The NHS has extended its data platform service contract with controversial US business Palantir for another six months, costing it £11.5m – double what it previously paid the big data company.
Providing additional support from 12 December 2022 until 22 June 2023, Palantir is tasked with continuing its support of the procurement of the NHS’s Federated Data Platform (FDP). However, privacy experts are dismayed to see the company working with the national health service. The contract was procured through G-Cloud framework.
According to the Guardian, the FDP will incorporate “tens of millions” of personal digital medical records, making it one of the biggest health data platforms in the world. However, it will reportedly be launched without seeking patient consent, with ministers disclosing in November in parliamentary answers that the project doesn’t “require public consultation” before the five-year contract for the platform is tendered.
The contract announcement says that there are “a number of reasons” a new procurement process for the project has not been possible until now. No reasons are given on the notice. Tech Monitor has contacted NHS England for comment.
“A change of contractor at this stage would cause significant inconvenience and have substantial duplication of cost implications as in order to compliantly replace the contractor now would require two concurrent procurement processes to be run for the same service,” says the contract award notice. “It would therefore be both impractical and uneconomic. The total value of this modification does not exceed 50% of the original contract value.”
The previous two-year contract between Palantir and NHS England was valued at £23m, meaning the cost for six months of additional services has doubled.
Palantir’s relationship with the NHS under scrutiny
Palantir’s secretive structure and close links to the US security agencies such as the CIA have long made it a target of privacy campaigners. Its technology has been deployed by the US government in a number of controversial ways, including tracking undocumented migrant workers.
It has been involved with the UK health system since the Covid-19 pandemic, working with NHSX and NHS England on a database for organisations involved in the response to the virus.
Alongside Big Tech companies such as Amazon and Microsoft, Palantir provided its software, Palantir Foundry, to power the front end of the data platform. According to a blog published in March 2020 on behalf of the Department of Health and Social Care, the company was classified as a data processor, not a data controller, and wouldn’t be permitted to pass on or use any of the data for “any other purpose without the permission of NHS England”.
Despite this reassurance, campaign group openDemocrary launched legal action against the UK Government in February 2021, raising concerns about the database and Palantir’s involvement beyond the pandemic.
Fast forward to June 2022 and the Financial Times reported that Palantir had its sights set on the five-year contract for the proposed FDP, worth £360m. It had also hired Dr Indra Joshi, the former director of artificial intelligence for NHSX, and Harjeet Dhaliwal, deputy director of data services at NHS England and NHS Improvement, in what many see as a play to win more NHS contracts.
NHS England paying more to work with Palantir
Phil Booth, coordinator of medConfidential, told Tech Monitor that there are a number of concerns surrounding the latest contract extension award to Palantir.
“Having twice failed to issue the tender for its giant new FDP, NHS England is now paying through the nose for a six-month extension,” he explains. “Handing millions more to Palantir to buy time is bad enough, but what about the ‘mission creep’? A system that was supposed to be a Covid-19-only data store, which was set up on that sole legal basis, is now being described as the ‘same service’ as the FDP.”
The NHS has also come under fire before over deals involving patient personal data in the past. In May 2022, 13 Trusts were advised to terminate their agreements with clinical analytics provider Sensyne Health. The company was also told to return and delete all the data it held after medConfidential said supposedly “anonymised” data could be used to identify patients.