NHS England grants Palantir staff 'unlimited access' to patient data

NHS England has granted external staff, including employees from Palantir and various consultancy firms, unlimited access to identifiable patient data within the National Data Integration Tenant (NDIT). The NDIT, which is part of the controversial Federated Data Platform (FDP), provides a secure environment that consolidates NHS data into a single system before it is pseudonymised and transferred to other systems. Previously, individuals were required to apply for specific access to individual data sets. However, the latest plan creates a new administrative role and "permits unlimited [NDIT] access to non-NHSE staff" and the identifiable patient information held within it.

Internal documents acknowledge that granting unrestricted access to non-NHS staff poses a risk of eroding public confidence in data safeguarding. While the permission was originally intended solely for security-cleared NHS employees, officials confirmed the policy change has been accepted for a limited number of external workers. These individuals must possess government security clearance and director-level approval.

NHS England maintains that strict policies and regular audits remain in place to monitor data usage. Palantir has stated that it acts strictly as a data processor under NHS instruction. Despite these assurances, internal briefings warn that increasing the number of people with unrestricted access may undermine transparency pledges regarding who can view patient-identifiable information.

Following the news, MPs warned against granting NDIT access to Palantir staff, calling the move "dangerous" and saying it could ignite public concerns that data protection is not being prioritised.

£ - The Financial Times article requires a subscription.

A version of this article is available without subscription in The Register.

Training Announcement: The IAPP Certified Information Privacy Technologist (CIPT) is a privacy-focused professional IT certificate from the IAPP that addresses data protection requirements and controls within complex technological environments. It explores the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, and the role of privacy-enhancing technologies within the organisation. Find out more.