
Britain gave Palantir access to sensitive COVID-19 patient records in £1 deal - AndrewBissell
https://www.cnbc.com/2020/06/08/palantir-nhs-covid-19-data.html
======
ocdtrekkie
Headline could use some help, dang, it's really not representative of the full
story:

"The contract, known as a data-sharing agreement, was published Friday by
politics website OpenDemocracy and law firm Foxglove alongside similar
contracts with Google, Microsoft, and U.K. AI start-up Faculty."

"The contracts show Palantir charged only £1 ($1.27) for use of its Foundry
data management software while Google offered “technical, advisory and other
support” for free."

This is about a lot more than just Palantir. And the NHS has been in hot water
for handing out sensitive patient data to tech firms before. :/

~~~
an_opabinia
> And the NHS has been in hot water for handing out sensitive patient data to
> tech firms before.

Without the perspective of someone who works in the NHS with Palantir's
software, it's impossible to say if the NHS and the public got a good deal.

~~~
mschuster91
No matter how usable and helpful the software is for the front line workers,
the fact remains that Palantir has extensive access to the medical and
according to the article also criminal history of everyone in the UK.

Who can promise that there are no side channels to the USA or no covert
exfiltration using "backups" or "integration systems"?

~~~
nojito
Why would Palantir risk their EU business by breaking the trust of the
contract and move information to the US?

~~~
TheOtherHobbes
Because the NHS is about to be sold off as part of Brexit, and they can profit
hugely from a slice of that action, while pretending they followed the rules
until Brexit was completed.

~~~
dekhn
I haven't seen any plans to privatize NHS as part of Brexit (and it's not
clear why the two would be related, anyway).

~~~
baylisscg
The removal of EU legislation from British law and the UK-US trade deal. With
the US demanding its healthcare and pharma unfettered access to the NHS on
terms equivalent to current US not UK standards. The UK is not, technically,
slapping a FOR SALE sign on the NHS; they've just put themselves in a position
where pretty much anyone and everyone can demand a slice. Of course this
assumes that the current government doesn't view the NHS as an asset to be
strip mined which I'm damn sure they do.

~~~
DanBC
> With the US demanding its healthcare and pharma unfettered access to the
> NHS on terms equivalent to current US not UK standards.

They already have that. Read the Lansley reforms. They mostly don't take it up
because they can't afford to run healthcare for the pittance paid by UK
government, but there are large bits of the NHS run by non-NHS providers. See
for example Priory Group or Cygnet Health Care.

------
code4tee
The data for use in model training is worth far more to Palantir. They can
spin it as being nice and helping with COVID-19 but in reality Palantir
couldn’t buy this data even if they wanted to... so they got the U.K.
government to give it to them! Clever.

~~~
draugadrotten
Just wait a year or two and you'll find that somebody with influence on the
decision gets a well paid cushy job in the private sector. Perhaps one of
those 200K-per-appearance type jobs as a "senior advisor" for a bank.

------
Barrin92
Honestly borders to me on being de-facto undemocratic because I doubt a lot of
British citizens are aware of this or that there has been any sort of
meaningful consent given by patients to outsource their data to a foreign
intelligence firm.

When it comes to how to solve this I really think we need to fundamentally
rethink data ownership both on a legal as well as a technical level. I was
recently reading up on Tim Berners-Lee's SOLID and I think something like that
should be the default for all our data. We store our own healthcare data in
something akin to a pod, when the NHS uses that data they get access to it
granted by the patient in a way that puts formal limits on what they can do
with it and how long they have access to it, and I as the patient have both
the right and technical ability to revoke that access. We really need to push
for data ownership and strong guarantees for data rather than this through the
backdoor process of shoving private health data to unaccountable firms.

Maybe this is something where all these smart contract and decentralisation
technologies can play a meaningful role rather than being primarily used for
speculative currencies.

~~~
ran3824692
> in a way that puts formal limits on what they can do with it and how long
> they have access to it, and I as the patient have both the right and
> technical ability to revoke that access

If that's what SOLID is, it's a scam and more of his DRM promotion. There is no
technical way to "revoke my access." Unless you have a memory erasing implant
in my brain, if the data gets onto my screen, I can copy it and access it
forever. Period. Fuck Tim Berners-Lee.

~~~
ozborn
Data use agreements often specify under what terms the data is held and
destroyed. While people may still remember some data, the usual use case is
large databases that can't be memorized. If someone revokes that data, that
data would need to be removed from the database and all associated downstream
copies. Failure to comply would open the door to legal penalties, which is the
real stick.

Imagine for example, if the US or UK governments took corporate misuse of
personal health data
([https://www.theverge.com/2019/6/27/18760935/google-medical-d...](https://www.theverge.com/2019/6/27/18760935/google-medical-data-lawsuit-university-of-chicago-2017-inappropriate-access))
as seriously as they currently take video copyright violations by
individuals....

------
physicsguy
In English Law (and in many other jurisdictions) it's only a legal contract if
"consideration" is given by both parties; i.e. Palantir here must charge
something in return for it to be an enforceable contract.

~~~
kjaftaedi
The UK is still under EU law, as they haven't fully exited yet.

The citizens would still have to agree to allowing their personal data to be
processed by third-parties and consent for their data to be processed outside
the EU.

Is there any evidence that this consent was given?

~~~
secfirstmd
The UK government may try to wiggle out of it by using the GDPR exemptions
related to research and/or national security
[https://gdpr-info.eu/art-23-gdpr/](https://gdpr-info.eu/art-23-gdpr/)

------
nickff
The article text seems to indicate that Palantir was offering data analysis
software/services to the British government for a nominal fee. It doesn't seem
like NHS was selling the data, they just needed some services, and paying £1
was required to bind Palantir in a contract.

This title really seems like click-bait.

~~~
cool_dude85
So the NHS wasn't selling the data to Palantir, just giving it away?

~~~
seesawtron
The £1 deal is not relevant because I am sure people will be annoyed
despite it being a free deal or one that costs thousands of pounds. The only
thing that matters is whether the data privacy was ensured.

~~~
PeterStuer
The token amount is just there in the contract to notarize on paper the NHS as
the 'client' in the contract, because you anticipate this will be questioned
as a dodgy deal.

------
ng12
From my understanding Foundry (the Palantir product in question) is just a
data management platform. I don't understand why this is so nefarious: they
gave software they usually charge for to a public health agency for free.

~~~
lostlogin
The section on controversies is a primer. It certainly seems worth questioning
the intent.
[https://en.m.wikipedia.org/wiki/Palantir_Technologies](https://en.m.wikipedia.org/wiki/Palantir_Technologies)

~~~
ng12
Palantir already works with a huge number of government agencies is my point.
They're basically a contracting firm. If they had charged the NHS at least a
few hundred thousand pounds it wouldn't have been newsworthy.

------
bhupy
How is this any different from Amazon offering the NHS Amazon RDS licenses for
free/£1?

Is the argument against this that the NHS not be allowed to use any cloud
infrastructure, and that everything ought to be on-premise?

~~~
zentiggr
Rather than being some ostensibly neutral cloud, Palantir was/is CIA funded.
So data straight into CIA/NSA/whomever's hands.

~~~
bhupy
As far as I'm aware, Palantir is basically a SaaS data analytics provider for
governments all over the world.

Why would any government consent to working with Palantir if they had any
suspicion that their data might be used by US government clandestine agencies?

------
thedudeabides5
Funny how no one wants to talk about the reason that the NHS is doing these
deals.

Of all the competent devs / data analysts in the UK, how many do you think
actually want to work at the NHS?

So lots of demand / need (healthcare is a mess in part because of data
management via paper) and no supply / interest of talent.

~~~
marcinzm
I think many people talk about it but from a different context. The NHS is
being de-funded by the same politicians whose friends benefit from these
deals. Hard to hire competent people when your budget keeps getting cut.

~~~
google234123
£136.7 billion seems like a lot. It also seems like it's been exponentially
going up since 1950.

~~~
ben_w
“Exponential” is almost certainly a good approximation, as I expect it to
match the product of wage inflation and population.

------
surfsvammel
Disturbing. When you cannot even trust your own health-care system and
government to even have the ambition to safeguard your sensitive data. What
are citizens supposed to do? It’s tragic how democracy has been so deeply
undermined by private interests. This is not how it was supposed to work.
Truly a disgrace.

------
gentleman11
The UK is trusting an American national security-related firm with patient
data, one that has to secretly accept any data access requests from the
Americans. The UK should stick with their own companies for this sort of work
- same for other countries

------
xenospn
Has Palantir had any type of positive headline associated with it, ever?

------
seesawtron
I do not see in the contract uploaded that UK govt is sharing personal contact
details as the article claims. Can someone see if this has actually happened
or is CNBC exaggerating?

------
6c696e7578
Why are some pages scanned and some plain text?

~~~
gpvos
Two documents pasted together?

------
jamesRaybould
Has anyone tried to do a GDPR request yet to either see what data they
actually hold, or to test the right to erasure?

~~~
L_226
Actually good question, I would like to know how these requests are handled
post Brexit. Do A.13 GDPR requests still have to be honoured by the UK up to
the Brexit date forever?

~~~
djaychela
GDPR is still in force until the end of the transition period (I think Dec
31). What will change after then, who knows? I don't think I've seen anything
coherent on any front from the government at this point.

~~~
desas
The Data Protection Act 2018 essentially copies the gdpr into UK law, tweaks
the corners where allowed under gdpr and adds a few other things.

~~~
fyfy18
This is the case for many EU laws - depending on the area [0], laws agreed
upon in Brussels don't actually mean anything on their own, but member
countries are required to write them into their own law. After Brexit happens
such laws will still apply, as they have been written into UK law.

[0] [https://ec.europa.eu/info/about-european-commission/what-eur...](https://ec.europa.eu/info/about-european-commission/what-european-commission-does/law/areas-eu-action_en)

------
soufron
Pseudo-patronage, or charity-software, it's the new model being pushed by
GAFAM (and Palantir) in order to access digital public services markets in
the EU. It's quite certainly illegal though - procurement regulations, etc.,
but nobody seems to care, especially not in the local software industry. No
wonder the EU are so much behind when it comes to digital industry. They don't
even try to fight.

------
sbeedge
This makes me really f*cking angry.

