Exclusive: NHS hospitals told to share patient data with US ‘spy-tech’ firm
Palantir, whose owner claimed the NHS ‘makes people sick’, will ‘collect and process confidential patient information’
Hundreds of NHS hospitals have been ordered to share people’s confidential medical records with an American spy-tech company owned by a billionaire Trump donor, openDemocracy can reveal.
Palantir Technologies – the secretive Silicon Valley firm first funded by the CIA – will collect patient information from all hospitals in England, according to internal NHS documents.
In a letter sent last month, the health service finance chief Julian Kelly gave NHS trusts until the end of March to begin uploading patient information to a new central database that uses Palantir’s Foundry software.
The instruction came despite a government pledge, made after openDemocracy sued the Department of Health and Social Care in 2021, to consult the public before agreeing to work with Palantir again.
Help us uncover the truth about Covid-19
The Covid-19 public inquiry is a historic chance to find out what really happened.
The new database, called ‘Faster Data Flows’, collects daily information about hospital patients – including their dates of birth, postcodes and detailed medical histories – that was previously held by individual trusts and shared less frequently.
NHS England told openDemocracy it would alter or remove identifiable personal information before it was passed to Palantir – a process referred to by the health service as “pseudonymisation”. Palantir also insisted that it does not have access to any “identifiable medical records”.
But an NHS document obtained by openDemocracy admits that the company will “collect and process confidential patient information”. It is not clear what, precisely, this processing entails.
Lawyers for three patient advocacy groups said that NHS England had not addressed vital legal and privacy concerns. “Slapping a sticker over your NHS number doesn’t suddenly mean your health record needs no protection,” said Cori Crider, a lawyer at Foxglove Legal. “People are very easy to re-identify from pseudonymised data.”
The news also raises fresh concerns that Palantir is being lined up to win a contentious £480m contract to process unprecedented amounts of NHS data without patient consent.
Palantir was originally funded by the CIA and has been heavily criticised for producing surveillance tech for police forces that allegedly creates “racist feedback loops” and has helped the US government to track and deport undocumented migrants.
The company’s founder, Peter Thiel, donated $1.25m to Donald Trump’s election campaign. Earlier this year he said the NHS “makes people sick” and claimed British affection for the health service was akin to “Stockholm syndrome”.
Tory MP David Davis told openDemocracy he was concerned “by the NHS appearing to be favouring an organisation with the provenance of Palantir”.
“NHS England should not be attempting to do this without explicit approval from Parliament,” he said, calling on the health secretary Steve Barclay to “explain himself” to MPs “before further action is taken”.
The pilot to trial Faster Data Flows to “support decision making” by doctors was launched in June 2022, with 21 “early adopters” joining.
The information it captured – including “admission, inpatient, discharge and outpatient activity” as well as personal details – was uploaded daily to a central portal built by Palantir. Palantir itself was described in pilot documents as a “sub-processor” of the data, which is a legal term given to a third party that has permission to process information gathered by others.
NHS execs knew their work with Palantir carried a “reputational risk”. The pilot documents state: “The use of Palantir to collect and process data… is likely to be perceived by some privacy campaigners as contentious and therefore there is a relatively high risk of media coverage and adverse comment about this”.
In November, lawyers working for Foxglove wrote to NHS England on behalf of the National Pensioners’ Convention, Just Treatment and the Doctors Association UK, to raise concerns about the sharing of pseudonymised data.
The lawyers questioned whether consent requirements – which are needed to process pseudonymised data – had been violated, and what safeguards, if any, had been put in place to protect patient privacy.
NHS England has still not sent a substantive reply after more than three months but has now instructed all trusts to implement Faster Data Flows.
Palantir is considered a “strong frontrunner” for a controversial new IT contract worth £480m to build a database that is expected to include all health information currently held by the NHS, including GP and social care records.
There are concerns that the rollout of Palantir’s Foundry to hospitals now – during the tendering process – may provide the tech firm with an incumbent advantage.
“Every trust in England will be forced to integrate Foundry into their workflows,” said GP IT consultant and clinical informatics expert Marcus Baw. “This means there has already been significant taxpayer investment in using Foundry.
“Trusts are busy, with limited IT team capacity, so they cannot afford to redo work. To me this means that the system will already have significant momentum towards Palantir and Foundry.”
A Department for Health and Social Care minister stated last month that whoever wins the contract will need to migrate data from Foundry into the new FDP system.
Labour MP Clive Lewis told openDemocracy that “the bid looks rigged… politicians of all parties should be screaming to the rafters about this”.
Palantir was first given an NHS contract in 2020 – without tender – to help manage the Covid-19 vaccine rollout while Matt Hancock was health secretary. Hancock used special ministerial powers to bypass patient confidentiality rules and allow the company to process patient data.
It won a further contract that was neither published nor tendered for – leading openDemocracy to sue the DHSC. After this legal action, the government released its contracts with Palantir and promised to consult the public before making further deals.
But our leaked documents reveal that NHS bosses have now ordered a rollout of Palantir software to hospitals across England, in a seeming breach of that promise.
The firm has also exploited a weakly regulated ‘revolving door’ in the NHS – poaching at least three former NHS data experts – as it chases the “must-win” contract. One of its recent hires, Indra Joshi, served as head of artificial intelligence for the NHS and helped launch the Covid-19 datastore – the first NHS project to use Foundry – before quitting the health service and joining Palantir in April 2022.
Harjeet Dhaliwal, who was previously deputy director of data services at NHS England, joined the firm later that same year.
The two ex-NHS staffers joined Paul Howells at Palantir, the company’s “health and care director”, who previously led a national data programme for NHS Wales.
Palantir did not respond to questions about whether the trio now work on NHS-related projects.
Palantir has lobbied the government extensively, famously entertaining the NHS executive Lord Prior with watermelon cocktails. The company also considered a contentious strategy described as ‘Buying Our Way In’. Emails sent by Louis Mosley, Palantir’s UK chief, said the company would try “hoovering up” smaller businesses with NHS contracts to “take a lot of ground and take down a lot of political resistance”, according to Bloomberg News.
NHS England did not respond to openDemocracy’s questions about whether the processing of patient data on Palantir’s Foundry platform was lawful.
A spokesperson said: “By collecting data in a more streamlined way, the NHS is better able to plan and allocate resources to maximise outcomes for patients, while ensuring that their personal data remains protected and within the NHS at all times.
“Ultimately, it will help all NHS organisations to better understand their waiting lists and pressures in near real time, work as systems, and significantly reduce the burden of manual reporting on staff.”
A Palantir Spokesperson said: “Any claim that Palantir has access to identifiable medical records through the Faster Data Flow programme is false – not a single Palantir employee does.
“We have simply built software that is being used to make a programme that already existed work faster – much like our software has been used during Covid to deliver the vaccine rollout and, subsequently, to cut waiting lists and speed up cancer diagnosis.”
We’ve got a newsletter for everyone
Get our weekly email
CommentsWe encourage anyone to comment, please consult the oD commenting guidelines if you have any questions.