NHS Contract With US Tech Firm May Be 'Massive Breach' of Data Protection Law, Says medConfidential

A CIA-linked surveillance and data analysis firm has been awarded a £23 million two-year contract by the British government, in what rights groups say is part of a wider problem of a lack of transparency regarding the management and analysis of NHS and patient data.
Sputnik

Phil Booth, a coordinator of medConfidential campaigning for patient confidentiality and consent in Britain, says that the already problematic relationship between Palantir - a CIA-linked surveillance and data analysis firm - and the NHS has just seen a "significant expansion" well beyond the health emergency posed by the coronavirus (COVID-19) pandemic.

Booth also explains that Palantir is "just one part of a chain" and that medConfidential's concerns are "about what is being done with tens of millions of patients' sensitive health data, throughout the entire set of linked systems".

Sputnik: Explain exactly what it is that Palantir has been selected to do by the UK government over the next two years.

Phil Booth: The latest contract for £23 million, awarded in December, is a significant expansion of what Palantir has been providing to NHS England during the pandemic thus far.

What's being provided is still based on Palantir's Foundry platform, fed with data from NHS England's COVID-19 Data Store – but several entirely new 'dashboards' and capabilities have been commissioned, including ones for vaccination management; NHS workforce analytics; national, regional and local planning; and adult social care. It is notable that what this amounts to is precisely the sort of 'real-time intelligence' and staff/resource micromanagement system the technocrats at NHS England have been seeking to impose for years.

Sputnik: How does this differ from the role that Palantir has been playing in respect of managing NHS data thus far?

Phil Booth: The major difference with this contract is that parts of it are explicitly intended for "business as usual", i.e. for use after the pandemic.

This is relevant because the legal basis on which NHS England can require the collection of [data], and is able to pass patients' data on to Palantir (and others) from its central Data Store, is the emergency 'COPI Notices' issued early on in the pandemic. These COPI Notices were explicitly and exclusively for "COVID-19 purposes", not "business as usual" – and certainly not for "EU exit" (i.e. Brexit) purposes, which are also listed in the contract.

It is one thing to use Palantir's data integration capabilities during a declared public health emergency, it is quite another to begin to embed them in the day-to-day running of aspects of the NHS and wider care system.

Sputnik: What concerns do you have regarding this apparently expanded role being given to a firm such as Palantir?

Phil Booth: For starters, the contract as written appears to breach the terms of the COPI Notices – which, in itself, would be a massive breach of Data Protection law, potentially affecting tens of millions of patients.

On an ongoing basis, the lack of transparency about the data that is being processed by Palantir (and others) is deeply concerning. The recently published contract redacts some 120+ classes of data on NHS employees alone, and NHS England has still not published a definitive list of exactly what patient data it is collecting and passing on to others, including Palantir.

Also, serious questions must be asked about the involvement of a company with such a toxic global reputation in the NHS at all. Foundry may have been a useful tool during the pandemic, but assuming that you will retain public confidence or trust in its use is extremely high risk.

Sputnik: Has the government in any way gone back on prior assurances about the role this company and others like it would be playing in respect of handling private medical data and working with public services?

Phil Booth: I'm not aware of any specific assurances by the Government with regard to Palantir, whose software has been available on the 'G-Cloud' procurement framework for years.

What the Government has gone back on is assurances to be transparent about exactly what patients' data is being used for, by who, and for what purposes. Widespread concern about Palantir has forced it to publish some information – but nowhere near enough, and this doesn't address equally important concerns about companies like Faculty Science (the controversial AI outfit unduly favoured by Number 10) who make use of the data integration platform Palantir provides.

Sputnik: Is there anything that could be done to allay your concerns?

Phil Booth: To begin with, far greater transparency! Not just on Palantir, but on everything that is being done with NHS England's COVID-19 Data Store – including the data it passes on to Foundry.

People should remember Palantir is just one part of a chain. It has rightly drawn a lot of attention, but our concerns are about what is being done with tens of millions of patients' sensitive health data, throughout the entire set of linked systems. Indeed, it may be that the Government is to an extent 'hiding behind' Palantir's toxic reputation – betting people will be distracted by that, rather than paying attention to what it is actually doing.

Sputnik: What are you calling for now?

Phil Booth: We believe it is fundamental for public trust and confidence that every use of patients' and service users' data is consensual, safe and transparent.

In the case of Palantir, there's no reason to assume the data it is processing is any less secure than in other IT systems. There is however literally no way for any member of the public to know if the projects or purposes, or the people and companies doing them, are safe – i.e. properly authorised, ethically-approved, etc. So there must be full and proper transparency around this, and the data being used – and people's choices must be respected.

In a "business as usual" NHS world, patients have a right to opt out of having their data used for purposes beyond their direct care, e.g. for research or planning. If people choose to opt out because NHS England chooses to use Palantir for such purposes, then that's for NHS England to justify.
