MPs Warn NHS Patient Data Access by Palantir is 'Dangerous'

NHS England has permitted staff from Palantir — the controversial US data analytics company — and other contractors to access patient data before it has been pseudonymised, according to a report by the Financial Times. The revelation has drawn sharp criticism from MPs, who say the arrangement prioritises technological development over patient privacy protections.

The access forms part of a broader effort by NHS England to build an integrated digital platform using artificial intelligence, with Palantir playing a central role. However, reports indicate that internal NHS concerns about a 'risk of loss of public confidence' were raised before the access was granted, suggesting the arrangement proceeded despite recognised reservations within the organisation.

MPs characterised the situation as 'dangerous', arguing that allowing a foreign commercial entity unrestricted access to identifiable health records — even temporarily — sets a troubling precedent. Critics have long argued that patient data is among the most sensitive personal information held by public institutions, and that robust anonymisation protocols should be in place before any third-party access is permitted.

Palantir, founded in part with backing from the CIA's venture capital arm In-Q-Tel, has faced sustained scrutiny over its government data contracts on both sides of the Atlantic. In the UK, the company secured a £330 million NHS contract in 2023 for its Federated Data Platform, a decision that triggered significant public debate about the commercialisation of health data.

NHS England has not denied the substance of the Financial Times reporting. The organisation has previously argued that data sharing with technology partners is necessary to develop and test systems intended to improve patient outcomes and operational efficiency across the health service.

The UK government has been pushing to harness NHS data — one of the largest longitudinal health datasets in the world — to drive advances in medical research and AI-assisted diagnostics. Proponents argue that carefully managed data access is essential to realising these benefits. Critics, however, maintain that 'carefully managed' must mean anonymised before access, not after.

Why This Matters

NHS patient data represents one of the most comprehensive health datasets in the world; how it is shared with commercial entities sets precedents for public health data governance across democratic nations.
If public trust in NHS data handling erodes, patients may opt out of data sharing schemes, potentially hampering legitimate medical research and AI development.
The arrangement raises unresolved questions about sovereignty over sensitive national data when foreign commercial firms are involved in core public infrastructure.

Background

The relationship between the NHS and Palantir has been contentious since at least 2021, when the company's involvement in a COVID-19 data store drew protests from privacy advocates. In 2023, NHS England awarded Palantir a £330 million contract to build its Federated Data Platform — a centralised system intended to link up patient records across hospitals and care settings — after a procurement process that itself attracted criticism for its scale and opaqueness.

Palantir was founded in 2003 by Peter Thiel and others, and built its early reputation on contracts with US intelligence and defence agencies. Its entry into civilian healthcare markets in the UK and elsewhere has consistently prompted debate about whether a company with such roots is an appropriate custodian of public health data.

UK data protection law, including the UK GDPR and the Data Protection Act 2018, places strict obligations on organisations handling health data, which is classified as a 'special category' requiring heightened safeguards. The question of whether allowing access before pseudonymisation breaches these obligations may now attract regulatory attention.

Key Perspectives

NHS England: The organisation argues that working with technology partners — including granting access needed to build and test systems — is essential to delivering a functioning integrated platform that will ultimately benefit patients through faster, better-coordinated care.

Palantir: The company has consistently maintained that its NHS work complies with UK data law and that it is committed to protecting patient privacy. It argues its technology enables more efficient use of health data for public benefit.

MPs and Privacy Advocates: Parliamentary critics and organisations such as openDemocracy and Foxglove have argued that commercial access to identifiable patient data — particularly by a US-headquartered firm subject to American legal jurisdiction — represents an unacceptable risk, and that any access should only occur post-anonymisation.

Critics/Skeptics: Some data governance experts caution that 'pseudonymisation' itself is not an absolute safeguard, as re-identification is technically possible with sufficient auxiliary data. They argue the NHS should be pursuing privacy-by-design approaches from the outset, not as an afterthought.

What to Watch

Whether the UK Information Commissioner's Office (ICO) opens a formal investigation into the data access arrangements described in the Financial Times report.
Parliamentary scrutiny: any upcoming Health Select Committee sessions or written ministerial statements addressing the specific access arrangements and what oversight mechanisms are in place.
Public opt-out rates from NHS data sharing — a sustained rise would signal that confidence has been materially damaged and could affect the viability of the broader data platform project.

ZOTPAPER