UK government set to extract hospital data to Palantir system without patient consent

'You'll be hearing from us,' say privacy campaigners who previously forced the government to back down

The UK government is set to extract patient-identifiable data from NHS hospital systems and share this with its data platform based on technology from Palantir, a move that seems set to provoke another legal challenge.

Without consulting patients or giving them the choice of opting out, NHS England and NHS Improvement — the non-departmental government body which runs the NHS in England — has instructed NHS Digital to gather the data for the purpose of understanding and reducing the crisis in treatment waiting times resulting from the COVID-19 pandemic.

In NHS Digital board meeting papers [PDF] (see Faster Data Flow - 3.1.2 - on page 163), NHS England tells NHS Digital to "collect patient level identifiable data pertaining to admission, inpatient, discharge and outpatient activity from acute care settings on a daily basis."

The move is an expansion of NHS England's use of Palantir, which had been subject to the threat of a judicial review in 2021. Under legal pressure, the government caved in and agreed not to extend Palantir's contract beyond the pandemic without consulting the public.

The judicial review was set to be brought by the news website openDemocracy, backed by tech campaign group Foxglove.

Speaking to The Register, Foxglove director Cori Crider said: "We're very concerned that this latest move to force more patient data into Palantir has been done with zero public input or consent. That's not what we were told would happen in our case, and we're seriously concerned it's unlawful. The government will be hearing from us shortly."

In the board papers, NHS England directs NHS Digital to use Foundry, a Palantir product for the collection.

While NHS England owns the contractual relationship with Palantir, the new instruction creates "a complex relationship" where, in terms of data protection law, NHS Digital will be the data controller for the collection but will use NHS England as a data processor and Palantir will be a sub-processor, the document said.

NHS England said that patients would not be allowed to block the transfer of their data under the National Data Opt-outs programme since the data was due to be "anonymized in accordance with the Information Commissioner Office's Anonymisation Code of Practice before being released."

However, the same document talks about the data being pseudonymized "to provide daily services" under the plan. And there's always the danger of pseudonymized records being deanonymized, and identifying and documenting actual individuals, when additional info is brought into the mix.

In February 2022, the country's information watchdog, the Information Commissioner's Office (ICO), published draft guidance on pseudonymization [PDF], that said "…personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…"

The guidance followed the introduction of the EU's General Data Protection Regulation, the local implementation of which (the UK GDPR) is under review in the UK following Brexit. The proposed replacement – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament.

In a Twitter thread explaining the issues with NHS England's approach Phil Booth, coordinator of campaign group medConfidential, said: "The fact is that patients have a #RightToObject to the #processing of their #PersonalData, so – while @NHSEngland may want to ignore people's opt-outs… and contorts itself to say their data's not 'confidential patient information' – the law(s) says otherwise."

An NHS England spokesperson said: "By collecting data in a more streamlined way the NHS is better able to plan and allocate resources to maximise outcomes for patients, whilst ensuring that data control remains with the NHS at all times. Ultimately, it will help all NHS organizations to better understand their waiting lists and pressures in near real time, work as systems, and the burden of manual reporting on staff will be significantly reduced."

There are currently a record 6.3 million patients waiting for treatment in the NHS in England, with 2.54 million patients waiting more than 18 weeks. The median waiting times remain "significantly higher" than pre-COVID levels, NHS England said, while a hidden backlog of patients yet to present with conditions may be even greater.

In the board papers, NHS England calls the new Palantir data initiative the Faster Data Programme. A separate Federated Data Platform is officially still in the pipeline, although the £360 million (c $406 million) procurement has been delayed by several months. Palantir is said to have made that competition a "must-win", having recruited Indra Joshi and Harjeet Dhaliwal, key figures in NHS England's data science and AI teams.

Palantir has provided technology used by the CIA and controversial US immigration agency ICE. ®

Send us news

The UK Digital Information Bill: Brexit dividend or data disaster?

Move could 'weaken' Brits' personal data rights when info is transferred outside Europe

Palantir and Oracle buddy up on cloud infrastructure

But do all Foundry workloads move to OCI? It's up to the customer, spy-tech firm says

UK health department republishes £330M Palantir contract with fewer ██████

As Good Law Project considers response, ICO slams failure to comply with FoI request

UK businesses shockingly unaware of how to handle security threats

Many decide to make no changes after detecting a breach

UK government sets sights on £8B tech procurement overhaul

Mega framework set to replace earlier deals coming to an end next year

Rubrik files to go public following alliance with Microsoft

Cloud cyber resilience model could raise $700M despite $278M losses

Fujitsu set to be preferred bidder in UK digital ID scheme

Selection comes despite Japanese supplier's role in Post Office scandal

Fujitsu's 30-year-old UK customs system just keeps hanging on

After declaring the end of CHIEF at least five times in as many years, HMRC hopes this June 2024 date will stick

Uncle Sam wants to know how big airlines use passenger data

'Problematic' carriers can look forward to scrutiny, fines, and new rules

Record breach of French government exposes up to 43 million people's data

Zut alors! Department for registering and helping unemployed people broken into

London Clinic probes claim staffer tried to peek at Princess Kate's records

First: Not being able buy a meat pie with a credit card. Now this

UK awards £1.73M to AI projects to advance net zero goals

Great! Just ignore the energy needed to train them, process queries, keep the lights on in datacenters ...