Big technology companies could use the coronavirus pandemic to gain a foothold in the UK’s health service, the Bureau of Investigative Journalism has learnt.
A number of companies will get unprecedented access to confidential patient data, such as test results and NHS 111 calls, after winning deals with the NHS to help tackle the coronavirus pandemic. NHS X, the health service’s digital arm, insists that the access will be time-limited, subject to data protection rules and only for very specific purposes. But critics complain about a lack of transparency in awarding the deals and that once the health crisis is over, this could place the companies at a commercial advantage.
Privacy campaigners are especially concerned that the crisis must not lead to a data “free-for-all” in response to a relaxation of rules that now permits the NHS to pass patient information onto private companies specifically working on projects tackling the pandemic.
One of the NHS partnerships is with the controversial data-mining company Palantir, which has been commissioned to create a data store for logistical planning during the pandemic.
Together with Amazon, Microsoft, Google and London-based Faculty AI, Palantir will use data, such as hospital occupancy levels, A&E capacity and the length of stay of Covid-19 patients, to predict where resources such as beds and ventilators will be in greatest demand.
Previously, Palantir has been accused of having its data-mining technology used for questionable purposes. Examples include a system used by the US Immigration and Customs Enforcement to separate immigrant families and the use of its software in predictive policing tools by the Los Angeles Police Department. In 2018, Palantir admitted that an employee had helped Cambridge Analytica build its data-harvesting app in 2013-14, although it maintains that this was in a “personal capacity”.
Critics have also expressed concerns about Palantir’s founder and major shareholder, Peter Thiel. Thiel, who helped fund the election of Donald Trump and bankrolled a lawsuit that took down the blog network Gawker, once said that he “no longer believes that freedom and democracy are compatible”.
This latest project raises a number of questions about access to personal data. In a blog post on the gov.uk site, the Department of Health and Social Care stated that all the data in the store is anonymous, with controls “that include removing identifiers such as name and address and replacing these with a pseudonym”.
But Yves-Alexandre de Montjoye, head of the computational privacy group at Imperial College London, said that if a third party is given access to the data, it may potentially identify people, adding that all that legal and technical controls do is limit the risk. (The NHS post has since been edited and no longer contains mention of anonymisation or pseudonymisation.)
The wording of the blog post “seems to suggest that some of the data relates to patients,” he added. But, he conceded that, beyond a reference to “statistics about the lengths of stay for Covid-19 patients”, it is unclear what other data is being used.
He judged that the only aspect of the project that will not include any form of potentially “identifiable patient data” is that managed by Google. Consequently, the tech giant’s involvement in this particular project has not raised special concerns for privacy campaigners, despite its track record in the health data space. The Google subsidiary Deepmind courted controversy with a data-sharing agreement with London’s Royal Free Hospital, which involved 1.6 million patient records. The Information Commissioner’s Office later found that the deal breached the Data Protection Act. The company was not fined.
More recently, Google came under fire after the Wall Street Journal revealed that the company was working on Project Nightingale – an initiative to collect and analyse the personal health information of millions of US citizens. A federal inquiry was launched following reports of the deal.
Under a recent relaxation of data-sharing restrictions, private companies can now be granted access to NHS patient data for valid Covid-19 purposes. The data-sharing powers will last until September.
Previously confidential NHS data could not be put under the control of anyone who was not a healthcare professional without a legal basis.
Doubts are growing about what happens once the coronavirus crisis is over. One insider told the Bureau: “I can understand why they are using Palantir, it has incredible software.” But they said they were concerned that the company was not known for being the most open and added: “I’d like to see it build a parallel system – so [the Palantir system] can get switched off when it is not needed anymore.” A second insider said that the deal could lead to supplier lock-in. “It’s an opportunity for Palantir to highlight how wonderful they are [while] getting the opportunity to build up knowledge."
Natalie Banner, lead on the Understanding Patient Data programme at the medical research charity Wellcome, said that the public do not object to private companies working with the health service as long as benefits to patients and the NHS are clearly prioritised. “The NHS can benefit from the capacity and technical expertise of technology companies, for example to build the data store,” she said.
Crucially, technology companies that work with the NHS during this crisis will develop a better understanding of the UK’s health data infrastructure, “which could give them an advantage in future discussions about providing services to the NHS”.
Rachel Coldicutt, former chief executive of the technology ethics think tank Doteveryone, said that: “Public services, funded by public money, must be open to public scrutiny – especially in times of great upheaval when lots of decisions are being made very quickly.
“Publishing the specification that Palantir is working to and appointing an emergency governance committee to give external oversight would help maintain trust in this volatile period.”
Palantir did not respond to a request for comment.
On 12 April, the health secretary Matt Hancock announced that the government is trialling a contact-tracking app, which will send anonymous alerts to people who have come into proximity with someone who has tested positive for Covid-19. He said that the NHS is working closely with the world’s “leading tech companies” and experts in digital ethics and will publish the app’s source code as part of its “commitment to transparency”.
However, Sky reported that one source who had witnessed work on the app had raised concerns to it anonymously that in their view the early phase of development had overall been a “hot mess” run by “a hodgepodge of suppliers and contractors” with “no clear voices in the room speaking to the privacy implications of the technology they were using”.
In recent weeks, app development has been taken over by Pivotal, a subsidiary of the American software giant VMware.
Phil Booth, of the patient data campaign group MedConfidential, has expressed concern about the involvement of a private cloud services company. He believes that the NHS should publish the contracts for all the initiatives that it is rolling out.
“[The NHS] is being given extraordinary leeway in a crisis – to do something it has been trying, and failing, to do for years in normal circumstances. If it wants to retain even a semblance of public trust, it must be fully transparent; we’re not asking to see any data, but rather what it is doing or intends to do with it.
“In a public health crisis, no one is going to complain that the NHS has pulled things together in a hurry,” he said. But, he added, all the normal rules around procurement and transparency have been “thrown out the window”.
“It’s not just the data [that the NHS] must delete when the emergency is over,” he said. “It’s the cobbled together system itself.” To manage things such as seasonal flu, for example, tools must be commissioned “properly from the ground up, following all the correct rules and procedures”.
According to Wired, some 40 tech companies were present at a meeting with No 10 advisor Dominic Cummings in Downing Street on 12 March. Among their ranks were said to be several who have got the Covid-related health contracts, as well as the AI start-up Babylon Health. The Bureau previously revealed Cummings had done some consultancy work for Babylon the year before he came into government, and Matt Hancock has recently been an enthusiast for Babylon’s GP at Hand app.
A spokesman for NHS X said that the decision to partner with Palantir and Faculty AI was made in accordance with proper processes. He told the Bureau that data protection impact assessments – designed to identify and minimise data protection risks – have been completed for all data required to support Covid-19 analysis.
“‘Strict data protection rules apply to everyone involved in helping in this critical task. The companies do not control the data and are not permitted to use or share it for their own purposes.
“At the end of the coronavirus public health emergency their work will either be deleted or returned to the NHS.”
NHS X did not respond to a request for more detail about the process of awarding these deals, the financial terms of the contracts and when the project specifications will be published in full.
Main image: BSIP/UIG via Getty Images
Our reporting on coronavirus is part of our Global Health project, which has a number of funders including the Bill and Melinda Gates Foundation. Our reporting on Decision Machines is funded by Open Society Foundations. None of our funders have any influence over the Bureau’s editorial decisions or output.
[Comment awaiting moderation]