Documents obtained by openDemocracy suggest the UK government has misled the public about how it is protecting the privacy of millions of NHS users in its major Covid-19 data deals – and about how the controversial tech firms involved stand to profit in the long term.

Two weeks after the government bowed to pressure from openDemocracy and tech justice firm Foxglove to publish the contracts governing its ‘unprecedented’ deals with Google, Microsoft and AI firms Faculty and Palantir, experts have raised a number of concerns with the current terms of the deals.

They have warned that NHS users could be re-identified from their health data, that the firms could profit from the intellectual property generated from the project (despite assurances to the contrary), and that contracts pave the way for unprecedented, long-term access to the NHS by unaccountable private firms.

“The fact that Hancock’s centralised track and trace app has now collapsed shows the government's incompetence and arrogance. But the debacle, and the way they ignored all the warnings, is also revealing of their wider intent around NHS and personal data. We can’t relax - all of this is exposing the way they’ve been handing out contracts to private companies and pursuing deals that give access to both personal and NHS data,” Tony O’Sullivan, chair of Keep Our NHS Public, told openDemocracy.

The mysterious case of the re-edited blog

The project was initially described by the government as a short-term, critical part of its emergency Covid-19 response. In a blog on 28th March, the government assured the public that “all the data in the data store is anonymous, subject to strict controls” and that these controls would “ensure that individuals cannot be re-identified... [including] removing identifiers such as name and address and replacing these with a pseudonym.”

However, after openDemocracy and tech justice firm Foxglove submitted Freedom of Information requests about the deals, the blog was altered to remove these assurances, and to state simply that: “All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.”

The contracts released on 5th June, hours before openDemocracy was due to sue for their disclosure, may explain why the government quietly amended the blog. The contracts give no guarantee on anonymity, but instead talk of “pseudonymisation”. Privacy campaigners have long argued that that “pseudonymisation” does not provide anonymity, because it makes it possible to re-identify people, particularly when cross-matched with large tranches of other data. The law under GDPR now recognises this risk as well.

The contracts also reveal a lack of clarity about the ‘data controller’ for the project. This is a critical question: who is ultimately responsible for keeping the personal data of NHS users safe?

The government has claimed that NHS England is the data controller. However the contract with Palantir – a tech firm founded by a Trump-supporting billionaire and backed by the CIA – is not held by NHS England. Instead with a small NHS organisation in the East Midlands, the NHS Arden & Greater East Midlands Commissioning Support Unit. This unit housed the controversial “Strategic Projects Team” until the unit was closed down in 2016 after a string of failed NHS privatisation projects. It has since taken the lead on many other outsourcing initiatives.

Palantir has come under previous criticism for its ‘predictive policing’ spyware which has been accused of creating ‘racist feedback loops’ in some US police forces. It has also played a role in the targeting and deporting undocumented migrants in the United States.

As Cori Crider at Foxglove has said: “We know the pandemic is hitting our Black and Asian fellow citizens the hardest. Putting Palantir – a firm that runs data operations for cops and spies – at the heart of the NHS risks undermining trust in the NHS among those who need it the most.”

openDemocracy has asked the government why the guarantees about anonymity had been removed, why the blog’s revisions had not been publicly acknowledged in line with good practice, and why Palantir’s contract is held by a small and controversial commissioning unit instead of with NHS England or the Department of Health and Social Care. At time of publication, no answer had been received.

Who stands to profit?

The contracts also raise concerns that the NHS is out of its depth in negotiating, or re-negotiating, rushed contracts with tech giants. Not only is there an increased risk that private and highly sensitive data could be exposed –- particularly as restrictions on data sharing have been relaxed in response to the crisis. But the contracts also suggest that the tech firms involved could well be bigger winners than the NHS itself.

Faculty, Palantir and other tech firms were reportedly given key roles in the Covid crisis without competitive tender. In the case of Faculty, the contract released to openDemocracy indicates that their role in the Covid-19 database has been established by modifying an existing contract – one to provide an “AI Lab” for the NHS. Modifying the contract in this way is lawful, but critics say it does not allow for sufficient transparency.

Critically, the contracts also appear to show that Palantir – which is conducting this project for just £1 – will be allowed to remain owners of valuable intellectual property, developed as they train their software on unprecedented amounts of our data stored across different cloud systems. We asked the government if it had commissioned any assessment of the likely (high) value of this learning. They have not answered. We also asked Palantir to comment on this issue, and received no response.

The government has told us that, in contrast, the Faculty contract was revised, and Faculty will surrender all intellectual property to the NHS. However legal experts have raised concerns about the strength of this protection, and have requested further clarifications.

‘Bedding down’ for the long term

The government has claimed that its ‘unprecedented’ Covid-19 datastore project is a short term measure to address the urgent public health challenges caused by the pandemic. However the substance of the contracts have caused concerns that the deal ties the NHS into buying more from these organisations – or from third parties they work with, such as consultancy firms that are specifically mentioned in the documentation around this project, including Deloitte and McKinsey.

In the blog announcing the project, the government said that: “After the emergency is over, we hope to be able to use what we have learned from our technology partners to get better within the government at data collection, aggregation and analysis…data analysis will allow us to make changes to the NHS, ensuring that our hardworking health and care professionals and the people that depend on them are served by a much more efficient and responsive organisation.”

But the contracts lack any clear guarantees that the NHS will be able to use the project outcomes to conduct this sort of analysis, unless it ties itself into further contracts with the software providers or other firms that use them.

The contracts also require the firms to provide an “exit plan”. We have asked the government if such exit plans exist and to disclose them, if so. We have not received a response.

openDemocracy understands a significant number of Palantir and Faculty staff are currently embedded in NHS organisations. We asked how many. Again, we’ve had no answer.

Speaking in response to openDemocracy’s latest findings, Phil Booth, co-ordinator of medical confidentiality campaigners MedConfidential has said: “We have demanded transparency since the very outset and it is essential to public trust. Months into the pandemic with tens of millions of people’s personal data being processed we cannot even see the most basic information of the extent to which our data is being used and to what end. They ask for all our data and they’re by and large getting it, so where are the benefits?

“We need transparency about what is being done with our data and what choices people actually have.”

If you think that public interest journalism should continue demanding transparency during the COVID crisis and long after it, please consider supporting openDemocracy today.