This week openDemocracy and Foxglove, a tech justice start-up, sent a legal letter demanding the UK government urgently publishes details of its controversial patient data deals with big tech companies – struck at the height of the COVID-19 crisis. If we don’t get this information, we will consider suing for publication.
Outside of the horrific death toll, perhaps the most far-reaching global consequence of the pandemic is the rapid expansion of surveillance in our daily lives. In the name of beating back the pandemic, governments around the world are giving tech giants extensive access to valuable stores of health data.
Britain is no different. On 28 March, a blog quietly appeared on the website of the cherished National Health Service. It announced what might be the largest handover of NHS patient data to private corporations in history.
US tech giants Amazon, Microsoft, and Google – plus two controversial AI films called Faculty and Palantir – are apparently assisting the NHS in tracking hospital resources and in providing a “single source of truth” about the epidemic, in order to stem its spread.
Whitehall sources have described the amounts of health data funnelled into the new datastore as “unprecedented.” Yet the government has released virtually no detail about the deals. Why?
We do know some things. Palantir, founded by Silicon Valley billionaire and close Trump ally Peter Thiel, is a data-mining firm best known for supporting the CIA’s counterinsurgency and intelligence operations in Iraq and Afghanistan.
In 2019 it was criticised for its support for US Immigration and Customs Enforcement’s brutal regime of deportations.
Palantir, founded by Silicon Valley billionaire and close Trump ally Peter Thiel, is best known for supporting the CIA’s operations in Iraq and Afghanistan.
Meanwhile Faculty, an artificial intelligence startup, is headed by Mark Warner: brother of Ben Warner who ran the data operation for the Vote Leave campaign. Faculty is reported to have won seven government contracts worth almost £1m in 18 months. Why did this firm get picked for the big NHS datastore, and what role is it playing?
No Freedom of Information
We have laws in Britain which mean journalists and members of the public can access information about such deals, so that they can answer precisely these sorts of questions. But now the UK government is acting as though these laws no longer apply.
On 3 April Foxglove submitted requests under the Freedom of Information (FOI) Act, asking for publication of the data-sharing agreements with these companies and files called ‘data protection impact assessments,’ which assess the risks to fundamental rights of such deals.
The government normally must respond to such requests within 20 working days. That deadline has now passed.
Perhaps they think the law no longer applies. On 15 April, the Information Commissioner’s Office (the public body responsible for FOI), seemingly announced that it was relaxing or allowing the suspension of FOI enforcement for the duration of the crisis.
Although the wording of the announcement was vague, it risks leaving the public with no practical way to hold the government to account – indefinitely.
This is an unacceptable carte blanche for the government and corporations to evade scrutiny on how they are monitoring our lives. And it makes it far harder to assess whether, in this massive COVID data deal, the technology works as promised, whether the public has gotten fair value for our NHS data assets – and much more.
Secret deals and public trust
The NHS stressed in its blog that “essential data governance procedures and established principles of openness and transparency remain at the core of everything we do”; that the data collected “will only be used for COVID-19”; and that “only relevant information will be collected.”
It also said that “once the public health emergency situation has ended, data will either be destroyed or returned in line with the law and the strict contractual agreements that are in place between the NHS and partners”.
The problem is, we don’t know what any of those “strict contractual agreements” are. All we do know is that these firms exist to aggregate and monetise data, and that “sources close to” the deal suggest they hope to bed down with the NHS for the long haul.
We also know that, even when data is anonymised, it can easily be re-assembled to identify people. And we know that recent government memos about the new UK coronavirus app apparently considered giving ministers power to strip people’s anonymity away “if ministers judge that to be proportionate at some stage.” Even if we’re anonymous now, will we stay that way?
There are serious questions to be asked about whether these companies have earned the public trust necessary to be working with the UK’s treasured public health service. And particularly whether they should have access to details about millions of citizens’ private lives.
What have they got to hide?
We have given the UK government until 11 May to release the information requested about these massive COVID data deals.
If they fail to do so, we will consider seeking answers in the courts. The public urgently needs to know not only how their personal information is being traded, and who has access to it. But also whether this pandemic means that our rights to ask questions, and to scrutinise the actions of our leaders, are fundamentally compromised.
COVID-19 cannot be an excuse for governments and corporations to avoid accountability. The NHS is a precious public institution. Any involvement from private companies should be open to public scrutiny and debate. And this NHS datastore deal is a critical part of our government’s strategy to tackle a deadly pandemic which has killed over 30,000 people in the UK, and more than 250,000 worldwide.
Why is there so much secrecy over the government response? What have they got to hide?