NHS England has given external staff at companies, including Palantir, unlimited access to identifiable patient data while working on some modules of its flagship data platform. An internal briefing shows that the access concerns the National Data Integration Tenant (NDIT), a module defined as a "data haven" that holds data before it is "pseudonymized" and transferred to other systems.

The NDIT is part of the Federated Data Platform (FDP). The FDP aims to integrate the NHS's scattered data into a unified system; in 2023, Palantir won a contract worth 330 million pounds to build the platform.

Under the plan, NHS England agreed to create an "administrator" role. The briefing acknowledges that this role "allows non-NHS England staff to have unrestricted access to the NDIT and the identifiable patient information it stores".

In addition to Palantir employees, employees of consulting firms involved in FDP projects may also receive such access.

The move is a significant departure from current practice: previously, anyone who needed access to the NDIT had to apply for explicit data access permissions for specific data sets.

The briefing note, written by senior NHS data officers in April, acknowledged that granting greater permissions could lead to a loss of public confidence in "patient data protection, appropriate data use and access controls".

Initially, full access will only be available to internal NHS England staff who have passed security clearance. But the briefing noted that external employees also requested the same permissions because "it would be too cumbersome to apply for each of the necessary independent data access authorizations (CDAs) one by one."

The briefing adds: "This issue does not only involve Palantir, so we refer to it as 'non-NHS England staff'. However, there is currently heightened public concern and concern about the extent of access to patient data by Palantir and its employees."

The briefing suggests that a cap should be set on the number of external administrators who can access the NDIT, and that permissions need to be valid for a limited time and reviewed regularly.

Officials confirmed that the proposal had been approved recently, but emphasized that such permissions would only be granted to a very small number of non-NHS employees.

Martin Wrigley, a Liberal Democratic Party member of the House of Commons Technology Committee, said: "This careless attitude towards data security shows that the entire FDP project has not been designed with security at its core. The public has reason to worry that data privacy is not regarded as a primary consideration."

NHS England has promised to fulfill five "data commitments", including disclosing who has accessed data and what they accessed.

"Knowing exactly who has accessed what identifiable patient data at any time is a core priority," the briefing note warns in relation to that commitment. "The more open access is, the harder it is to achieve this goal."

A spokesman for NHS England responded: "NHS has established strict patient data access management policies and conducts regular audits to ensure compliance - including supervising the work of engineers who help build a central data collection platform. This platform is used to track NHS operational performance and optimize patient diagnosis and treatment services. All external access personnel must pass government security reviews and be approved by NHS England directors and above."

Palantir's involvement in building the FDP has become increasingly controversial because of the company's long-standing work in U.S. defense and immigration law enforcement.

Its co-founder and CEO Alex Karp is a public supporter of Donald Trump; some NHS staff have refused to participate in the FDP project due to ethical concerns about the company.

Supporters of the FDP praise its ability to integrate operational data such as waiting lists and operating room schedules to help improve patient diagnosis and treatment.

A spokesperson for Palantir said: "According to legal provisions, we are only a 'data processor' for the NHS and all customers, and customers are 'data controllers'. This means that Palantir software can only process data strictly in accordance with customer instructions. Unauthorized use of data is not only illegal, but also technically impossible - because the NHS has implemented refined access control."