UK health department republishes £330M Palantir contract with fewer ██████

The UK health department has republished its contracts with US spy-tech company Palantir, blanking out fewer sections, following a warning from legal campaigners.

In February, the Good Law Project, a political non-profit company, said publication of heavily redacted contracts meant the public was “unable properly to understand or scrutinise the arrangements under the contract, including but not limited to the issue of how personal data will be handled.”

The pre-action legal warning came after NHS England, a health department quango, published contracts for the deal launched at £330 million ($412 million) ahead of the Christmas holiday season. Large sections of the documents were blacked out, including most of the section describing “protection of personal data.”

The Good Law Project is considering its response to the new publication. The decision to heavily redact the documents followed concerns about transparency in NHS England’s dealings with the Federated Data Platform (FDP), the data store and analytics environment Palantir is set to support.

Concerns centered on commercial arrangements after Palantir built an analytics platform for NHS England based on an initial £1 contract, which led to a total of £60 million in uncontested deals. NHS England maintains that the separate FDP agreement was a fair and open competition, although some use cases will be ported from the old system to the FDP.

Another set of concerns focus on the confidentiality of medical data and patients’ rights to exclude their data from the system.

In a briefing published about the FDP contract, NHS England said: “Key lessons have been learned from previous data programmes including the need for a) transparency and b) data to be held in secure environments with the correct checks and balances in place. We are ensuring that trust and transparency lessons have been learnt both in terms of design, but also in how we act, for example the timely publication of information and documentation, open publication of use cases and Data Protection Impact Assessments.”

Under the question “Who will be able to see this data?” the same briefing said: “Only authorised users will be granted access to data for approved purposes, for example, NHS staff and those supporting them, such as administrators, bed managers or care coordinators, and staff in social care supporting the move from hospital care.”

However, other documents from NHS England make clear that Palantir staff will be able to see the data for technical administration purposes.

Under a privacy note, NHS England says FDP contractors Palantir and IQVIA, which won the award for privacy enhancing technology, will be able to process personal data in the FDP, but only “where it is necessary for them to operate and maintain the FDP” and only under “the written instructions” from user organizations, which include national or local “instances.”

“These written instructions are given under a data processing agreement between the FDP contractor and each user organisation for each product that a user organisation chooses to use,” it says.

Subcontractors may also access the data, if they are on an “approved list” from user organizations.

Meanwhile, UK data regulator, the Information Commisioner’s Office has warned NHS England to comply with a request to publish documents leading up to the decision to select Palantir as a contractor for the FDP. A letter seen by The Register says NHS England breached the Freedom of Information Act “in that it failed to provide a valid response to the request within the statutory time frame of 20 working days.”

In November last year, a complainant asked NHS England to announce the winner of the first two stages of the FDP procurement. They also asked for agendas and agreed minutes for all meetings of the board responsible for making the decision and copies of papers or presentations provided to that board in 2023.

The Information Commissioner’s Office said NHS England had failed to comply with the request in 20 working days and the health quango was now required to fall in with the request.

Sam Smith, coordinator at health privacy campaign group medConfidential, said: “The culture of cover-up continues. NHS England will only offer privacy, transparency, or be trustworthy when they’re forced to by legal action. NHS England will do to Palantir what the Post Office did to Fujitsu.”

NHS England has been offered the opportunity to respond. ®

Read More

Lindsay Clark