UK government set to extract hospital data to Palantir system without patient consent

'You'll be hearing from us,' say privacy campaigners who previously forced the government to back down

The UK government is set to extract patient-identifiable data from NHS hospital systems and share this with its data platform based on technology from Palantir, a move that seems set to provoke another legal challenge.

Without consulting patients or giving them the choice of opting out, NHS England and NHS Improvement — the non-departmental government body which runs the NHS in England — has instructed NHS Digital to gather the data for the purpose of understanding and reducing the crisis in treatment waiting times resulting from the COVID-19 pandemic.

In NHS Digital board meeting papers [PDF] (see Faster Data Flow - 3.1.2 - on page 163), NHS England tells NHS Digital to "collect patient level identifiable data pertaining to admission, inpatient, discharge and outpatient activity from acute care settings on a daily basis."

The move is an expansion of NHS England's use of Palantir, which had been subject to the threat of a judicial review in 2021. Under legal pressure, the government caved in and agreed not to extend Palantir's contract beyond the pandemic without consulting the public.

The judicial review was set to be brought by the news website openDemocracy, backed by tech campaign group Foxglove.

Speaking to The Register, Foxglove director Cori Crider said: "We're very concerned that this latest move to force more patient data into Palantir has been done with zero public input or consent. That's not what we were told would happen in our case, and we're seriously concerned it's unlawful. The government will be hearing from us shortly."

In the board papers, NHS England directs NHS Digital to use Foundry, a Palantir product for the collection.

While NHS England owns the contractual relationship with Palantir, the new instruction creates "a complex relationship" where, in terms of data protection law, NHS Digital will be the data controller for the collection but will use NHS England as a data processor and Palantir will be a sub-processor, the document said.

NHS England said that patients would not be allowed to block the transfer of their data under the National Data Opt-outs programme since the data was due to be "anonymized in accordance with the Information Commissioner Office's Anonymisation Code of Practice before being released."

However, the same document talks about the data being pseudonymized "to provide daily services" under the plan. And there's always the danger of pseudonymized records being deanonymized, and identifying and documenting actual individuals, when additional info is brought into the mix.

In February 2022, the country's information watchdog, the Information Commissioner's Office (ICO), published draft guidance on pseudonymization [PDF], that said "…personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…"

The guidance followed the introduction of the EU's General Data Protection Regulation, the local implementation of which (the UK GDPR) is under review in the UK following Brexit. The proposed replacement – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament.

In a Twitter thread explaining the issues with NHS England's approach Phil Booth, coordinator of campaign group medConfidential, said: "The fact is that patients have a #RightToObject to the #processing of their #PersonalData, so – while @NHSEngland may want to ignore people's opt-outs… and contorts itself to say their data's not 'confidential patient information' – the law(s) says otherwise."

An NHS England spokesperson said: "By collecting data in a more streamlined way the NHS is better able to plan and allocate resources to maximise outcomes for patients, whilst ensuring that data control remains with the NHS at all times. Ultimately, it will help all NHS organizations to better understand their waiting lists and pressures in near real time, work as systems, and the burden of manual reporting on staff will be significantly reduced."

There are currently a record 6.3 million patients waiting for treatment in the NHS in England, with 2.54 million patients waiting more than 18 weeks. The median waiting times remain "significantly higher" than pre-COVID levels, NHS England said, while a hidden backlog of patients yet to present with conditions may be even greater.

In the board papers, NHS England calls the new Palantir data initiative the Faster Data Programme. A separate Federated Data Platform is officially still in the pipeline, although the £360 million (c $406 million) procurement has been delayed by several months. Palantir is said to have made that competition a "must-win", having recruited Indra Joshi and Harjeet Dhaliwal, key figures in NHS England's data science and AI teams.

Palantir has provided technology used by the CIA and controversial US immigration agency ICE. ®

Send us news

UK's GDPR replacement could wipe out oversight of live facial recognition

Question not whether UK police should use facial recog, but how, says surveillance chief

EU-US Privacy Framework could make life easier for a data biz, if it survives

But what about the Brits? A lawyer gives their take on the privacy minefield

Meta facing third fine of 2023 for mishandling EU user data under GDPR

This one could set a new record for penalties against US companies doing business on the continent

That Meta GDPR fine is €1.2B. Plus biz must stop sending EU data to US

Zuckercorp says the EU-US Data Privacy Framework will pass before its penalties enacted, so why worry?

Criminals spent 10 days in US dental insurer's systems extracting data of 9 million

LockBit gang claimed 'trophy' of spilling low income families' details. Their parents must be proud

IR35 costs UK Research and Innovation £36M – the same it spent funding tech projects

Quango tax blunder follows similar payments from Defra and MoJ

Keir Starmer's techno-fix for the NHS: Déjà vu disaster or brave new blunder?

Beware over promising benefits and underestimating complexity

UK told it must double low carbon investment to meet net zero targets

Complexity also a problem across 115 funding streams, watchdog says

UK government prays that size doesn't matter as it chips in £1B for semiconductor sector

Domestic industry 'will never be wholly sovereign' say critics as Blighty hooks up with Japan

Fresh GDPR ruling says even 'minor anxiety' could mean payouts for EU folks

Lawyers quip: 'The definition of hell is European legislation with American enforcement'

Privacy Framework draft isn't 'future-proof', say MEPs

Take 3: the data must flow. Hold on, warns Euro Parliament, not so fast

Dyson moans about state of UK science and tech, forgets to suck up his own mess

Brexit-supporting offshore merchant wonders what has happened to all the investment