Privacy International to Palantir: We are watching you

Privacy International expresses a qualified welcome for Palantir’s responses to questions about its data integration role in the NHS Covid-19 data store, but continues to raise concerns

Civil liberties campaigning group Privacy International continues to question the role of Silicon Valley data mining company Palantir in the NHS’s Covid-19 data management and analysis programme.

Palantir in the UK is building the front-end data integration platform to a data store specific to the current pandemic, using its Foundry software.

NHSX and NHS England Improvement reported at the end of March that they had engaged Palantir alongside Microsoft, Google and London-based AI firm Faculty to build an ad-hoc data store to “provide those national organisations responsible for coordinating the response [to the Covid-19 pandemic] with secure, reliable and timely data – in a way that protects the privacy of our citizens”.

Last week Privacy International, Big Brother Watch, medConfidential, Foxglove, and Open Rights Group sent Palantir ten questions about its work with the NHS.

According to Privacy International, Palantir has responded to the questions, but in a way that, though welcome in some respects, “fails to clarify the extent of the project and what protections exist”.

It is therefore calling on the Health Secretary Matt Hancock to “release any impact assessment and agreements in place to enable public trust and verification”.

Palantir’s response to the four civil liberties campaigning groups states that the questions betray a misunderstanding of “the nature of our software and our role as a data processor for the NHS”.

Palantir points out that: “Under the GDPR and other relevant law, Palantir UK is a data processor: an organisation that processes data on behalf of a data controller according to their instructions. It is the data controller – in this case the NHS – that determines the manner in which data is processed, the purposes that this processing serves, and how this processing must adhere to legal frameworks.”

In answer to Privacy International’s question: “How have you ensured that the NHS will be able to maintain the insights/data analysis obtained after this contract is completed?” Palantir’s response was: “Under the terms of our contracts, customers retain full ownership and control over their data, analysis, and work products. The Palantir Foundry platform stores data in standard, nonproprietary data formats and customers can readily export or migrate their data, as their own security policies and protocols permit. Palantir Foundry supports interoperability, using open APIs to enable integration with other systems.”

And in answer to the question “will Palantir retain the NHS data analysis or insights gleaned from this contract once this exercise is over?” the data management and analytics supplier said:

“No. As documented in the project’s announcement, the NHS retains full ownership of NHS data and any analysis derived from this data. To use an analogy: Foundry is to NHS data what spreadsheet software is to the contents of a spreadsheet. Just as the author of a spreadsheet can – whenever they desire – export its contents to another spreadsheet software, the NHS, as the data controller, can – without hindrance – export its data from Foundry into other data management software.”

Privacy International characterises Palantir’s response as, in significant part, buck-passing to the NHS: “They do not clarify whether the company would obtain access to any sensitive health data held by the NHS such as patient records. Instead, they direct us to the NHS to answer this question.”

The privacy campaigners also find fault with the principle of data anonymisation applied within the Covid-19 data store project, arguing that de-anonymisation has been proven to often be possible. They also regard as evasive Palantir’s response to a question about which other countries its software is being used in with respect to Covid-19.

They conclude by warning the US-based company that their watch will continue: “Palantir’s welcome assurances must be verified via the company and the government once the pandemic is over. This is the only way we can achieve proper oversight, ensure respect for sensitive patient data and strongly reject any actor that seeks to turn a public health crisis into an opportunistic power grab. In the meantime, we will keep watching them closely.”
