comply with all of the rest of the law, including patients' lawful dissent.

Sputnik: What are the different documents that have been released and what's their significance?

Phil Booth: What's been released is some of the contracts and the Data Protection Impact Assessment for what NHS England calls its "COVID-19 Data Store" – a giant accumulation of nearly 80 population-scale data sets, which include identifiable patient data that care providers are required to submit, under what are known as the COPI notices.

While they raise as many questions as they answer, what these documents make absolutely clear is that, despite initial promises, the data in the Data Store and the data that is being passed to third parties is NOT "anonymous" but includes what the law recognises is sensitive ("special category") personal data – albeit with some of the most obvious 'identifiers' (e.g. your name, or full address) removed or obscured.

Public claims that individual patients are "not identifiable" are simply unsupportable, especially given the amount of linkage between data sets that is clearly being done – for if you cannot accurately identify an individual in one data set, how can you link their record to the correct one in another data set?

Possibly of greater significance than what is in the documents is what's NOT in them. Despite processing of tens of millions of patients' personal health data for months now, there's still no sign of NHS England's so-called "SPOC" application process for access to the data; no public list of who is applying for data, for what purposes, and who exactly is being given data or access to data; there's no evidence of claimed safeguards and oversight, nor any transparency such as a public record of every project that's being done.

Sputnik: It's being reported that the UK government has actually given the CIA-linked surveillance firm Palantir "access to sensitive medical records of Covid-19 patients".

What can you tell us about this agreement and is it just limited to Palantir?

Phil Booth: The Data Protection Impact Assessment (DPIA) and agreements published show Palantir is the data processor for what are being called the "dashboards" for officials and decision-makers to look at views of the data, and to provide a platform on which other third parties can run 'models' that feed on actual data, rather than just guesses. Palantir's software (a product called Foundry, as opposed to the more notorious Gotham – the one law enforcement and security/intelligence services use) is a data integration tool – i.e. it acts like a sort of 'plumbing' layer, to enable lots of different types of data from different sources to be worked on.

The agreements show that the Data Store and dashboards actually use a bunch of different companies: Microsoft Azure for uploading the 'raw' data and doing initial processing, including 'pseudonymisation'; Amazon Web Services to hold the pseudonymised but still personal data; and Palantir Foundry on top of AWS to provide the 'plumbing' for others to make use of the data. The only other company for which we've seen an actual contract is Faculty AI, which seems to have pretty much free rein across government data at present – that the brother of its CEO is Dominic Cummings' deputy probably doesn't hurt in that regard! (Faculty used to be called ASI Data Science, which became notorious a few years ago for other reasons...)

What the documents also show is the presence of global consultancy firms throughout; McKinsey and Deloitte being two of those mentioned as having "honorary contracts" which effectively give them access to data as if they were NHS officials. As do Faculty staff.

What it looks like is that NHS England, lacking any real competence of its own, has handed the construction of a giant centralised data store of the country's most sensitive data to a handful of commercial players (some of whom dropped their price to £1 for the chance of doing the job) without putting adequate – or even basic – governance or transparency in place.

NHS England didn't even form the contract with Palantir directly itself, but through something called a 'Commissioning Support Unit'; one of the five remaining regional bodies providing back-office administration functions like procurement to smaller NHS bodies.

Sputnik: To what extent is the British government now offering, with the release of these documents, the transparency that you have been demanding?

Phil Booth: It's not even close! From what's referenced in the documents released last Friday alone, we now have a three-page long list of further documents that should be published – but chasing documents is beside the point. What we need now is full transparency and real accountability.

Tens of millions of people's identifiable health data (in many cases pseudonymised, but in others 'in the clear') is being processed. It has been for months. NHS England has been talking about proper processes, safeguards, oversight and transparency for most of that time – but it has delivered nothing but a shoddy DPIA and four contracts with much of the real detail (what's called the Statements of Work) removed. And it got to within hours of being sued before it would release those.

Sputnik: Is there evidence that agendas, which have nothing to do with COVID-19, are also being implemented by NHS England?

Phil Booth: There's scant evidence of anything at this point, which is why things like public registers of data applications, deliberations and releases, and audit trails of every data access are – and will be – so vitally important. It's boring and nerdy, but if you don't capture such things it will be very hard to prove what went on in the inevitable inquiry.

What is clear to those who've been following government's and others' ambitions for our data for years is that well-known groups of players with long term agendas (mostly around greater access to, and exploitation of, NHS patients' data) are using opportunities within the pandemic to accelerate those agendas – whether by aggregating data to which they've never had access before; setting precedents for how it can be processed, and by who; or simply shifting the narrative to normalise the idea that the nation's medical histories are a legitimate item for international trade.

I honestly don't think this should come as a surprise to most people. Wasn't it Churchill who first said: "Never let a good crisis go to waste"?

Sputnik: What do we still need to know that we don't know about the relationship between the NHS and for-profit surveillance firms?

Phil Booth: Ah! Rumsfeld's 'known unknowns'. Well, we definitely need to see the Statements of Work, i.e. the detail of what each company was asked to do, down to the data level. That, plus the sort of transparency measures I've mentioned above, consistently adhered to throughout the pandemic would give us the chance to see if these systems are/were operating (a) lawfully, and (b) as intended.

On matters such as data deletion – which must happen at the end of the contract with every data processor such as Palantir – I think people are going to want far stronger assurances than some NHS England official just ticking a box on a form. (Plus we don't want NHSE or the Government deleting audit trails that might be used to hold them accountable...)

And with firms like Faculty AI, we really want to know what they are getting out of it. What intellectual property, e.g. trained models, are they generating? Palantir doesn't get to take away anything at the end of the pandemic; it will have provided a service, and maybe tried to buff up its reputation a bit. Meanwhile, no-one's really paying enough attention to the AI mercenaries who seem to be roaming freely across Government (not just the NHS) at Number 10's behest.

Sputnik: Do you think the lawsuit will still go ahead?

Phil Booth: Probably not this lawsuit, because the Department and NHS England's lawyers will have ensured they released exactly enough documents (but no more!) to neutralise that particular demand for information. But, as I said, what they did release begs even more questions – to which the British public deserve answers.

Will it take further threats of being sued to get NHS England to meet its legal obligations? Let's hope not! This whole episode has been terrible for public trust; a currency the Government and public bodies cannot afford to squander right now.
