Safety and data processing with Palantir Technologies

Response to this request is delayed. By law, NHS England should normally have responded promptly and by (details)

Dear NHS England,

The Department of Health and Social Care, as well as the NHSX, have been widely reported to be engaging Palantir in the development of a COVID-19 data project (https://bit.ly/2AVdzgr) through UK boutique AI firm, faculty.ai. With scope to spend up to £125 million (https://bit.ly/3eganKJ) towards any potential Palantir products and services, it is clear that Palantir Technologies is a close partner of the government during the COVID-19 health crisis (the government already holds contracts with Palantir reported to be valued at £39m (https://bit.ly/3gdTH8k). In spite of the government’s recent arrangement, which included sharing confidential patient data (https://bit.ly/36qH3y9), there is currently a lack of clarity of exactly how the government intends to engage Palantir products and services, what data will be processed (and why), and for how long. While Palantir has been adamant that they are merely data processors while the NHS are the data controllers within the framework of the arrangement, Palantir would stand, in some conditions, to be granted access to customer data at the discretion of the NHS, as stated in their reply to Privacy International’s open letter dated April 29th 2020:

‘Any access to customer data under any circumstances would be strictly at the direction of customers, in support of legitimate purposes, and in adherence with all applicable rules and regulations’

It is therefore paramount that the NHS provide greater transparency around the level of access provided to Palantir Technologies.

Under the Freedom of Information Act 2000, I am seeking access to the following information:

1) What is the nature of the confidential patient data (https://bit.ly/36qH3y9) shared with Palantir?

2) What are the types of data processed by the Palantir products being tested, piloted or used?

3) In their response to Privacy International’s open letter dated April 29th 2020, Palantir stated that their role in the NHS deal was merely as data processor and that the company "serves as a technical agent to its customers, providing software and services to enable and support them in analysing the data they control". This means the NHS remains the data controller. Given this, can you:
a) List the exact categories of the personal data processed by Palantir products, including whether these include personal data revealing nationality, information contained in asylum applications or applications for international protection, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, data revealing criminal convictions or offences.
b) List any categories of non-personal data that may be processed by Palantir products? Do, for example, process any aggregated data, anonymised or pseudonymised data?

4) Does the NHS have a written contract (or other legal act), as required by the Information Commissioner’s Office, with Palantir that governs the processing of personal data by Palantir? If yes, please provide a copy of such processing agreements/contracts. If not please explain why.

5) Was there a Data Protection Impact Assessment done in relation to each of the Palantir products? If yes, please provide a copy of the Data Protection Impact Assessment Reports for each product. If not, please explain why.

6) Was there an Equality and Human Rights Impact Assessment done in relation to each of the Palantir products? If yes, please provide a copy of the Impact Assessment Reports for each product. If not, please explain why.

**If it is not possible to provide the information requested due to the information exceeding the cost of compliance limits identified in Section 12 of FOIA, please provide advice and assistance, under the Section 16 obligations of FOIA, as to how to refine this request. We would be grateful for any advice and assistance.

If you have any queries please don’t hesitate to contact us via email or phone and we will be very happy to clarify what we are asking for and discuss the request, our details are outlined below.

Thank you for your time and we look forward to your response.

Yours faithfully,
Jacob Zionts
NoTechForTyrants
[email address]