Big technology companies could use the coronavirus pandemic to gain a foothold in the UK’s health service, enquiries by the Bureau of Investigative Journalism suggest.
A number of companies could get unprecedented access to patient data, such as test results and NHS 111 calls, after winning deals with the NHS to help tackle the coronavirus pandemic. NHS X, the health service’s digital arm, insists that the access will be time-limited, subject to data protection rules and only for very specific purposes. But critics complain about a lack of transparency in awarding the deals, and warn that once the health crisis is over, this could place the companies at a commercial advantage.
Privacy campaigners are especially concerned that the current crisis must not lead to a data “free-for-all” in response to a relaxation of rules that now permits the NHS to pass patient information onto private companies. This is specifically for work on projects tackling the pandemic, and also subject to data controls. But as privacy campaigners always point out, recent history is littered with scandals about the mis-use of data and breaches of supposedly secure systems.
Growth opportunity One NHS partnerships is with the controversial data-mining company Palantir, which has been commissioned to create a data store for logistical planning during the pandemic.
Together with Amazon, Microsoft, Google and London-based Faculty AI, Palantir will use data, such as hospital occupancy levels, A&E capacity and the length of stay of Covid-19 patients, to predict where resources such as beds and ventilators will be in greatest demand.
Previously, Palantir has been accused of using its data-mining technology for questionable purposes. Controversies have included a system which some have alleged has been used by the US Immigration and Customs Enforcement to separate immigrant families (although the company itself states it only works for the criminal investigations side of the agency) and the use of its software in predictive policing tools by the Los Angeles Police Department. In 2018, Palantir admitted that in 2013-14 an employee had helped Cambridge Analytica build its data harvesting app, although it maintains that this was in a “personal capacity.”
Critics have also expressed concerns about Palantir’s founder and major shareholder, Peter Thiel. Thiel, who helped fund the election of Donald Trump and bankrolled a lawsuit that took down the blog network Gawker, once said that he “no longer believes that freedom and democracy are compatible.”
This latest project raises a number of questions about access to personal data. In a blog post on the gov.uk site, the Department of Health and Social Care originally stated that all the data in the store is anonymous, with controls “that include removing identifiers such as name and address and replacing these with a pseudonym.” But Yves-Alexandre de Montjoye, head of the computational privacy group at Imperial College London, said that if a third party is given access to the data, it can probably identify people, adding that all that legal and technical controls do is limit the risk. And the NHS post has since been edited and no longer contains mention of anonymisation or pseudonymisation.
De Montjoye concedes that beyond a reference to “statistics about the lengths of stay for Covid-19 patients,” it is unclear from the official blog what other data is being used. But he judges that the only aspect of the project that “will not include any form” of potentially “identifiable patient data” is that managed by Google. Consequently, the tech giant’s involvement in this particular project has not raised special concerns for privacy campaigners, despite its track record in the health data space. (The Google subsidiary Deepmind courted controversy with a data-sharing agreement with London’s Royal Free Hospital, which involved 1.6 million patient records. The Information Commissioner’s Office later found that the deal breached the Data Protection Act, although there was no fine.)
Privacy fears Under a recent relaxation of data sharing restrictions private companies can now be granted access to NHS patient data for valid Covid-19 purposes. The standard regulations state that “no person shall process confidential patient information... unless he is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.” But the health secretary has issued a range of emergency notices to healthcare providers, requiring that data be shared for pandemic-related purposes. A notice to GPs and local authorities in March stated “action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance.” The data sharing powers will last until September.
Previously confidential NHS data could not be put under the control of anyone who was not a healthcare professional without a legal basis. Doubts are growing around what happens once the coronavirus crisis is over. One insider told the Bureau: “I can understand why they are using Palantir, it has incredible software. But this is a company not known for working in the open.”
They added: “I’d like to see it build a parallel system—so [the Palantir system] can get switched off when it is not needed anymore.” A second insider said that the deal could lead to supplier lock-in. “It’s an opportunity for Palantir to highlight how wonderful they are [while] getting the opportunity to build up knowledge.”
Natalie Banner, lead on the Understanding Patient Data programme at the medical research charity Wellcome, said that the public do not object to private companies working with the health service as long as benefits to patients and the NHS are clearly prioritised. “The NHS can benefit from the capacity and technical expertise of technology companies, for example to build the data store,” she said.
Crucially, technology companies that work with the NHS during this crisis will develop a better understanding of the UK’s health data infrastructure, “which could give them an advantage in future discussions about providing services to the NHS.”
Rachel Coldicutt, former chief executive of the technology ethics think tank Doteveryone, said that: “Public services, funded by public money, must be open to public scrutiny—especially in times of great upheaval when lots of decisions are being made very quickly.
“Publishing the specification that Palantir is working to and appointing an emergency governance committee to give external oversight would help maintain trust in this volatile period.” Palantir did not respond to a request for comment.
New apps It is not just large technology companies that could come out of the crisis in a stronger position. One of the most popular apps is the ZOE Covid Symptom Tracker, which has been downloaded more than two million times. The app was developed by venture capitalist-backed nutritional data company ZOE Globalin conjunction with King’s College London and Guy’s and St Thomas’ hospitals. It came out ahead of the NHS’s own symptom tracker app, which was released on 4th April. Although ZOE’s privacy policy states that the data will not be used for commercial purposes, it will emerge from the crisis with a massively boosted profile.
On 12th April, the health secretary Matt Hancock announced that the government is trialling a contact-tracking app, which will send anonymous alerts to people who have come into proximity with someone who has tested positive for Covid-19. He said that the NHS is working closely with the world’s “leading tech companies” and experts in digital ethics and will publish the app’s source code as part of its “commitment to transparency.”
However, Sky reported that one source who had witnessed work on the app had told it anonymously that the early phase of development was a “hot mess” run by “a hodgepodge of suppliers and contractors” with “no clear voices in the room speaking to the privacy implications of the technology they were using.” In recent weeks, app development has been taken over by Pivotal, a subsidiary of the American software giant VMware.
Phil Booth, of the patient data campaign group MedConfidential, has expressed concern about the involvement of a private cloud services company. He believes that the NHS should publish the contracts for all the initiatives that it is rolling out: “[The NHS] is being given extraordinary leeway in a crisis—to do something it has been trying, and failing, to do for years in normal circumstances. If it wants to retain even a semblance of public trust, it must be fully transparent; we’re not asking to see any data, but rather what it is doing or intends to do with it.
“In a public health crisis, no one is going to complain that the NHS has pulled things together in a hurry,” he said. But, he added, all the normal rules around procurement and transparency have seem to have been “thrown out the window”.
“It’s not just the data [that the NHS] must delete when the emergency is over,” he said. “It’s the cobbled together system itself.” To manage things such as seasonal flu, for example, tools must be commissioned “properly from the ground up, following all the correct rules and procedures.”
According to Wired, some 40 tech companies were present at a meeting with No 10 advisor Dominic Cummings in Downing Street on 12 March. Among their ranks were reportedly several who have got the Covid-related health contracts. Also reportedly there was the AI start-up Babylon Health—a company, where the Bureau of Investigative Journalism previously revealed Cummings had done some consultancy work the year before he came into government. Health secretary Matt Hancock has recently been a public enthusiast for Babylon’s GP at Hand app.
A spokesman for NHS X, the digital arm of the health service, said that the decision to partner with Palantir and Faculty AI was made in accordance with proper processes. He told us that data protection impact assessments—designed to identify and minimise data protection risks—have been completed for all data required to support Covid-19 analysis: “Strict data protection rules apply to everyone involved in helping in this critical task. The companies do not control the data and are not permitted to use or share it for their own purposes… At the end of the coronavirus public health emergency their work will either be deleted or returned to the NHS.”
NHS X did not respond to a request for more detail about the process of awarding these deals, the financial terms of the contracts and when the project specifications will be published in full.