Software

Databases

UK government set to extract hospital data to Palantir system without patient consent

'You'll be hearing from us,' say privacy campaigners who previously forced the government to back down


The UK government is set to extract patient-identifiable data from NHS hospital systems and share this with its data platform based on technology from Palantir, a move that seems set to provoke another legal challenge.

Without consulting patients or giving them the choice of opting out, NHS England and NHS Improvement — the non-departmental government body which runs the NHS in England — has instructed NHS Digital to gather the data for the purpose of understanding and reducing the crisis in treatment waiting times resulting from the COVID-19 pandemic.

In NHS Digital board meeting papers [PDF] (see Faster Data Flow - 3.1.2 - on page 163), NHS England tells NHS Digital to "collect patient level identifiable data pertaining to admission, inpatient, discharge and outpatient activity from acute care settings on a daily basis."

The move is an expansion of NHS England's use of Palantir, which had been subject to the threat of a judicial review in 2021. Under legal pressure, the government caved in and agreed not to extend Palantir's contract beyond the pandemic without consulting the public.

The judicial review was set to be brought by the news website openDemocracy, backed by tech campaign group Foxglove.

Speaking to The Register, Foxglove director Cori Crider said: "We're very concerned that this latest move to force more patient data into Palantir has been done with zero public input or consent. That's not what we were told would happen in our case, and we're seriously concerned it's unlawful. The government will be hearing from us shortly."

In the board papers, NHS England directs NHS Digital to use Foundry, a Palantir product for the collection.

While NHS England owns the contractual relationship with Palantir, the new instruction creates "a complex relationship" where, in terms of data protection law, NHS Digital will be the data controller for the collection but will use NHS England as a data processor and Palantir will be a sub-processor, the document said.

NHS England said that patients would not be allowed to block the transfer of their data under the National Data Opt-outs programme since the data was due to be "anonymized in accordance with the Information Commissioner Office's Anonymisation Code of Practice before being released."

However, the same document talks about the data being pseudonymized "to provide daily services" under the plan. And there's always the danger of pseudonymized records being deanonymized, and identifying and documenting actual individuals, when additional info is brought into the mix.

In February 2022, the country's information watchdog, the Information Commissioner's Office (ICO), published draft guidance on pseudonymization [PDF], that said "…personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…"

The guidance followed the introduction of the EU's General Data Protection Regulation, the local implementation of which (the UK GDPR) is under review in the UK following Brexit. The proposed replacement – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament.

In a Twitter thread explaining the issues with NHS England's approach Phil Booth, coordinator of campaign group medConfidential, said: "The fact is that patients have a #RightToObject to the #processing of their #PersonalData, so – while @NHSEngland may want to ignore people's opt-outs… and contorts itself to say their data's not 'confidential patient information' – the law(s) says otherwise."

An NHS England spokesperson said: "By collecting data in a more streamlined way the NHS is better able to plan and allocate resources to maximise outcomes for patients, whilst ensuring that data control remains with the NHS at all times. Ultimately, it will help all NHS organizations to better understand their waiting lists and pressures in near real time, work as systems, and the burden of manual reporting on staff will be significantly reduced."

There are currently a record 6.3 million patients waiting for treatment in the NHS in England, with 2.54 million patients waiting more than 18 weeks. The median waiting times remain "significantly higher" than pre-COVID levels, NHS England said, while a hidden backlog of patients yet to present with conditions may be even greater.

In the board papers, NHS England calls the new Palantir data initiative the Faster Data Programme. A separate Federated Data Platform is officially still in the pipeline, although the £360 million (c $406 million) procurement has been delayed by several months. Palantir is said to have made that competition a "must-win", having recruited Indra Joshi and Harjeet Dhaliwal, key figures in NHS England's data science and AI teams.

Palantir has provided technology used by the CIA and controversial US immigration agency ICE. ®

Send us news
99 Comments

Mega defense corp Thales faces Anglo-French bribery and corruption probe

Authorities remain tight-lipped on specifics

UK tax collector inks £366M in ERP deals to get systems into cloud

SAP and Deloitte winners in transition from legacy software to SaaS, which includes housing and transport ministries

UK energy watchdog slaps down Capita's £130M smart meter splurge

Regulator finds poor planning and overuse of consultants added to costs in ailing rollout

Europe's largest local authority slammed for 'poorest' ERP rollout ever

Government-appointed commissioners say Birmingham severely lacked Oracle skills during disastrous implementation

Yet another UK government seeks to reform GDPR

Yes, the law that needs to be harmonized with Europe for tech businesses' data to flow freely

UK orders Chinese biz to sell majority stake in Scottish chipmaker

Government invokes National Security and Investment Act

NHS would be hit by 'significant' costs if UK loses EU data status, warn Lords

As another government yet again seeks to reform UK GDPR, legislators say data must continue to flow

'Consent' LinkedIn used for data processing was not freely given, says Ireland

Microsoft-owned social media for suits site gets €310M fine, told to get compliant

NHS England warned about plans to extend Covid-era rules for patient data access

Governance and public consultation need work before rule change goes ahead

US moves ahead with crackdown on data brokers selling to six 'countries of concern'

Biden's Executive Order finally getting its day in the sun, soonish

Post Office CTO had 'nagging doubts' about Horizon system despite reliability assurances

As 'heat' built from campaigners, tech boss kept telling MPs everything was fine

UK electronics firms want government to stop taxing trash and let them fix it instead

CLEAR group calls for VAT to be dropped on spare parts, repairs, labor