UK government set to extract hospital data to Palantir system without patient consent

The UK government is set to extract patient-identifiable data from NHS hospital systems and share this with its data platform based on technology from Palantir, a move that seems set to provoke another legal challenge.

Without consulting patients or giving them the choice of opting out, NHS England and NHS Improvement — the non-departmental government body which runs the NHS in England — has instructed NHS Digital to gather the data for the purpose of understanding and reducing the crisis in treatment waiting times resulting from the COVID-19 pandemic.

In NHS Digital board meeting papers [PDF] (see Faster Data Flow - 3.1.2 - on page 163), NHS England tells NHS Digital to "collect patient level identifiable data pertaining to admission, inpatient, discharge and outpatient activity from acute care settings on a daily basis."

The move is an expansion of NHS England's use of Palantir, which had been subject to the threat of a judicial review in 2021. Under legal pressure, the government caved in and agreed not to extend Palantir's contract beyond the pandemic without consulting the public.

The judicial review was set to be brought by the news website openDemocracy, backed by tech campaign group Foxglove.

Speaking to The Register, Foxglove director Cori Crider said: "We're very concerned that this latest move to force more patient data into Palantir has been done with zero public input or consent. That's not what we were told would happen in our case, and we're seriously concerned it's unlawful. The government will be hearing from us shortly."

In the board papers, NHS England directs NHS Digital to use Foundry, a Palantir product for the collection.

While NHS England owns the contractual relationship with Palantir, the new instruction creates "a complex relationship" where, in terms of data protection law, NHS Digital will be the data controller for the collection but will use NHS England as a data processor and Palantir will be a sub-processor, the document said.

NHS England said that patients would not be allowed to block the transfer of their data under the National Data Opt-outs programme since the data was due to be "anonymized in accordance with the Information Commissioner Office's Anonymisation Code of Practice before being released."

However, the same document talks about the data being pseudonymized "to provide daily services" under the plan. And there's always the danger of pseudonymized records being deanonymized, and identifying and documenting actual individuals, when additional info is brought into the mix.

In February 2022, the country's information watchdog, the Information Commissioner's Office (ICO), published draft guidance on pseudonymization [PDF], that said "…personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…"

The guidance followed the introduction of the EU's General Data Protection Regulation, the local implementation of which (the UK GDPR) is under review in the UK following Brexit. The proposed replacement – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament.

• UK government refuses public review before launch of NHS data platform
• Decisions on health data sharing should not be taken by politicians, citizen juries find
• NHS data platform procurement delayed for a second time
• NSO claims 'more than 5' EU states use Pegasus spyware

In a Twitter thread explaining the issues with NHS England's approach Phil Booth, coordinator of campaign group medConfidential, said: "The fact is that patients have a #RightToObject to the #processing of their #PersonalData, so – while @NHSEngland may want to ignore people's opt-outs… and contorts itself to say their data's not 'confidential patient information' – the law(s) says otherwise."

An NHS England spokesperson said: "By collecting data in a more streamlined way the NHS is better able to plan and allocate resources to maximise outcomes for patients, whilst ensuring that data control remains with the NHS at all times. Ultimately, it will help all NHS organizations to better understand their waiting lists and pressures in near real time, work as systems, and the burden of manual reporting on staff will be significantly reduced."

There are currently a record 6.3 million patients waiting for treatment in the NHS in England, with 2.54 million patients waiting more than 18 weeks. The median waiting times remain "significantly higher" than pre-COVID levels, NHS England said, while a hidden backlog of patients yet to present with conditions may be even greater.

In the board papers, NHS England calls the new Palantir data initiative the Faster Data Programme. A separate Federated Data Platform is officially still in the pipeline, although the £360 million (c $406 million) procurement has been delayed by several months. Palantir is said to have made that competition a "must-win", having recruited Indra Joshi and Harjeet Dhaliwal, key figures in NHS England's data science and AI teams.

Palantir has provided technology used by the CIA and controversial US immigration agency ICE. ®