MPs have warned the NHS decision to widen Palantir data access is dangerous and could deepen public fears that patient privacy is not being prioritised.
NHS England has allowed staff from the US technology firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, according to reports.
Pseudonymised data is information where details that directly identify a person, such as their name or NHS number, are replaced or masked.
The Financial Times reported that the move was made in recent weeks and that an internal NHS briefing said it would allow “unlimited access to non-NHSE staff” to part of the NHS’s federated data platform, which holds identifiable patient information.
The federated data platform is a system designed to bring together health datasets from across the NHS to support planning, treatment and service improvements.
Tom Hegarty, head of communications at tech equity campaign group Foxglove, said: “NHS patients never consented to have their data accessed by a company like Palantir whose record is in targeting people, not caring for them.
“Once again: Palantir fails the trust test. The government should cut Palantir out of our NHS once and for all.”
Palantir, which also supports Donald Trump’s ICE immigration crackdown and the Israeli, US and UK militaries, was awarded a £330m contract to help build the platform, installing AI systems to integrate scattered health datasets and bring efficiencies to medical treatment.
The deal has faced criticism from campaigners and MPs over the security and governance of patient records.
The Patients Association said it was concerned that patients had not been consulted on a significant change to who has unlimited access to patient data.
Rachel Power, chief executive of the Patients Association, said patients wanted “transparency, clear boundaries around access to their data, and to be consulted when changes to those agreements are proposed”.
The leaked NHS England briefing acknowledged the “considerable public interest and concern about how much access to patient data Palantir/Palantir staff have”.
In 2023, shortly after the deal was agreed, NHS England said it would ensure “personal data remains protected and within the NHS at all times”.
NHS England said external consultants requiring data access must have government security clearance and that it had “strict policies in place for managing access to patient data”.
The health service said the platform contains hundreds of different datasets, making it time-consuming for contractors, including Palantir engineers, to apply for individual permissions.
Instances where contractors see identifiable patient data while working on the system’s data “pipelines” are logged, according to the reports.
Data pipelines are the technical processes used to move, clean and organise data so it can be used by a system.
Palantir said contractors do not have permission to remove the data from the NHS.
Rachael Maskell, Labour MP for York Central and a former NHS worker, has called for the Palantir project to be stopped.
She said: “As Palantir get their claws deeper into our NHS data we can see how it is opening it up to greater private interest.
“This is a dangerous development and I ask the government to get a grip on this project before it is too late.”
Palantir said it was a “data processor” and not a “data controller”, meaning its software can only process data precisely in line with customer instructions.
The company said: “Using the data for anything else would not only be illegal but technically impossible due to granular access controls overseen by the NHS.”
Martin Wrigley, a Liberal Democrat member of the Commons technology select committee, criticised the NHS move.
He said: “This somewhat cavalier attitude to data security demonstrated how this whole project does not have security by design at its heart.
“The public will be rightfully concerned that data privacy is not the first concern.”
Palantir is facing opposition to its widening role in the UK public sector.
The Guardian reported last month that the company was closing in on a deal to widen its work with the Metropolitan Police to use AI to analyse intelligence in criminal investigations, while hundreds of thousands of citizens and numerous backbench MPs oppose its role.
Polling reported last week found that more than two-thirds of the UK public are concerned about Palantir’s growing number of public contracts, while 40 per cent distrust it not to access NHS patient data.
Palantir has repeatedly said it cannot and will not access NHS patient data for its own purposes.
NHS England said access would be given to a small number of people working on the new data collection platform.
A spokesperson said: “The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance, including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients.
“Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.”
Royal Cornwall Hospitals NHS Trust launches major new programme for preventive care
