Lambert here: That’s nice. I guess American consulting and IT firms will be doing for the UK what they have already done for the US.
By Mary Fitzgerald, openDemocracy’s Editor in Chief, and Cori Crider, a US lawyer and a founding Director of Foxglove, a new non-profit that exists to make tech fair. Originally published at OpenDemocracy.
They claimed it was a short-term, ‘emergency’ response to the COVID crisis. In March, the UK government announced a massive NHS data deal with private tech firms. Experts warned it could involve an ‘unprecedented’ transfer of citizens’ private health information to controversial private firms like Palantir: a secretive artificial intelligence outfit founded by a Trump-backing billionaire.
During months of ensuing legal correspondence, the government assured us that this ‘COVID datastore’ would be unwound at the end of the pandemic and the data destroyed. They also assured us that any extension would go out to public tender, in which taxpayers could see and debate the issues at stake.
All of that has now turned out to be false. Today we can reveal that, right as health secretary Matt Hancock was heralding the new vaccine and telling Britons life would be getting “back to normal” by Easter, his government was quietly sealing a lucrative deal with Palantir, worth up to £23 million, to run its massive health datastore for two years. The contract, awarded on 11 December, paves the way for Palantir to play a major, long-term role in the NHS beyond COVID – now, even by the government’s own admission.
It’s still not clear what precisely Palantir has been given access to: the list of NHS datasets that the firm will draw on has been redacted from the contract. What is clear, though, is that the government deliberately struck this deal on the quiet – knowing it would be controversial.
Public Trust
Palantir has built software accused of fuelling racist feedback loops in the hands of the Los Angeles police, and has come under fire from its own staff over its role in the US Immigration and Customs Enforcement (ICE) agency’s brutal policy of family separations.
Palantir says its software is being used to “provide secure, reliable, and timely processing of data – while protecting the privacy of data subjects – to enable NHS decision makers to make informed, effective, and responsible public health decisions”.
But serious questions remain about whether the firm has earned the public’s trust, and is a fit and proper partner to be handling the sensitive personal health information of millions of NHS users across England. How should, say, Black or Muslim NHS users feel about their health data going to a company with a long track record of work with the CIA, the US Department of Defense and the LA police?
We’ve been asking the government questions in letters for months. We’ve asked them, repeatedly, what the long-term plans for the datastore are. Whether the companies involved stand to profit from this crisis. And how our personal health information is being used, traded and protected. These are critical questions which affect millions of people across the country. And yet the answers we’ve received have been partial, misleading and obfuscatory.
On 11 December, suspecting they were getting ready to strike a long-term deal with Palantir and others, we wrote to the government warning that we would issue court proceedings to challenge any such move.
Under the NHS Act, common law and data protection laws, the government has to consult the public about major changes to the National Health Service. Were they planning to do so?
They also have to conduct a ‘data protection impact assessment’: to show that they are complying with a range of laws to protect citizens’ sensitive health information. Had this been done?
We also questioned whether it was appropriate to use the so-called G-Cloud framework – an accelerated system for quick-fire, minor contracts – for flagship long-term programmes. We expressly sought assurance that no permanent steps would be taken until the legal issues were resolved.
Instead of responding, the government simply pushed the deal with Palantir through, thereby avoiding having to defend themselves in court.
On top of that, they used our enquiries as an excuse to hide what they were up to; telling other journalists that they couldn’t answer their questions on the COVID-19 datastore because it was the subject of “legal action”, while pressing ahead with the deal anyway.
Secrecy and Obfuscation
This fits a long, worrying pattern of secrecy and obfuscation. Back in June, we had to threaten to sue just to force the government to publish the original contracts governing the NHS COVID data deals. More than 14,000 people across the country backed our call – but we should never have had to fight. People have a right to know how their health assets are being held, protected or traded.
They also have a right to be heard about whether a firm like Palantir is right for the NHS. Palantir’s co-founder, Peter Thiel, was not merely a major donor to the campaign of President Donald Trump: during the 2016 campaign season he chose to consult with avowed White nationalists.
When pressed, Palantir seeks to justify its support for rights abuses committed by government clients by claiming its role is not to set the direction of a democracy’s travel. This is an impoverished view of democracy, in which people periodically vote, but on all detailed questions the government governs, and contractors contract. Our organisations, openDemocracy and Foxglove, are both founded on a different idea: that democracy is a participation sport, involving constant negotiation between the governors and the governed.
openDemocracy’s journalism this year has uncovered countless ‘COVID cronyism’ scandals involving Boris Johnson’s government: massive, taxpayer-funded contracts for Tory donors, allies, or large firms without fair competition or scrutiny. Vast sums have gone to unaccountable companies to deliver a range of poorly performing COVID services, from ‘disastrous’ PPE provision to the failing Test and Trace system.
The government’s furtive conduct around the datastore once again exposes a lack of respect for the views of the citizens who fund the NHS. And it raises real concern about recently revealed plans for a radical ‘shake up’ of the NHS, currently understood to be in development under a political unit in Downing Street. What will that mean?
Healthy democracies hold their leaders accountable. The government snuck through the Palantir deal to avoid scrutiny or debate. But the result will be quite the opposite.
We’re now assessing the grounds for a more ambitious legal challenge: to establish a precedent that will stop them ever doing this again. From Freedom of Information failings to the blacklisting of journalists to the ‘chumocracy’ which has defined the chaotic, failing COVID response, the secrecy, cronyism and lack of accountability we’ve seen from the UK government this year cannot become the new normal. And we’re going to fight to make sure it isn’t.
How can this meet GDPR? A US surveillance company handling very PI?
Correct me if I’m wrong, but doesn’t Brexit mean GDPR no longer applies in the UK?
The UK GDPR replacement is in the works… probably be 5-eyes friendly, and European Commission will moan.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#United_Kingdom_implementation
…the GDPR will be amended by statutory instrument to remove certain provisions no longer needed due to the UK’s non-membership in the EU. Thereafter, the regulation will be referred to as “UK GDPR”. The UK will not restrict the transfer of personal data to countries within the EEA under UK GDPR. However, the UK will become a third country under the EU GDPR, meaning that personal data may not be transferred to the country unless appropriate safeguards are imposed, or the European Commission performs an adequacy decision on the suitability of British data protection legislation (Chapter V). As part of the withdrawal agreement, the European Commission committed to perform an adequacy assessment.
In 1974, as part of the Privacy Act, the U.S. government defined Fair Information Practice Principles (FIPPs). Although these principles are not in themselves law, they form the backbone of privacy law in the United States and the world.
The problem is that BIG DATA undermines one of the major principles: Data Minimization.
Governmental agencies are outsourcing this work because it requires updated secure systems. That’s why “proven” foot soldiers in the spy industry become the go-to companies.
Does England have an equivalent of our awful HIPAA?