UK citizens need to be “educated” on how and when the NHS shares their data with third parties, ministers said this week. The comments from two members of the government came hours before it was revealed controversial big data company Palantir is planning to expand its reach into the health service in Britain.
Privacy experts say the onus should be on NHS England, not patients themselves, to ensure data is protected.
During the hearing yesterday, data and digital infrastructure minister Julia Lopez and Lord Kamall, technology and innovation minister at the Department of Health and Social Care (DHSC), argued that patients don’t know enough about data sharing, using an example from the National Data Opt Out.
The committee meeting on Tuesday heard evidence from academics, policymakers and ministers regarding the government’s proposals to share NHS health data for research and innovation, as well as upcoming changes to data protection legislation, which are likely to stem from the government replacing the EU’s GDPR with its own data reform bill.
This morning it was revealed Palantir is working to “expand its reach” into the NHS. Its platform lets users access, analyse and link together databases, imagery and various other forms of data and has been deployed by banks, as well as by US police forces and the US immigration service. The Financial Times reported that Palantir will bid for a five-year £360m contract for the proposed Federated Data Platform (FDP), which will be a new data tool to connect and integrate patient data from across the system for real-time decision making.
However, data privacy experts have said that patients have every right to access and choose who can access their data and that while Palantir comes with a “toxic reputation”, it’ll be up to NHS England to ensure patients’ data is protected.
What do government ministers think about NHS data sharing?
Lord Kamall told the committee that patients often don’t understand how their data is used by the NHS. “I was talking to a doctor the other day and she said she’d asked one of her patients why they’d opted out,” he explained. “They said, ‘Oh, because I didn’t want my data shared with Facebook.’”
The minister commented that the data would never be shared with Facebook. “I don’t mean to be patronising, but we have to educate the public about all the data we use,” he continued. He went on to say that sometimes data from patients would be used in large data sets and be anonymised.
The point was reiterated by Lopez later in the session, who said: “I was struck by a particular example earlier on where somebody opted out of GP patient records because they didn’t want Facebook to have their data.” She told the committee that this example was an “item of evidence that suggests that the public needs to be better educated.”
Does the public need educating about NHS data sharing?
The comments from the ministers appear to reflect that the government is blaming patients for their own failings when it comes to understanding data sharing, says Phil Booth, coordinator at medConfidential, a non-profit organisation that advocates for ethical data sharing within healthcare.
“Patients should have access to complete and accurate information on how their data is used, and the Department of Health Minister seemed to agree,” Booth says. “It’s typical of this government that the DCMS minister blames patients because her government failed to tell anyone about their plans.”
He also explains that it’s not enough for the government or the NHS just to say that patient data isn’t being shared with tech giants such as Facebook; they have to show it.
“People have misconceptions around data – both ministers and patients alike – and more and better education is always good,” he told Tech Monitor. “But you don’t have to just tell people that Facebook isn’t getting their data, and hope they trust what you’ve told them, if you show them how their data is actually being used. And by who.”
On a practical level, Booth says that if ministers want to make sure that no data about NHS patients makes it to Facebook, they should tell the NHS to “ban all advertising IDs in every app that the NHS recommends” as this data can be utilised by tech companies.
“Facebook might not get access to their GP record, but it can and does derive a lot of information from people’s use of apps,” he adds.
How does the NHS share data with tech companies?
The NHS has created contracts with companies such as Google DeepMind and Palantir in the past, some of which have resulted in legal action. In 2016, DeepMind was found to have been passed data on more than one million patient records without their consent, as part of an app development project by Royal Free NHS Trust in London. Google is now facing a class-action style lawsuit in relation to this, having been found by the Information Commissioner’s Office in 2017 to have breached data protection law.
Other organisations such as GlaxoSmithKline (GSK) and Imperial College London were found to have carried out “high risk” breaches, according to NHS Digital audits examined by The British Medical Journal; however, they have avoided being punished.
Is Palantir a concern for the NHS?
Palantir, which has received funding from the CIA, has courted controversy over the way its technology has been used by the US government as part of law enforcement operations. Digital privacy expert Ray Walsh, from ProPrivacy, says his organisation has great concerns over how the NHS and Palantir will share NHS data. The company has been working with the NHS since the Covid-19 pandemic.
“Palantir is a controversial CIA-backed spy tech business, and its potential access to NHS patient data raises severe concerns due to the way it can potentially be leveraged for surveillance purposes,” he explains. “Ever since Palantir was drafted in at great expense to help with the pandemic we have had grave concerns over how the company intends to use the data it is provided with to create secondary revenue streams.”
He says that the company is now employing senior NHS officials within its ranks to secure the FDP contract win. “Palantir’s growing foothold over these NHS contracts lacks transparency, meaning that it remains unclear how this profoundly unsettling surveillance tech company may stand to profit from the UK’s health data,” he says. “Combine this with the way in which Palantir has courted the UK government and poached NHS top brass, which has been both secretive and underhanded, and raises severe concerns over public trust in the NHS.”
Walsh adds: “The monumental deals that this American spy tech company now seems like a shoo-in to win have been made without due oversight and without the detailed data protection impact assessments we would expect. As a result, there is no concrete way to know just how deeply British patients will be affected by Palantir’s position within the UK’s health service.”