U.K. Government Urged to Publish Details of COVID Datastore Contracts

By Robert Bateman

The U.K.’s National Health Service (NHS) is creating a “COVID-19 datastore” with the help of tech firms such as Google, Microsoft and Amazon, and the Silicon Valley artificial intelligence company Palantir.

In a March blog post detailing the project, Matt Gould, chief executive of government unit NHSX, said the goal was to provide “secure, reliable and timely data — in a way that protects the privacy of our citizens — in order to make informed, effective decisions.”

But privacy experts and lawyers told Digital Privacy News that the U.K. government is handing over patient data without sufficient consultation or transparency.

“At the moment, we’re seeing sensitive health data on millions of people passed with virtually no debate to some of the world’s most powerful tech companies,” said Cori Crider, director of Foxglove, a U.K. legal startup.

“Some of these companies, like Palantir, have troubling histories of involvement with rights abuses,” Crider said.

Palantir, based in Palo Alto, Calif., has provided case-management software for U.S. Immigration and Customs Enforcement (ICE).

The datastore will combine datasets from across the U.K.’s health services, providing information on hospital occupancy rates, emergency room waiting times and lengths of stay of COVID-19 patients. 

In April, Foxglove and other organizations approached Palantir seeking more information on its NHS contract, including whether it had carried out a “data-protection impact assessment” to assess the privacy implications.

Such an evaluation is required by U.K. law.

However, Palantir’s response, published last month by Foxglove’s collaborator on the issue, Privacy International, said:

“We would refer you to the data controller, the NHS, to answer this question. It is for the data controller… to carry out a data-protection impact assessment.” 

Foxglove also approached the NHS, which replied that it could not respond within the normal time-frames due to “commercial interests,” according to a blog post on Foxglove’s website.

“To build trust, the government ought to publish these data deals immediately,” Crider said.

The NHS also did not immediately respond to a request for comment from Digital Privacy News.

How Will Data Be Used?

Anouk Ruhaak, Mozilla fellow and a U.K.-based data-governance expert, shared Crider’s concerns.

Ruhaak published an open letter last month urging the government to provide more information about its datastore contracts.

“We need to be able to hold (these companies) accountable, which right now is impossible because we just don’t know what’s going on,” Ruhaak told Digital Privacy News. “How is the data going to be used? What kind of decisions are going to be based on this data?”

Ruhaak said she was concerned about the creation of so-called “immunity passports,” which could restrict the activities of people who have not yet been exposed to COVID-19, or the use of the data for commercial or surveillance purposes. 

There is no suggestion that patient data would be used in this way — but also no assurances that it would not. “Without any impact assessment, it’s really hard to say,” Ruhaak said.

A signatory of Ruhaak’s communication was Arne Hintz, founder of the Data Justice Lab research unit at Cardiff University in Wales.

Hintz said the datastore deals represented the “handover of state functions and assets on a massive scale,” a trend exacerbated by the COVID-19 pandemic.

“The Palantir deal and similar deals are just a small part of this trend, but it is particularly significant as it concerns some of the most sensitive aspects of our lives,” Hintz told Digital Privacy News.

“The power relations between citizens and the state (as well as large tech companies) are, therefore, shifting towards the latter.

“The Palantir deal signals that protecting citizens’ health data,” he argued, “is not a major concern of this government.”

Robert Bateman is a writer in Brighton, U.K.
