NHS England staff voice concerns about access controls on US spy-tech firm Palantir's COVID-19 data store
Foundry platform lacks transparency and accountability, sources tell El Reg.
Researchers at NHS England are being denied access to datasets on the Palantir platform which supports the COVID-19 data store, with no reason given, despite requests for greater transparency on the system.
According to documents seen by The Register, some staff at the non-departmental body of the Department for Health and Social Care (DHCS) are concerned about the lack of clarity when requests are made for data sets on the system built on Palantir's Foundry platform.
Some requests for data are ignored, with no information given in the fields for “decision maker” or “decision reason,” according to screengrabs seen by El Reg.
Even if NHS England staff get access to the data they request, names of decision-makers might be given as “unknown group or user”, while the reason for a decision might be “approved by a triage panel”. The lack of transparency is leaving staff frustrated that they cannot get more information on the data sets they request.
The documents, and views of NHS England staff, raise the possibility that NHS England management is restricting access to data without giving proper justification. Others have speculated that the American software firm itself, with its consultants still working on the system, is restricting access to the data.
According to NHSE's own Data Protection Impact Assessment for the NHS COVID-19 Data Store [PDF, also available here], Palantir does have access to that data.
Only members of the Palantir team authorised and onboarded by NHSE to the Foundry platform may have access to de-identified NHSE data.
Palantir employs controls which prevent Infrastructure Operators accessing data integrated in the Foundry platform.
Palantir employee access is approved by designated Palantir team leads following Palantir’s annually updated and management approved Access Control policy and processes.
They include requirements for the verification of identity, regular verification of users and access, and procedures for new user access requests, changing access, and updating and deleting users upon termination or when responsibilities change.
We are awaiting a statement from NHS England, which was contacted for comment last week.
Palantir declined to comment.
NHS data crew not happy
Meanwhile, data workers and system planners have expressed concerns about Palantir’s involvement with the healthcare body, with negative opinions said to be shared among many of the relevant employees.
Staff we have spoken to point to the fact that while data is pseudonymised – where personal details are given an anonymous marker – individual patient records can be reconstructed by triangulation over several data sets or reintegration with the original marker set. For example, the Personal Demographics Service, controlled by NHS Digital, another non-departmental body of DHCS, can link NHS numbers to patient names and addresses.
Palantir is a US company that carries out information analysis and processing work for the defence and intelligence communities, often creating bespoke solutions such as digital-profiling tools for the CIA and ICE, the latter being the controversial US immigration agency. The company was founded by prominent Trump financier and PayPal co-founder Peter Thiel.
Why not FOSS?
Members of technical teams at NHS England have told The Register they see little or no functionality in the Palantir Foundry platform that is not already available with open-source data warehousing and analytics tools.
NHS England was also asked for a response to the information about its relationship with Palantir, as well as transparency of the Foundry system.
Campaigners fought for greater transparency over Palantir’s involvement with the NHS and its COVID-19 data store since its role in the pandemic response first emerged in March 2020.
Palantir was named along with fellow providers Microsoft, Google, and AWS, as well as Faculty, a UK analytics firm with links to the Vote Leave Brexit referendum campaign.
- UK health secretary Matt Hancock follows delay to GP data grab with campaign called 'Data saves lives'
- British Medical Association calls for clarity on patient deadline for opting out of NHS Digital's GP data grab
- Of all the analytics firms in the world, why is Palantir getting its claws into UK health data?
- Palantir and UK policy: Public health, public IT, and – say it with me – open public contracts
How we got here
In May, a broad-based campaign group wrote to UK Health Secretary Matt Hancock calling for greater openness around the government’s embrace of this gang of private-sector tech companies. The group — including Liberty, openDemocracy, Foxglove, and Privacy International — said promises of openness in handling the health data of millions of UK citizens had not been fulfilled.
In June 2020, the UK government published the contracts it holds with the tech firms and the NHS for the creation of a COVID-19 data store, just days after the campaigners fired legal shots over a lack of transparency.
In December 2020, the NHS signed a £23m two-year contract with Palantir without scrutiny, even though the AI firm’s engagement with the UK health service was originally supposed to be a temporary emergency measure to help address the COVID-19 pandemic.
In February this year, campaigners filed for a judicial review of the UK government’s decision to award the new contract to Palantir, while separate investigations showed the American software business had been in discussions with the NHS about using the health data of UK citizens since the middle of 2019 — well before the pandemic.
In March, the government agreed not to expand Palantir’s work on the NHS data store beyond COVID-19 without notifying the public. At the same time, it agreed to engage citizens about Palantir’s role in the NHS via patient juries, apparently bowing to pressure from campaigners.
Evidence seen by The Register shows staff with NHS England share some of the campaigner’s concerns.