Palantir’s access to identifiable NHS England patient data is ‘dangerous’, MPs say

MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised.England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Financial Times reported.The health service made the move to allow Palantir to access the data in recent weeks according to the reports, which revealed an internal NHS briefing that said it would allow “unlimited access to non-NHSE staff” to part of the NHS’s federated data platform (FDP), which holds identifiable patient information.Palantir, which also supports Donald Trump’s ICE immigration crackdown and the Israeli, US and UK militaries, was awarded a £330m contract to help build the FDP, installing AI systems to integrate scattered health datasets and bring efficiencies to medical treatment. But the deal has been dogged by warnings from campaigners and MPs concerned about the security of patient records.The Patients Association said it was concerned patients were not consulted on a significant change to who has unlimited access to patient data. Rachel Power, its chief executive, said patients wanted “transparency, clear boundaries around access to their data, and to be consulted when changes to those agreements are proposed”.The leaked England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England briefing acknowledged the “considerable public interest and concern about how much access to patient data Palantir/Palantir staff have”. In 2023, shortly after the deal was agreed, England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England said it would ensure “personal data remains protected and within the NHS at all times”.England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England stressed external consultants requiring data access must have government security clearance and that it had “strict policies in place for managing access to patient data”. With hundreds of different datasets in the FDP system, it was becoming time-consuming for contractors, including Palantir engineers, to apply for individual permissions. Instances when they did see identifiable patient data while working on the system’s “pipelines” were logged. They did not have permission to remove the data from the NHS, Palantir said.Rachael Maskell, the Labour MP for York Central, asked the government ‘to get a grip on this project before it is too late’. Photograph: Richard Saker/The GuardianBut the MP Rachael Maskell, a former NHS worker who is calling for the Palantir project to be stopped, said: “As Palantir get their claws deeper into our NHS data we can see how it is opening it up to greater private interest. This is a dangerous development and I ask the government to get a grip on this project before it is too late.”Palantir said it was a “data processor” and not a “data controller”, meaning its software could only be used to process data precisely in line with customer instructions. “Using the data for anything else would not only be illegal but technically impossible due to granular access controls overseen by the NHS,” it said.Martin Wrigley, a Liberal Democrat member of the Commons technology select committee, said of the NHS move: “This somewhat cavalier attitude to data security demonstrated how this whole project does not have security by design at its heart. The public will be rightfully concerned that data privacy is not the first concern.”Palantir is facing opposition to its widening role in the UK public sector. Last month the Guardian revealed the company was closing in on a deal to widen its work with the Metropolitan police to use AI to analyse intelligence in criminal investigations, while hundreds of thousands of citizens and numerous backbench MPs oppose its role.Polling last week showed more than two-thirds of the UK public are concerned at Palantir’s growing number of public contracts and 40% distrust it to not access NHS patient data, despite the company repeatedly saying it cannot and will not do so.Tom Hegarty, the head of communications at Foxglove, a tech equity campaign group, said: “NHS patients never consented to have their data accessed by a company like Palantir whose record is in targeting people, not caring for them … Once again: Palantir fails the trust test. The government should … cut Palantir out of our NHS once and for all.”England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England said access would be given to a small number of people working on the new data collection platform.A spokesperson said: “The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance – including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients.“Anyone external requiring access must have government security clearance and be approved by a member of England" class="entity-link entity-organization" data-entity-id="722" data-entity-type="organization">NHS England staff at director level or above.”