The National Data Guardian declined to endorse NHS England's effort to be transparent with its recently published detail on data flows from a patient medical information project that put US spy-tech firm Palantir at the heart of the government's response to the pandemic.
The COVID-19 data store was launched in March 2020, and would pull together medical and operational data about the spread of the virus.
Campaigners had to force the government to publish details of the contract supporting the project awarded to AWS, Microsoft, Google, Brexit-linked analytics firm Faculty, and Palantir, whose technology has been employed by the CIA and controversial US immigration agency ICE.
Late last year, the threat of a judicial review preceded a government promise to consult the public before extending Palantir's NHS role beyond the pandemic, after the US tech firm's contract was extended for two years – well beyond the initial phase of the virus outbreak.
Better late than... what? Is that all the information you're releasing?
Earlier this month, the National Data Guardian – health and social care data watchdog for England – said it was disappointing NHS England had taken more than a year to release details of data moving from the system.
NHS England and NHS Improvement published a "data dissemination register" on 12 August, at which point it was likely to have read an early version of the NDG report.
The published register details just 18 points of access to the data, which includes patients' medical information; eight of them took place in 2021. There are no details on Palantir's extraction of data.
The platform... or the store?
It's a bit confusing, but the data store project has two elements. The data store is a SQL Server database operated in Microsoft's Azure cloud platform. That data is then used by the "data platform," which employs Palantir's Foundry product, hosted in AWS, according to NHS England's Data Protection Impact Assessment [PDF] for the project.
In its report [PDF], the National Data Guardian makes a distinction between the platform and the store, and specifies that "NHS England and NHS Improvement had committed to publish a full register of releases of data from the data store to promote transparency in how information is used and shared." [Our emphasis]
The Register asked the NDG if NHS England's "dissemination register" met the watchdog's criteria for detailing releases of data from the data store and if it promoted transparency. Dr Nicola Byrne side-stepped the question, only saying that "my panel and I will continue our ongoing dialogue with NHS England and NHS Improvement" on its release of information about who is accessing the data and what for.
Dr Byrne added in a statement to The Register:
It is important that organisations across health and social care work together effectively to make progress and effect change. The National Data Guardian has always offered support, guidance and challenge to colleagues and stakeholders in order to achieve goals such as improved transparency around data use, including providing accessible and comprehensive data dissemination registers. In this spirit, my panel and I will continue our ongoing dialogue with NHS England and NHS Improvement about their work.
'It's hard to take this [dissemination register] very seriously, to be frank'
Others were more frank in their assessment of whether NHS England had met the NDG's criteria.
Sam Smith, coordinator at independent lobby group medConfidential, said: "It has definitely not met that criteria. We are arguing over which bits are screwed up and how badly [they are] screwed up."
Smith said there was no doubt NHS England had failed to deliver the information requested by the highly respected Dame Fiona Caldicott, who was NDG for the majority of the period covered by the 2020-2021 report and whose 1997 review [PDF] of patient-identifiable information detailed the principles of information governance in the NHS over the last 20 years.
At stake was the public's trust in how NHS England – an executive non-departmental public body of the Department of Health and Social Care – uses their data. This use spans data projects including the Palantir data store, but also the GPDPR "data grab" project run by NHS Digital, another non-departmental body.
"NHS England will not, voluntarily, tell the full truth about what they're doing. They were given a lot of leeway. The dissemination register should have been published last April: it took until August 2021. This is just pathetic. When they're talking about GP data or Palantir, no one expects that they will be voluntarily transparent because when they had all the time in the world [to release information about] their flagship data project," Smith said.
The data store project dates back to March 2020. In a blog published in December 2020, Ming Tang, the national director for data and analytics at NHS England, said the project had allowed the NHS to "develop tools and dashboards within a single integrated data platform to give decision-makers more accurate visibility into the status of the response" to the pandemic.
But, with apparently just eight disseminations of the data in 2021, the flagship data project is either "largely useless" or NHS England is "dishonest" because it is refusing to tell people about access to the data, Smith said.
"I suspect it is more the latter than the former. That's not a good thing," he told The Register.
The Register has requested a comment from NHS England and NHS Improvement.
"It's hard to take this [dissemination register] very seriously, to be frank, because it says data was accessed just eight times this year, including at the worst of the pandemic. It's also hard to understand why they haven't mentioned Palantir and Faculty, two highly controversial companies at the heart of the whole system," said Cori Crider, director of Foxglove, the not-for-profit legal campaign group which proposed the judicial review of Palantir's work with the data store project.
"If there's one lesson to be taken from the GP data fiasco, it's that a 'nothing to see here' approach to people's health records won't work. The pandemic hasn't changed the basic fact that people care who sees their private health records and want some control over that.
"Sadly, it doesn't seem like the government has learned this basic lesson. The datastore is a temporary, emergency system that they have committed to destroying at the end of the pandemic. They are going to be held to that. People have the right to a say in what happens to their personal health information." ®