Contracts with Palantir

The request was partially successful.

Privacy International

Dear Cabinet Office,

To whom this may concern,

I am writing to you on behalf of Privacy International. Under the Freedom of Information Act 2000, I am seeking access to the following information:

1. Do you have any current or past agreement(s)/contract(s) with Palantir? If yes please provide contracts of each of those.

2. Are any Palantir products or services used – or will be used or have been used – in contexts of immigration enforcement, border control, or policing/prevention or detection of crime? If yes, please specify which contexts and since when.

3. Specifically, do any of these products process (including collecting, retaining, sharing, storing or otherwise making available) personal data? If so,
a) What are the categories of personal data, including any metadata, processed by the Palantir products being tested, piloted or used? Please list the specific categories.
b) Can you list the exact categories of special-category personal data processed by Palantir products, such as personal data revealing among others nationality, information contained in asylum applications or applications for international protection, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, data revealing criminal convictions or offences.

4. Does the Cabinet Office have or used to have a written contract(s) (or other legal act), as required by the Information Commissioner’s Office, with Palantir that governs the processing of personal data by Palantir? If yes, please provide a copy of such processing agreement(s)/contract(s). If not please explain why.

5. Do Palantir products process any non-personal data? If yes, can you list the categories of non-personal data that may be processed by Palantir products? Do they, for example, process any aggregated data, anonymised or pseudonymised data? If so, does the Cabinet Office control or process the non-personal data processed by the Palantir products?

6. Was there a Data Protection Impact Assessment done in relation to each of the Palantir products? If yes, please provide a copy of the Data Protection Impact Assessment Reports for each product. If not please explain why.

7. Has the ICO been notified in relation to the use of each of the Palantir products, including by communicating Data Protection Impact Assessments (DPIAs) to it and/or seeking its views on data processing matters in relation to any of the Palantir products?

8. Was there an Equality and Human Rights Impact Assessment done in relation to each of the Palantir products? If yes, please provide a copy of the Impact Assessment Reports for each product. If not please explain why.

10. Please provide any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office in the past 12 months relating to the above.

**If it is not possible to provide the information requested due to the information exceeding the cost of compliance limits identified in Section 12 of FOIA, please provide advice and assistance, under the Section 16 obligations of FOIA, as to how to refine this request. We would be grateful for any advice and assistance.

If you have any queries please don’t hesitate to contact us via email or phone and we will be very happy to clarify what we are asking for and discuss the request. Our details are outlined below.

Thank you for your time and we look forward to your response.

Yours faithfully,

Dr Ilia Siatitsa
Programme Director and Legal Officer
Privacy International

Cabinet Office FOI Team,

Our ref: FOI2020/12993

Dear ILLIA SIATITSA,

Thank you for your request for information which was received on
18/9/2020. Your request is being handled under the terms of the Freedom of
Information Act 2000 ('the Act').

The Act requires that a response must be given promptly, and in any event
within 20 working days. We will therefore aim to reply at the latest by
16/10/2020.

Please remember to quote the reference number above in any future
communications.

Yours sincerely,

FOI Team

FOI Team Mailbox, Cabinet Office

1 Attachment

Please find attached the reply to your FOI request

Regards

FOI Team

Room 405

70 Whitehall,

London, SW1A 2AS

E-mail - [Cabinet Office request email]

Privacy International

Dear Cabinet Office,

To whom this may concern,

Following your letter on 16 October 2020, I have now revised the questions to limit the scope of the request as indicated in your correspondence.

In accordance with Section 16 obligations of FOIA your office should provide advice and assistance on how to limit the scope of the request. If it is still not possible to provide the information requested due to the information exceeding the cost of compliance limits identified in Section 12 of FOIA, please provide advice and assistance as to how to further refine this request.

On behalf of Privacy International, under the Freedom of Information Act 2000, I am seeking access to the following information:

1. Have you currently or in the past tested, piloted, or used any products or services developed by Palantir? If yes, could you list which ones, when and for what purpose, i.e. immigration enforcement, border control, or policing/prevention or detection of crime?

2. Could you list the categories of personal data processed by any of the Palantir products or services corresponding to question 1 above, including special-category personal data processed by Palantir products or services, such as personal data revealing among others nationality, information contained in asylum applications or applications for international protection, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, data revealing criminal convictions or offences.

3. Does the Cabinet Office have or used to have written contract(s) (or other legal act such as agreements), as required by the Information Commissioner’s Office, with Palantir that governs the processing of personal data by Palantir? If yes, please provide a copy of such processing contract(s)/agreement(s).

4. Was there a Data Protection Impact Assessment done by the Cabinet Office in relation to each of the Palantir products? If yes, please provide a copy of the Data Protection Impact Assessment Reports for each product. If not, please explain why no Data Protection Impact Assessment was done.

5. Please provide any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office from 01 April 2020 until 31 October 2020 relating to the above.

**As mentioned above if it is not possible to provide the information requested due to the information exceeding the cost of compliance limits identified in Section 12 of FOIA, please provide advice and assistance, in accordance with Section 16 obligations of FOIA, as to how to refine this request.

If you have any queries please don’t hesitate to contact us via email or phone and we will be very happy to clarify what we are asking for and discuss the request. Our details are outlined below.

Thank you for your time and we look forward to your response.

Yours sincerely,

Dr Ilia Siatitsa
Programme Director and Legal Officer
Privacy International

Cabinet Office FOI Team,

Our ref: FOI2020/17304

Dear Dr Ilia Siatitsa,

Thank you for your request for information which was received on 2nd
November. Your request is being handled under the terms of the Freedom of
Information Act 2000 ('the Act').

The Act requires that a response must be given promptly, and in any event
within 20 working days. We will therefore aim to reply at the latest by
1st December.

Please remember to quote the reference number above in any future
communications.

Yours sincerely,

Freedom of Information Team

Cabinet Office

Cabinet Office FOI Team,

1 Attachment

Dear Dr Ilia Siatitsa,

Please find attached our response to your recent Freedom of Information
request (reference FOI2020/17304).

Yours sincerely,

Freedom of Information Team

Cabinet Office

Privacy International

Dear Cabinet Office,

Dear Eirian Walsh Atkins,

I write on behalf of Privacy International to request an internal review of your decision dated 1 December 2020 (FOI Reference: FOI2020/17304).

On 18 September 2020, PI wrote to the Cabinet Office’s FOI Team seeking information, pursuant to the Freedom of Information Act 2000 (the “Act”), relating to the Cabinet Office’s use of products or services supplied by the company Palantir Technologies UK, Ltd (“Palantir”). The FOI Team responded on 16 October 2020 informing PI that the Cabinet Office was unable to comply with that request, for the cost of dealing with it would exceed the appropriate limit set by regulations at £600 for central Government. On 9 November 2020, PI accordingly wrote back to the Cabinet Office’s FOI Team with revised questions.

On 1 December 2020, the Cabinet Office’s FOI Team confirmed that the information requested was held by the Cabinet Office, and proceeded to answer some of PI’s questions. While we welcome the Cabinet Office’s efforts to reply to our questions, we consider that some of the responses raise concerns and further questions. Taking each response in turn, we set out these concerns and further corresponding requests for information:

1. Our request

Have you currently or in the past tested, piloted, or used any products or services developed by Palantir? If yes, could you list which ones, when and for what purpose, i.e. immigration enforcement, border control, or policing/prevention or detection of crime?

Your response

The Cabinet Office has previously tested Palantir's Foundry Platform in December 2019 to support planning for a potential no deal exit from the EU. The Cabinet Office is currently using the Foundry platform to support Government and key border stakeholders to monitor, minimise and manage disruption to the flow of goods and people at the border at the end of the Transition Period.

In addition, the Government Digital Service (GDS), which is part of Cabinet Office, contracted with Palantir between 2015 and 2016 to analyse and learn more about security attacks across government. In collaboration with CERT-UK, GDS developed a trial platform to aggregate data collected by protective monitoring solutions across the public sector and analyse it for patterns. This created a clearer strategic view of the overall public sector threat picture. You can read more about this on the security profession blog on GOV.UK.

Our response

Can you please confirm that the collaboration with Palantir described in this response as “The Cabinet Office is currently using the Foundry platform to support Government and key border stakeholders to monitor, minimise and manage disruption to the flow of goods and people at the border at the end of the Transition Period” is governed by the documents accessible through the first link included in your response to question 3, and in particular the document called “Bid Pack – Attachment 3 – Statement of Requirements – Contract Reference-Provision of the Foundry Data Connector through a Technical Feasibility Evaluation and Provision of the Foundry Service to develop and deliver the Border Flow Tool – CCSO20A80” (the “Technical Specifications”)?

2. Our request

Could you list the categories of personal data processed by any of the Palantir products or services corresponding to question 1 above, including special-category personal data processed by Palantir products or services, such as personal data revealing among others nationality, information contained in asylum applications or applications for international protection, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, data revealing criminal convictions or offences.

Your response

No personal data has been processed by a Palantir product or service.

Our response

This response seems to contradict the contents of your response to question 3. The first link included in response to question 3 leads to a notice of contract awarded by the Cabinet Office to Palantir on 31 August 2020. Having reviewed the two documents attached on the page, namely “G-Cloud 11 Call-Off Contract (version 4)” (the “Contract”) and the Technical Specifications, a number of provisions would seem to indicate that personal data is being, or intended to be, processed under the partnership with Palantir. We list here some of these provisions:

a. In the Contract:

i. Additional Buyer Term “Personal Data and Data Subjects”, p.9;
ii. Schedule 7 (“GDPR Information”), p.46: completion of Annex 1 to this Schedule would seem to indicate that personal data is intended to be processed as part of this agreement;
iii. “Type of Personal Data”, p.47: “the Supplier will process the Personal Data provided or made available to the Supplier in relation to the Agreement”;
iv. “Categories of Data Subject”, p.47: “Data Subjects […] may include […] member[sic] of the public”.

b. In the Technical Specifications:

i. Clause 1.4: “The supplier will establish the appropriate data sharing agreements and governance with departments to ensure compliance with GDPR.”
ii. Clause 3.3: “BPDG is delivering a Border Impact Centre (BIC) for the end of the transition period, which would provide government with an enduring function to analyse the flow of trade and passengers across the UK border.” This clause would seem to indicate that some form of data about natural persons (“passengers”) will be processed by Palantir’s Foundry Data Connector.
iii. Clauses 3.5 – 3.6: “Currently, data related to border management and flow of goods, people and services is collected by numerous Government departments and public bodies but only used for very specific purposes. Effective sharing of data that government already collects and holds will enable Government to provide better services”. Again, this would seem to envisage processing of data about “people”, and therefore personal data.
iv. Clause 3.8: “The TFE will […] [e]stablish appropriate governance with HMG departments in scope to enable data transfer via the Foundry Data Connector which is compliant with GDPR.”
v. Clause 7.1, Milestone 3 description: “Put in place appropriate data sharing agreements contractual protections and restrictions around the processing of personal data”, followed by “Timeframe or Delivery Date” indicated as “Within week 3 of Contract Award Date”.

We appreciate that the Contract may work as a framework agreement intended to govern the general relationship between the Cabinet Office (and other potential Government departments) and Palantir, with technical details of specific collaborations left to be worked out in separate documents.

However, the Technical Specifications appear to set out details of a specific project with the Border and Protocol Delivery Group (“BPDG”), and clauses listed above suggest that this project will involve the processing and sharing of personal data and require compliance with the GDPR. In particular, clause 7.1 of the Technical Specifications requires that “appropriate data sharing agreements contractual protection and restrictions around the processing of personal data” be put in place “within week 3 of Contract Award”, which, taking the date of Contract Award as 30 August 2020, we understand to have been required to occur by 20 September 2020.

In addition, the second link included in response to question 3 leads to a contract previously awarded to Palantir by the Government Digital Service. The contract attached at the bottom of the page named “WP990 Palantir Redacted Contract” repeatedly refers to personal data, through various defined terms such as “Customer Personal Data”, “Order Personal Data” or “Service Personal Data”. We thereby infer that personal data was, or was intended to be, processed as part of this agreement with Palantir. While this contract has now ended, if personal data was processed this would fall to be disclosed within your answer to question 2.

Accordingly, we respectfully request that you reconsider your answer to question 2, or that you provide an explanation as to why the Technical Specifications require agreements, contractual protections and restrictions around the processing of personal data to be put in place if no personal data is or will be processed by a Palantir product or service.

3. Our request

Does the Cabinet Office have or used to have written contract(s) (or other legal act such as agreements), as required by the Information Commissioner’s Office, with Palantir that governs the processing of personal data by Palantir? If yes, please provide a copy of such processing contract(s)/agreement(s).

Your response

The information is exempt under section 21(1) of the Freedom of Information Act. Section 21 exempts information if this information is reasonably accessible to the applicant by other means. Section 21 is an absolute exemption and the Cabinet Office is not required to consider whether the public interest favours disclosure of this information.

The information can be found here:

https://www.contractsfinder.service.gov.... f2d5b346fd29?origin=SearchResults&p=1

https://www.contractsfinder.service.gov.... e738010d35b8?origin=SearchResults&p=1

Our response

As explained above, our reading of the information you linked to in your response to question 3 suggests that personal data is or will be processed by Palantir, and that agreements, contractual protections and restrictions are required to be put in place to govern such processing. If it is the case that personal data is or will be processed, a data sharing agreement or similar document must have been put in place by the date required by the Technical Specifications. If such a document exists, it is not currently accessible to us by means other than requests such as the present one, and we therefore request that you provide a copy.

4. Our request

Was there a Data Protection Impact Assessment done by the Cabinet Office in relation to each of the Palantir products? If yes, please provide a copy of the Data Protection Impact Assessment Reports for each product. If not, please explain why no Data Protection Impact Assessment was done.

Your response

A Data Protection Impact Assessment has not been completed as no personal data has been processed by a Palantir product or service.

Our response

As explained above, our reading of the information you linked to in your response to question 3 suggests that personal data is or will be processed by Palantir, and that agreements, contractual protections and restrictions are required to be put in place to govern such processing. If it is the case that personal data is or will be processed, we re-iterate question 4 and its associated requests, namely to be provided with a copy of all relevant privacy or data protection impact assessments.

5. Our request

Please provide any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office from 01 April 2020 until 31 October 2020 relating to the above.

Your response

I must inform you that the Cabinet Office is unable to comply with your request. Section 12 of the Freedom of Information Act relieves public authorities of the duty to comply with a request for information if the cost of dealing with it would exceed the appropriate limit. The appropriate limit has been specified in regulations and for central Government this is set at £600. This represents the estimated cost of one person spending 3 1/2 working days in determining whether the Department holds the information, and locating, retrieving and extracting it.

The reason that your request exceeds the cost limit is that relevant information could be contained in very many files. Searching all those that might contain relevant information to determine whether the Cabinet Office holds any information relevant to your request will exceed the appropriate limit laid down in the regulations. If you wish, you may refine your request in order to bring the cost of determining whether the Cabinet Office holds relevant information, locating, retrieving and extracting it, below the appropriate limit. Bearing in mind that our records are classified by broad subject areas, I consider that we will not be able to carry out a search for information unless you can relate the information you seek to a definite context such as a particular policy or region or a notable event or initiative. I must also inform you that if the Cabinet Office does hold any information, it may be subject to one or more of the exemptions contained in the Freedom of Information Act.

Our response

You have estimated that complying with our request for “any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office from 01 April 2020 until 31 October 2020 relating to the above” would exceed 24 hours of one person’s time. Based on our knowledge of existing, common email clients and document management software used by most organisations, we had not envisaged that a search of exchanges between Cabinet Office and Palantir email domains over a seven-month period would require more than a few hours of time. It would have been useful – as recommended by the ICO’s guidance* on requests where the cost of compliance exceeds the appropriate limit – to explain how you have calculated this cost estimate by explaining your search strategy (for example, whether you have carried out any searches for the requested information, which departments or members of staff have been contacted, and the search terms used when querying electronic records), how the information is stored, how many files, documents, records or emails need to be reviewed, and the average length of time it would take to review each file and the number of staff required.

*ICO Guidance: https://ico.org.uk/media/1199/costs_of_c...

While you have recommended that we “relate the information [we] seek to a definite context such as a particular policy or region or a notable event or initiative”, we do not consider that this is in line with the code of practice** issued by the Secretary of State under section 45 of the Act, which provides guidance to public authorities as to the practice which it would be desirable for them to follow in connection with the discharge of their functions under Part I of the Act. In particular, in relation to your obligation under section 16 of the Act, the code of practice provides that appropriate assistance “might include providing an outline of the different kinds of information which might meet the terms of the request” or “providing access to detailed catalogues and indexes, where these are available, to help the applicant ascertain the nature and extent of the information held by the authority”.

**Code of practice: https://assets.publishing.service.gov.uk...

That being said, in the interests of avoiding further exchanges, we have refined our request as follows, which we trust complies with your instructions to relate the information we seek to “a particular policy […] or a notable […] initiative”:

Please provide any minutes or recordings of meetings between Palantir and the Cabinet Office having taken place between 1 April 2020 to 31 October 2020 relating to the provision of Palantir’s Foundry Data Connector Tool to develop and deliver the Border Flow Tool.

If you consider that information falling within the above refined request is subject to one or more of the exemptions contained in the Act, please specify which exemptions you seek to rely on, in relation to which specific information.

For the reasons outlined above, we respectfully submit a request for an internal review of your handling of our request, and ask that the Cabinet Office re-considers its response dated 1 December 2020.

If you have any queries, please don’t hesitate to contact us via email or phone and we will be very happy to further clarify any concerns or requests. Our details are outlined below.

Yours faithfully,

Dr Ilia Siatitsa
Programme Director and Legal Officer
Privacy International

Privacy International

CORRECTED VERSION

Dear Cabinet Office,

Dear Eirian Walsh Atkins,

I write on behalf of Privacy International to request an internal review of your decision dated 1 December 2020 (FOI Reference: FOI2020/17304).

On 18 September 2020, PI wrote to the Cabinet Office’s FOI Team seeking information, pursuant to the Freedom of Information Act 2000 (the “Act”), relating to the Cabinet Office’s use of products or services supplied by the company Palantir Technologies UK, Ltd (“Palantir”). The FOI Team responded on 16 October 2020 informing PI that the Cabinet Office was unable to comply with that request, for the cost of dealing with it would exceed the appropriate limit set by regulations at £600 for central Government. On 9 November 2020, PI accordingly wrote back to the Cabinet Office’s FOI Team with revised questions.

On 1 December 2020, the Cabinet Office’s FOI Team confirmed that the information requested was held by the Cabinet Office, and proceeded to answer some of PI’s questions. While we welcome the Cabinet Office’s efforts to reply to our questions, we consider that some of the responses raise concerns and further questions. Taking each response in turn, we set out these concerns and further corresponding requests for information:

1. Our request

Have you currently or in the past tested, piloted, or used any products or services developed by Palantir? If yes, could you list which ones, when and for what purpose, i.e. immigration enforcement, border control, or policing/prevention or detection of crime?

Your response

The Cabinet Office has previously tested Palantir's Foundry Platform in December 2019 to support planning for a potential no deal exit from the EU. The Cabinet Office is currently using the Foundry platform to support Government and key border stakeholders to monitor, minimise and manage disruption to the flow of goods and people at the border at the end of the Transition Period.

In addition, the Government Digital Service (GDS), which is part of Cabinet Office, contracted with Palantir between 2015 and 2016 to analyse and learn more about security attacks across government. In collaboration with CERT-UK, GDS developed a trial platform to aggregate data collected by protective monitoring solutions across the public sector and analyse it for patterns. This created a clearer strategic view of the overall public sector threat picture. You can read more about this on the security profession blog on GOV.UK.

Our response

Can you please confirm that the collaboration with Palantir described in this response as “The Cabinet Office is currently using the Foundry platform to support Government and key border stakeholders to monitor, minimise and manage disruption to the flow of goods and people at the border at the end of the Transition Period” is governed by the documents accessible through the first link included in your response to question 3, and in particular the document called “Bid Pack – Attachment 3 – Statement of Requirements – Contract Reference-Provision of the Foundry Data Connector through a Technical Feasibility Evaluation and Provision of the Foundry Service to develop and deliver the Border Flow Tool – CCSO20A80” (the “Technical Specifications”)?

2. Our request

Could you list the categories of personal data processed by any of the Palantir products or services corresponding to question 1 above, including special-category personal data processed by Palantir products or services, such as personal data revealing among others nationality, information contained in asylum applications or applications for international protection, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, data revealing criminal convictions or offences.

Your response

No personal data has been processed by a Palantir product or service.

Our response

This response seems to contradict the contents of your response to question 3. The first link included in response to question 3 leads to a notice of contract awarded by the Cabinet Office to Palantir on 31 August 2020. Having reviewed the two documents attached on the page, namely “G-Cloud 11 Call-Off Contract (version 4)” (the “Contract”) and the Technical Specifications, a number of provisions would seem to indicate that personal data is being, or intended to be, processed under the partnership with Palantir. We list here some of these provisions:

a. In the Contract:

i. Additional Buyer Term “Personal Data and Data Subjects”, p.9;
ii. Schedule 7 (“GDPR Information”), p.46: completion of Annex 1 to this Schedule would seem to indicate that personal data is intended to be processed as part of this agreement;
iii. “Type of Personal Data”, p.47: “the Supplier will process the Personal Data provided or made available to the Supplier in relation to the Agreement”;
iv. “Categories of Data Subject”, p.47: “Data Subjects […] may include […] member[sic] of the public”.

b. In the Technical Specifications:

i. Clause 1.4: “The supplier will establish the appropriate data sharing agreements and governance with departments to ensure compliance with GDPR.”
ii. Clause 3.3: “BPDG is delivering a Border Impact Centre (BIC) for the end of the transition period, which would provide government with an enduring function to analyse the flow of trade and passengers across the UK border.” This clause would seem to indicate that some form of data about natural persons (“passengers”) will be processed by Palantir’s Foundry Data Connector.
iii. Clauses 3.5 – 3.6: “Currently, data related to border management and flow of goods, people and services is collected by numerous Government departments and public bodies but only used for very specific purposes. Effective sharing of data that government already collects and holds will enable Government to provide better services”. Again, this would seem to envisage processing of data about “people”, and therefore personal data.
iv. Clause 3.8: “The TFE will […] [e]stablish appropriate governance with HMG departments in scope to enable data transfer via the Foundry Data Connector which is compliant with GDPR.”
v. Clause 7.1, Milestone 3 description: “Put in place appropriate data sharing agreements contractual protections and restrictions around the processing of personal data”, followed by “Timeframe or Delivery Date” indicated as “Within week 3 of Contract Award Date”.

We appreciate that the Contract may work as a framework agreement intended to govern the general relationship between the Cabinet Office (and other potential Government departments) and Palantir, with technical details of specific collaborations left to be worked out in separate documents.

However, the Technical Specifications appear to set out details of a specific project with the Border and Protocol Delivery Group (“BPDG”), and clauses listed above suggest that this project will involve the processing and sharing of personal data and require compliance with the GDPR. In particular, clause 7.1 of the Technical Specifications requires that “appropriate data sharing agreements contractual protection and restrictions around the processing of personal data” be put in place “within week 3 of Contract Award”, which, taking the date of Contract Award as 30 August 2020, we understand to have been required to occur by 20 September 2020.

In addition, the second link included in response to question 3 leads to a contract previously awarded to Palantir by the Government Digital Service. The contract attached at the bottom of the page named “WP990 Palantir Redacted Contract” repeatedly refers to personal data, through various defined terms such as “Customer Personal Data”, “Order Personal Data” or “Service Personal Data”. We thereby infer that personal data was, or was intended to be, processed as part of this agreement with Palantir. While this contract has now ended, if personal data was processed this would fall to be disclosed within your answer to question 2.

Accordingly, we respectfully request that you reconsider your answer to question 2, or that you provide an explanation as to why the Technical Specifications require agreements, contractual protections and restrictions around the processing of personal data to be put in place if no personal data is or will be processed by a Palantir product or service.

3. Our request

Does the Cabinet Office have or used to have written contract(s) (or other legal act, such as agreements), as required by the Information Commissioner’s Office, with Palantir that governs the processing of personal data by Palantir? If yes, please provide a copy of such processing contract(s)/agreement(s).

Your response

The information is exempt under section 21(1) of the Freedom of Information Act. Section 21 exempts information if this information is reasonably accessible to the applicant by other means. Section 21 is an absolute exemption and the Cabinet Office is not required to consider whether the public interest favours disclosure of this information.

The information can be found here:

https://www.contractsfinder.service.gov.... f2d5b346fd29?origin=SearchResults&p=1

https://www.contractsfinder.service.gov.... e738010d35b8?origin=SearchResults&p=1

Our response

As explained above, our reading of the information you linked to in your response to question 3 suggests that personal data is or will be processed by Palantir, and that agreements, contractual protections and restrictions are required to be put in place to govern such processing. If it is the case that personal data is or will be processed, a data sharing agreement or similar document must have been put in place by the date required by the Technical Specifications. If such a document exists, it is not currently accessible to us by means other than requests such as the present one, and we therefore request that you provide a copy.

4. Our request

Was there a Data Protection Impact Assessment done by the Cabinet Office in relation to each of the Palantir products? If yes, please provide a copy of the Data Protection Impact Assessment Reports for each product. If not, please explain why no Data Protection Impact Assessment was done.

Your response

A Data Protection Impact Assessment has not been completed as no personal data has been processed by a Palantir product or service.

Our response

As explained above, our reading of the information you linked to in your response to question 3 suggests that personal data is or will be processed by Palantir, and that agreements, contractual protections and restrictions are required to be put in place to govern such processing. If it is the case that personal data is or will be processed, we re-iterate question 4 and its associated requests, namely to be provided with a copy of all relevant privacy or data protection impact assessments.

5. Our request

Please provide any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office from 01 April 2020 until 31 October 2020 relating to the above.

Your response

I must inform you that the Cabinet Office is unable to comply with your request. Section 12 of the Freedom of Information Act relieves public authorities of the duty to comply with a request for information if the cost of dealing with it would exceed the appropriate limit. The appropriate limit has been specified in regulations and for central Government this is set at £600. This represents the estimated cost of one person spending 3 1/2 working days in determining whether the Department holds the information, and locating, retrieving and extracting it.

The reason that your request exceeds the cost limit is that relevant information could be contained in very many files. Searching all those that might contain relevant information to determine whether the Cabinet Office holds any information relevant to your request will exceed the appropriate limit laid down in the regulations. If you wish, you may refine your request in order to bring the cost of determining whether the Cabinet Office holds relevant information, locating, retrieving and extracting it, below the appropriate limit. Bearing in mind that our records are classified by broad subject areas, I consider that we will not be able to carry out a search for information unless you can relate the information you seek to a definite context such as a particular policy or region or a notable event or initiative. I must also inform you that if the Cabinet Office does hold any information, it may be subject to one or more of the exemptions contained in the Freedom of Information Act.

Our response

You have estimated that complying with our request for “any communications (meeting recordings, emails or other) between Palantir and the Cabinet Office from 01 April 2020 until 31 October 2020 relating to the above” would exceed 24 hours of one person’s time. Based on our knowledge of existing, common email clients and document management software used by most organisations, we had not envisaged that a search of exchanges between Cabinet Office and Palantir email domains over a seven-month period would require more than a few hours of time. It would have been useful – as recommended by the ICO’s guidance* on requests where the cost of compliance exceeds the appropriate limit – to explain how you have calculated this cost estimate by explaining your search strategy (for example, whether you have carried out any searches for the requested information, which departments or members of staff have been contacted, and the search terms used when querying electronic records), how the information is stored, how many files, documents, records or emails need to be reviewed, and the average length of time it would take to review each file and the number of staff required.

*ICO Guidance: https://ico.org.uk/media/1199/costs_of_c...

That being said, in the interests of avoiding further exchanges, we have refined our request as follows, which we trust complies with your instructions to relate the information we seek to “a particular policy […] or a notable […] initiative”:

Please provide any minutes or recordings of meetings between Palantir and the Cabinet Office having taken place between 1 April 2020 and 31 October 2020 relating to the provision of Palantir’s Foundry Data Connector Tool to develop and deliver the Border Flow Tool.

If you consider that information falling within the above refined request is subject to one or more of the exemptions contained in the Act, please specify which exemptions you seek to rely on, in relation to which specific information.

For the reasons outlined above, we respectfully submit a request for an internal review of your handling of our request, and ask that the Cabinet Office re-considers its response dated 1 December 2020.

If you have any queries, please don’t hesitate to contact us via email or phone and we will be very happy to further clarify any concerns or requests. Our details are outlined below.

Yours faithfully,

Dr Ilia Siatitsa
Programme Director and Legal Officer
Privacy International

Cabinet Office FOI Team,

Dear Dr Ilia Siatitsa,

Thank you for your request for an internal review (reference
IR2021/02017), which was prompted by our response to your request for
information under the Freedom of Information Act 2000.

We shall endeavour to complete the internal review and respond to you
within 20 working days.

Please remember to quote the reference number above in any future
communications.

Yours sincerely,

FOI Team

FOI Team Mailbox, Cabinet Office

1 Attachment

Please find attached the reply to your FOI request

Regards

FOI Team

Room 405

70 Whitehall,

London, SW1A 2AS

E-mail - [Cabinet Office request email]

Privacy International

Dear Ms Anderson,

I write on behalf of Privacy International with regards to FOI Reference: FOI2020/17304 and internal review request reference IR2021/02017.

Thank you for the letter we received from your FOI Team on 26 February 2021.

Having perused it, we note that your response only addresses question 5 of our FOI request, and only references our original FOI request number (FOI2020/17304), rather than the number you assigned to our internal review request when acknowledging it (IR2021/02017).

Please therefore confirm whether we should be expecting a separate response to our internal review request. We also note that the deadline to respond to our internal review request has now passed and would therefore be grateful for a prompt response.

Yours sincerely,

Dr Ilia Siatitsa
Privacy International

Cabinet Office FOI Team,

2 Attachments

Dear Dr Ilia Siatitsa,

With apologies for the delay, please find attached our response to your
request for an Internal Review (reference IR2021/02017).

Yours sincerely,

FOI Team