Category Archives: News

carry on Creeping, by NHS England

Ministers promised you’d control your data. The Health Bill and NHS England say otherwise

NHS England is in denial. Story after story after story of NHS staff creeping on patients and victims, the Chief Exec of NHS England has decided the problem is only in hospitals and national systems have no ability or responsibility on access.

It is as if Sir Jim Mackey and his staff, the Secretary of State and the DHSC policy leadership, have looked at the series of abuses, and said the problem is not the coverup but the response to the failed coverup – make the response better but cover up the abuses better too. But there’s a slide so NHSE can claim they did something:

It was only because evidence of the creeping got into the hands of the patient victims that the accesses were shown to be illegitimate. And illegal. And NHS England have decided that patients should remain in the dark when NHS England runs the systems facilitating abuse – NHS England claim their Federated Data Platform can show a patient who has gone creeping, and they refuse to show patients. Maybe that culture of coverup that’s why NHS England is being abolished, but it’s not like abolition is going to help.

Ministers are responsible for the coverup

Hansard records that Ministers have reassured patients and the public about unethical and illegal access to their medical records, saying: [ emphasis added ]

“A receptionist might meet someone at a party, then go back to the practice and try to gain access to the person’s records. I am informed, and I believe, that access rights will not enable those who are not involved in the provision of care to see records. Unauthorised access will be marked on the system, and therefore subject to audit. That is one of the opportunities granted to us by an electronic system.

We have provided the most stringent safeguards for security and confidentiality. We hope that anyone who is concerned about information will be reassured by them. The new system will allow patients to determine whether information recorded in one organisation can be seen elsewhere in the NHS: it will be their choice. Even when patients permit such access, only those involved in their care will have access to their records or to information that identifies them, and they will see only the parts of the record that are needed to inform care. That answers some of the hon. Gentleman’s points about the whole health record, and about the possibility that some people might have access to information that was not appropriate. The system is designed to tackle that. Everyone who may have access will be authorised appropriately, and will need a smart card as well as a password. Crucially, the system will register the identity of everyone who looks at the records. That is important as a safeguard and as an audit trail.

Those statements aren’t about the new Single Palantir Record, however – they are about the Summary Care Record in 2005. (To be clear: the SCR does what the new SPR will do, and the SCR is partially the framework on which SPR will start.)

The NHS never delivered on what Ministers said 20 years ago, and without meaningful protections on the face of this new Health Bill, that pattern is going to repeat again now.

Last week, Ministers promised even less than in 2005, saying: [ emphasis added ]

“…applying advanced cloud-based audit and oversight capabilities, enabling near real-time monitoring of system access and detection of unusual or inappropriate patterns. That will allow NHS security teams to track and detect access patterns, and to quickly intervene if specific records are accessed by staff who have no clinical relationship with the patient in question.”

An audit trail registering the identity of everyone who looks at patients’ records, which supposedly “marked” unauthorised access, failed to prevent 20 years of creeping. And now we are told there’ll be “cloud-based” tracking of “patterns”. In the face of widespread illegal access – only a proportion of which ever come to light – Ministers still refuse to promise that patients, i.e the only people who will know for sure that an access is inappropriate, will see the audit trail of when and where their records were accessed.

“NHS security teams” aren’t a real thing for most patients. It’s like saying the bouncer at A&E on a Saturday night will protect your records from being accessed any time, anywhere else. In reality, the NHS has no way to know whether you walked into the pharmacy that accessed your Single Palantir Record – containing all of your diagnoses, notes and prescriptions, and the “summary” of all of the most sensitive details of your life, in order to “avoid having to tell your story” to different clinicians (or so the spin goes).

As a relentless series of revelations keep showing, the NHS is entirely blind to these abuses. And it will continue to do nothing about them as the Single Palantir Record, “essentially a repository for the story of people’s lives”, widens access to your records even further.

Ministers argue their actions have no possible negative consequences. After 20 years of evidence to the contrary, they are either being utterly disingenuous or wilfully ignorant. And their argument is even less credible because of the way the Health Bill changes who controls what data in hospitals. 

Today, if a hospital notices that its records have been accessed in a questionable way, the hospital considers itself the victim, because it is the responsible actor under data protection and employment law. But the hospital investigates itself – hence coverups – because it is the data controller. 

Under the Single Patient Record, the hospital will no longer be the data controller and will only have responsibility for its staff. And Ministers won’t want to know about the abuses for which they will be responsible, which this Bill does nothing to prevent.

If GPs are to be data controllers for the information in the Single Patient Record, then your GP will be the one who is responsible for auditing access to your record. But GPs aren’t being provided with any mechanism to do this, so GPs and patients will be forced to rely on those most incentivised to cover it all up – the employer of the perpetrators. (Things will get even worse when GPs’ control of their patients’ data is eliminated, when the Secretary of State eventually announces that GP data will be copied into the Single Palantir Record, and not accessed at source as needed.)

Government has seen the abuses of Southport, Nottingham, Cambridge (multiple times), and more, and has decided that the status quo “safeguards” are making bad headlines, so must be reduced. They won’t even share a draft of the Regulations, which suggests they are toothless.


To use the analogy discussed in Committee, should a doctor in Dover look up the records of Andy from Manchester, it would entirely depend upon which Andy as to whether that access ever got checked. (Maybe that Andy did have a pressing need for GP, Ambulance or Pharmacy First while on a walkabout – the NHS simply doesn’t know and NHS England didn’t bother to communicate with any of them on what it sent to hospital CEOs – guidance which allows the hospital to continue to cover up abuses

Any Andy can walk into any pharmacy or front line service anywhere in the country, and the NHS can have no idea whether they actually did, or whether someone just went creeping. The only person who can know for sure whether any particular access needs investigation is the patient.   Indeed, if a patient has concerns, NHS England guidance is that they should  ask every Pharmacy in the country whether their record has been accessed and whether the Pharmacy thinks that was appropriate – the patient gets no information whatsoever. 

Access to patients’ records is being widened, and the demonstrably inadequate protections are unchanged – in effect they’ll be narrowed, given they’ll be known in advance. There’ll be no meaningful protections in the Single Patient Record unless you’re a high profile individual capable of getting the attention of what the Minister pretends are “NHS security teams”. 

The Princess of Wales has armed guards. You shouldn’t need them to know your medical notes are secure.

Ministerial intent

When Mr Streeting spoke in the House of Commons debate, he said:

“Our health, our data, our NHS—patients should control who can access their data, and they should control their own data.”

Even if Mr Streeting’s intent was honest – and it probably was – it is not delivered by the text of the Bill.

Those undertakings were absent in Committee, and they are not what the surviving Ministers have said will happen. Indeed, after Mr Streeting resigned, Ministers have walked back that commitment – if DH officials ever really considered it. According to the text of the current Bill, patients will not control who can access their own data, and they will not control their own data.

If promises about privacy, access and patient control aren’t on the face of the Bill, they will be watered down in future.

While the Minister said “Members from across the House have asked how those safeguards will be built into how the system is designed and operated, which is what we are doing”, what they are doing will still allow creeps and ghouls to stalk terrorism victims or their neighbours – and patients will have no way to know anything about it. 

The fact that a patient is in a hospital does not mean that anyone in the hospital should be able to just take a look, but in practice they can.

When Ministers say data access will be “only for the right reason”, they are stating an intent not a constraint. The patient won’t get to determine the reason, and there’ll be no meaningful constraint unless patients are given access to evidence that means any complaint they make is taken seriously. Without a patient-visible audit trail of access to their records via the NHS app, then that threshold won’t be met unless you’re a high profile victim (and those who creep on you regularly do so again).

Because the draft Regulations have not been published, it’s impossible to know when Ministers say “that is what we are doing” that what they say matches what the former Secretary of State said – or whether what they’re doing will continue to enable creeps, as has been happening for the past two decades.

Patients are being required to trust that the Singe Palantir Record will work in their interest – a terrible place for a new Government to start from. The new Government must give patients a way to see that promises made are what is being delivered.

To be trustworthy, an audit trail must cover everything

Ministers parrot US company Palantir Inc’s assertions that Palantir has audit capabilities that others don’t – but if those capabilities are unavailable to patients, they may as well not exist.

Contrary to what Palantir may believe, “audit” means revealing everything that happened with your health records, not just the things that the NHS would like you to know about.

The Single Patient Record is caught up in political spin, and the Single Palantir Record is something entirely different than what’s being promised – benefitting the creeps, ghouls and Palantir, and creating an even more murky situation for patients, who will be forced by this Bill to accept whatever Ministers and Palantir choose to give them.

==

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.

The Coming NHS They Didn’t Campaign On

A new Prime Minister is coming.

He will have views on what he wants to do. Good intentions always meet unforeseeable events, and some events entirely foreseen from the decisions made by his predecessor’s health secretary.

A new Secretary of State will come in, and ask about the problems everyone has, as all his predecessors have done. 

  • “What do we do about waiting lists?”
  • “What do we do about GP appointments?”
  • “What can we do about A&E?”

Labour are about to have their “grayling reforms” moment.

Waiting lists 

The Department of Health’s logic on waiting lists is simple – about 1.7m people flow onto a waiting list every month, and about 1.7m people flow off, and the stock is 7m backlog. If no new people joined a waiting list, you’d be done in about 4 months. The “single point of access” was designed to get the 1.7m down by about half – which is impossible if it’s doctors, but it’s not going to be doctors. It’s not going to be humans.

In a Single Patient Record world, it’ll be a central AI, which will decide whether the referral goes through, or whether the “NHS Online Hospital” (NHSE expects this to be even more Palantir AI) will monitor you in the community. That doesn’t count as being on a waiting list.

Waiting lists will come down because the AI will only let through the people most in need of care at the capacity that they can flow through. When the Department of Health in England says half the people on a waiting list don’t need to be there, they mean that they can stop them joining. Without any change in productivity, that will mean the waiting list drops to zero in eight months (in theory – 1.7m people flow off per month, but only 0.85m join, and 8 months later the backlog is magically gone, in theory; not all treatments, etc).

That’s the theory from the tech people that Wes Streeting bought wholesale.

GP appointments

The current 8am rush and botched imposition of mandatory online triage has made no one happy. GPs are constrained by what DH/E will let them do, and suppliers are being bullied by NHS England to not improve what GPs can do. It is almost as if it is actively designed to make everyone miserable, including patients.

As the Single Patient Record rolls out (this financial year), you’ll get a new button in the NHS App, which is to ask the NHS AI whether you can have an appointment (running on the NHS AI platform, which forms part of the Federated Data Platform, provided by Palantir). Now, many things don’t need a GP, but it will be up to the patient to explain to the chatbot what’s up with them, and the AI will decide whether you get to see a GP, or maybe you get to see someone less trained. If you don’t use the NHS app, you’ll be at the back of the queue when the NHS national AIs prioritise appointments.

NHS England will say if you “need” to see a GP, then you can. But it is the NHS England AIs deciding if you “need” to. If the AIs that read your Single Patient Record says no, then those AIs running in Palantir will handle like Palantir’s bouncer handles these NHS records.

The roll-out of Single Patient Record will be imposed by the amalgamation of the existing Summary Care Records, existing GP Connect, (all run by NHS England) and the Shared Care Records schemes (over time, currently run by ICBs). Your local GP won’t get a say – in a Single Patient Record NHS, all GP data will be extracted into the Single Patient Record, and since DH/E controls the NHS App, a GP will never see the patients who are routed elsewhere without their knowledge. It’s not that a GP won’t catch something, it’s they’ll never be given the opportunity to.

The notion of “your GP” will become as irrelevant to you as the notion of “your bank branch’s manager” is – you’ll be expected to use the app for everything, and your branch/GP gets closed.

Banning people from walking into A&E

It used to be that you could walk into A&E while bleeding and get care.

The Conservative Governments of 2010-2024 kept trying to dissuade people from doing that, under the banner “111 first”.

Yes, that image on the right is a bunch of phone booths outside of A&E which you should stand and bleed in, rather than walking in the door.  

One of Wes Streeting’s legacies is that you’ll now be faced with an iPad that’ll potentially not let you register at A&E. If you walk in you’ll be given the same triage as 111 would do over the phone.

You can hang up on 111; the iPad just won’t let you open the door to A&E. 

Every new minister is told the next step down this pathway will help, an incremental step of good political intentions that will ever diminish the service to the public. Both will get endlessly cut as AI and algorithms that are designed to benefit the Department of Health in England, not your care.

The Reform/Restore line will be simple: “we’ll revert ‘Burnham’s ban’ and let you phone your doctor or walk into A&E” (actual progress is harder). While current Ministers chicken out of patient accountability on who has accessed records, political leadership can decide to show patients who has gone creeping. They may even promise to reopen your closed GP…

NHS England is looking at closing over half GP practices – if you halve the floor space, you have to close more than half of practices and move the staff to “Neighbourhood Health Centres”. Wes Streeting has set in train a Labour legacy of your GP practice being sold for flats (in the South – they’ll just be another set of neglected buildings where that’s not profitable)

Follow the money

All the outgoing government’s plans are heavily dependent upon the tech working and getting data.

Where is the funding in the 2027/28 ICB budgets for the Shared Care Records schemes? Go look, we’ll wait, you’ll be a while.

Across the NHS, political priorities come first, and the safety, usability, and safeguards that make a service usable and safe for everyone are only promised for later, and often never get delivered. Summary Care Records were supposed to be safe, with audit trails, in 2005, but DH never delivered. Single Patient Records will be no different – as DH/E will side with the creeps and ghouls given any opportunity – accountability and transparency always get pushed every further back behind other priorities. That’s how politically led organisations work.

When DH/E talks about the Single Patient Record having a summary of your medical history so you don’t need to tell your story again and again, that’ll be an AI summary that maybe you’ll be allowed to edit. DH/E will pick the cheapest AI for the job, which can mean grok and the Palantir AI Platform.


The Politics

Wes Streeting’s NHS never clearly articulated what the experience would be – it was just a promise of tomorrow with no description of how to get there or recognition of the trade-offs that are inherent in those decisions (reflective of Mr Streeting and the Government he served in) – akin to Mr Grayling’s reforms of probation services.

They’re the “winter fuel allowance” of the NHS. The administrators think they have an easy thing to do, but there’s a reason it’s never been done.

Mr Streeting’s belief was that if you fix waiting lists and GP practices, it’ll all be wonderful. As with the rest of the culture of the Blair Government in Exile, the assumption was it didn’t matter how things were done. Mandelson’s approach that human rights are an inconvenience, patient choice is an inconvenience.

Government can tell patients that the only way patients get to see a GP is via the app or showing up in person and begging. They can do this because DH/E controls the phone lines, it controls the app, it controls 111 (and then the slimmed down ICBs will be unable to justify keeping so many GP practices open, and they will be forced to close to move to the “neighbourhood health centre” which will be about as local as your nearest job centre – so if you go to knock on the door, you’ll be met with a permanently closed sign).

Mr Streeting assumed that the public will accept what they’re given. His culture has continued after he resigned (speaking of unchanged cultures, this new drivel is supposed to be the Government’s response to the Biobank debacle, guidance which changes nothing)

GPs are apparently data controllers for material in the Single Patient Record, but will not have access to who has looked at the record. Ministers will cover up the records because that’s what always happens

Dr Dash’s Ratner followup

Why didn’t Mr Streeting’s NHS talk about what they were planning? Because when their leadership opened their mouths, they filled them with their own metaphorical foot.

Enthralled by her undisclosed investments AI, the Chair of NHS England had a Ratner moment about doctors. Consequences have been covered elsewhere, some questions:

  • Where will these AIs run?
    • Will the “summary” proposed by Ministers be written by Grok?
    • How will patients know?
  • Who authorised the reuse of “direct care only” records in One London to be copied and sold for secondary uses?  (the ICO will figure out who the data controller is, and so who is responsible for the breach) Because data was taken for care, no opt outs applied to the GP data that is being sold by One London (on everyone in Greater London).
  • While Chair, why did her linkedin appear (click the first name here) on the website of a notorious company which “breaks national [data] guidance”? How did the company Dr Dash advised get their data given those FOIs? 

Under the powers in the new Health Bill to create prizes, will companies who have “unclear” data provenance be able to win prizes out of the NHS budget after their cheating? 

Will Ministers give NHS contracts to companies that stole NHS data and commercialised it?  

According to those same Ministers, the Health Bill means you will have no idea who has accessed your health records even as they are made much more widely available across the NHS (Palantir Inc’s VP for the UK claims “audit” covers only the topics he wants to talk about in the way he wants to talk about them – which isn’t audit it’s just PR)

Why the secrecy and dishonesty?

If Streeting were the politician he believed himself to be, why the secrecy?

If he believed this would work, why not say this is the pathway? We’ll close GPs, ban you from walking into hospitals, AI everything, but care will be better, and you’ll elect me as PM!

Why wasn’t any of this mentioned in advance of the Health Bill with its vague wording and unlimited powers to a Secretary of State who resigned minutes after the Bill was laid – clearly Mr Streeting knew he wouldn’t be around to implement any of this.

Why did the SRO not talk about it in Parliament?

There’s no argument that Government is taking the powers to do what it is claiming. The only question is how to convince patients that once it’s implemented it’s better. Or perhaps they simply hope the “prevention of future deaths” reports will only roll in after the election…

Why did the Minister claim no implementation decisions had been made, only days before it was announced that NHS AIs using the Single Palantir Record will sit between you and your GP, and those AIs will decide whether you should have an appointment. Only if the AI decides you need one will it let you through. If no decision has been made that FDP will remain with Palantir, can they show any contingency planning for this change? Or is the leadership ignoring the topic  until they claim it’s too late to do anything?

Deception and lack of integrity undermines confidence – the way to fix that is absolutely transparency and accountability. Maybe the above will work – Wes Streeting bet the entire NHS on him being right, and he ran away to make sure he wouldn’t be held responsible for the failure. When your GP surgery building has been turned into flats, it can’t be turned back again.

=== 

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.

Critical Intellectual Property of the NHS Canonical Data Model is controlled by Palantir

NHS employers may own the work NHS staff did within the Federated Data Platform, and they do, but when one former former NHS staffer writes “The Canonical Data Model belongs to the NHS, is licensed via the Open Government Licence, and is available to all on GitHub”, but omits to give the link which shows:

  • when you read the PDF, the word “palantir” is nowhere to be found – yet in the Model description itself palantir are everywhere, from:
    • “servers: – url: https://ptukhealth.palantirfoundry.co.uk” (it’s especially notable that this isn’t an nhs.uk address and doesn’t even reference the NHS – this is not NHS owned);
    • “paths: /api/v2/ontologies/palantirukhealth-ontology/objects/Admission”;
    • with over 1000 mentions of Foundry and over 1000 of Palantir, including:
      • “title: Palantir OpenAPI”;
      • “description: The Palantir REST API. Please see https://www.palantir.com/docs for more details.” 

That repository does not say how the PDF is built from the model, so it is impossible to tell (from outside the Palantir office) whether the difference between the PDF and spec is deliberate, an it is why open source matters in standards and specifications.

Some FDP advocates may claim that the ontology is owned by the NHS, but Palantir clearly has scope to disagree – and when it matters, the repeatedly litigious Palantir can and likely will deploy their lawyers to block use elsewhere with which they disagree. 

What to do about it

The NHS could deploy Claude to regenerate the ontology from NHS data, and update all the code, but that’s going around Palantir’s ownership of something the NHS doesn’t own or control – as to quote an FDP advocate: “The CDM would need to be reimplemented”, because the NHS doesn’t own or control it.

The CDM must be reimplemented by the NHS without touching any Palantir IP, and Palantir must certify that there are no Palantir rights engaged, before any NHS body signs any future contract with Palantir. If Palantir wishes to hold patients hostage the way FDP advocates suggest Palantir would hold cancer patients hostage, then that should encourage migration sooner rather than later.

Which is the core practical point of the criticism of Palantir and the current v1 FDP – Palantir can block patient benefits and limit NHS choices if it chose to. There are a few key chokepoints, and they must all be resolved (Cancer360 is the main patient facing one we cover elsewhere.)

===

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via our free Substack – updates are free to read; we’re very grateful to all who can support our work with a Monthly or Annual subscription, or make a regular or one-off donation.

A Plan for The Medium Goodbye to Palantir

Palantir isn’t magic, but their staff are well paid to work hard to make Palantir irreplaceable. The Commons Science Innovation and Technology Committee recognises this is a risk, and it has been left to a new Health Secretary to figure out what to do next. 

We offer a workable plan to mitigate the (multiple) risks, and to create options for the NHS which can increase accountability and trustworthiness. [added: we more clearly flag a slightly buried risk elsewhere]

Whether moving off Palantir is possible isn’t meaningfully contested. A “former FDP lead” agrees that Palantir can be replaced: “From a technology perspective, there is no lock-in that you couldn’t get out of.” There’s no dispute such a move could succeed – the CEO of Palantir UK agrees “there is no technical lock-in”, although not all forms of lock-in are “technical” – but there are different views on whether it should be done, and whether an attempt would be successful.

At this point, even trying to ensure a level playing field will generate further profit-motive derived subversion and novel PR campaigns – perhaps akin to an ex-PM commenting on current Labour leadership – but the NHS refusing to create options will stoke even more public opposition and continue undermining public trust. The NHS does not exist as a cash cow for suppliers; it exists to provide care – and citizens, patients, and voters all get a say in how that happens.

The NHS frontline ‘plays on hard mode’; if a patient says no to a blood transfusion, they can do that. Technology for care can’t ignore the constraints that the frontline operates on, even if it would make staff or suppliers’ lives easier.

Palantir’s UK lead says both that the Government’s digital ID programme “isn’t one for” Palantir and that he “would not want to live in a world where  unelected tech bosses can decide which government policies can actually be delivered” – speaking out on politically relevant projects he wants to speak on, while remaining silent on issues where he could make identical claims that don’t need a large cheque upfront, or the clunking fist of state-mandated Surveillance Nationalism.

Speaking on Radio 4, Palantir’s UK lead said: “The proposal is that the NHS cancel our contract, but it does not propose an alternative” – because of course he’d say what’s in his commercial interests. Such a plan would come out of the Health Select Committee, which isn’t the one that wrote this report; medConfidential are glad that Mr Mosley seems to agree that such a report should be written. Any pathway has to be grounded in honesty to patients.

When discussing the Palantir platform, DH/E told the National Data Guardian that “access to identifiable patient information would be limited to NHS staff with a legitimate need” – then the NDG discovered Palantir’s staff had ‘unlimited’ access as well, by reading it in the press. That Palantir staff have access is one thing; that DH/E lied about it is quite something else. 

Some Tech companies learn lessons, some don’t

The “P0 Plus Plus” chapter in the recent DeepMind book has a thought experiment on what might have happened with different leadership, and the entire book shows how it would have been different under Demis. What it shows is that it’s not always that someone can’t do what the company wants to do, but rather they can’t because they lack public acceptability due to decisions they made in the past. Those decisions may have been opportune, and got them to where they are – but now they prevent them going any further. Sometimes one company can’t do everything under a single division, with a single person leading everything.

Palantir suffers from the same Tech Bro delusion – their past choices have closed off public acceptance of some future options. They may think they can do anything, but that doesn’t mean they can do everything.

Conversely, something which under one regime is a weakness can become an opportunity under renewed political leadership, where good options can be implemented – the biggest barrier is haste over speed; the more you rush into things, the slower the progress.

All of Palantir’s funding that went to Peter Mandelson, and all of the pre-election ‘education’ of Wes Streeting count for much less than they did on the day before he quit; Streeting hasn’t left any even mediocre options on the table. Wes may say “We learned at terrible cost in Iraq what happens when loyalty replaces judgment”, but the same argument applies to his own ongoing loyalty to Palantir and the Peter Mandelson playbook.

The long goodbye will be sabotaged by political games; a quick quit is currently difficult because it was designed to put patients at risk. To move forward, that risk must be managed first, and removed, before the platform is (potentially) replaced.

Palantir can hold cancer patients hostage 

Palantir claims their tech is better than anyone else’s – if so, they should be willing to prove it in the market and not rely on lock-in, monopoly, and bluster.

Cancer360 (the Palantir-only cancer pathway tool) and Optica (the Palantir-only hospital discharge tool) are the tools by which Palantir implements their vendor lock-in monopoly.  The NHS owns no intellectual property on Cancer360; Palantir decides how and where it works. An intern at Palantir has more unilateral authority over every cancer pathway in the country than any NHS cancer doctor – this is the system as it exists today. 

Turning off Cancer360 means breaking cancer pathways (as FDP advocates admit), and that’s not an option. 

NHS England should immediately require that there are three competing equivalent tools for cancer hospitals to use to manage their pathways. This will provide resilience, it will help competition, and it will help Trusts work how they want to work – and crucially it will remove the ability for a single supplier to dominate a key National Health function. 

As is argued, “The Solution Exchange needs a commercial framework and early adopter engagement now”… “None of this is happening at the pace it should”. The only organisations who can put products on FDP right now are NHS bodies and Palantir. A flourishing platform of choice and innovation, with suppliers competing to meet specific needs and provide the very best products doesn’t exist. It should – it is what was promised – but it doesn’t. On the FDP as it exists today, any supplier competing with Palantir must pay Palantir.

As it is for cancer, so it is with Optica for discharge – although the F1/F2s who keep A&E running are quite used to national decisions making their life harder, so would likely cope with Optica going away temporarily.

Step one: DHSC/NHSE can refuse to allow new monopoly Palantir products until there are multiple competing suppliers for that product. (we talk about the Canonical Data Model elsewhere)

Competition will take a short time – the best time to start this was in 2024, the second best time is now – but competition ensures there’ll be no aspect of FDP that is eternally bound to Palantir.

Re-tender in future

With competitive suppliers for all of the functions on an NHS FDP, the Platform can be re-tendered as and when the NHS chooses. (Noting that creates a long overlap for the kind of dark arts that the Dark Mister Mandelson practiced, prior to his disgrace.) 

The incumbent FDP supplier will have people in every meeting, and will spend whatever it needs in order to keep the underlying platform contract – but whatever is best for patients today and in the long term should win. Vendor lock-in can never be best for patients in the long term.

Of course, patient and public opinion will also have to be taken into account.

Maybe Palantir will say they’ll allow Cancer360 to run on Apache Spark platforms from their competitors. That is entirely possible, technically – and it provides Palantir with the choice to show whether they care more about patient care or their own profits and lock-in. 

It is entirely reasonable for a tech company to choose either way. Apple produces its Music app for both Windows and Android, but doesn’t offer its Garageband application; these are purely business decisions for business reasons. 

Like Apple, Palantir is allowed to choose – but the NHS should not be hostage to Palantir’s choices.

Equally, NHS Trusts should be able to choose the suppliers of their tools. Is there lock-in to FDP apps or not? If not, then they can exercise choice. If there is, then that’s a choice too…

From Palantir’s perspective 

Fujitsu was the tech company of the future once. Palantir and their supporters’ understanding of their tech isn’t wrong – but the choices they make on how to use it are limited by Palantir’s culture, its ideological leadership, and their decisions. If selling out the public Horizon-style met Palantir’s interests, they would act just like Fujitsu.

And that is the underlying generator of lack of trust: that Palantir will do what is in US Palantir HQ’s interests, not the British public’s. Things were much simpler when Palantir’s customers were solely the US Military, who don’t care what those who are on the impact end of a bomb think about the bomb being dropped. The British public demand far more say than that over NHS decisions. 

Palantir got this wrong at the start of the contract, and NHS England’s inaction meant Palantir never had to learn the lesson. Palantir exacerbate the worst instincts of the Department of Health in England: to centralise control and remove autonomy from professionals who understand nuance and local expertise.

Palantir only considers solutions that are entirely compatible with existing and expanding Surveillance Nationalism. When all you have is a hammer, every source of revenue must be treated as a nail – which is the sort of approach Peter Thiel has just fled to Argentina to escape

NHS Code should be portable (and can be made portable where corners were cut)

It’s a common fallacy that the only silo that matters is the one the advocate sits in. There are legitimate analytical needs across the full Reproducible Analytical Pipeline spectrum that should be facilitated. (RAP used to be an unpolluted acronym…) When IT Crowd Tom argues in favour of FDP, or addresses some criticism, that is not the same thing as arguing for Palantir.

He claims all (his) NHS written code is portable without lock-in, so his important but long-neglected basement team has nothing to lose from changing platforms. This is what he argues when he’s not making the conflicting claim that only Palantir can do FDP – Tom can’t have it both ways, no matter how much it makes his life easier to try. FDP is an expensive way to run commodity R/python code owned by the NHS, but it’s the only way to run proprietary R/python code owned by Palantir.

When the neglected deprived kids in a poor neighbourhood are tempted by a free trial and cheap opening offers from the local dealer, the right answer is not to have someone a bit less malign make the same offer. Instead, it’s to help them now – and those services that help them will help all those who follow.

Palantir isn’t magic. It’s just software, and good software is portable, but political decisions are political decisions.

As it operates today, the Platform can tell patients how data about them is accessed and used – Palantir’s FDP is entirely capable of doing that – but NHS England point blank refuses to provide that feature to patients, choosing instead to side with creeps and ghouls who look up the records of people they know and victims of terrorism. FDP could show each patient exactly where their data is used and for what – that logged audit trail exists in Palantir’s software, why isn’t it turned on?

Software can be written to do what is wanted, currently there’s no agreement on what that is.

Available Next Steps

Palantir isn’t a revolutionary force; it is an expensive cage built in software. The true threat to the NHS is not a lack of technology, but the willingness to prioritize vendors over patient dignity and choice. 

The way forward is not an abrupt exit, but a firm insistence on competition that forces accountability. Because when the health of a nation can be managed by the deepest pockets and the slickest playbooks, the patient (and the electorate) hold the final veto.

Step 0: Turn Palantir’s audit trail into patient rights. Immediately enable NHS patients to see exactly where their data is used now – via FDP’s existing logs, to all patients who have automatic access to GP documents in the NHS App – not as a tech feature, but as a public trust mechanism. This should also include GPConnect and Summary Care Record audit logs held by NHS England as an immediate step to track ghouls and creeps.

Step 1: Immediately require 3 competing cancer pathway tools (not just one Palantir monopoly) for NHS hospitals – breaking Cancer360’s lock-in next to prevent using cancer patients as hostages.

Step 2: Mandate competition for all FDP products – no new Palantir tools can launch outside pilot hospitals until at least 2 other suppliers (including non-Palantir) prove they can handle the same workflows.

Step 3: Force re-tendering with competition – NHSE must re-run FDP contracts only after competitive suppliers prove they can deliver better (not just cheaper) patient outcomes than Palantir. Suppliers can provide the Platform or Products, not both.

== 

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via our free Substack – updates are free to read; we’re very grateful to all who can support our work with a Monthly or Annual subscription, or make a regular or one-off donation.

Biobank’s assurances get broken yet again

Biobank’s Chief Executive told their participants in a personally signed note that UK Biobank “will conduct a comprehensive and forensic Board-led investigation of this incident”, this report is that Review – and it is neither comprehensive nor forensic. Lord Vallance told the House of Lords that “importantly, this needs a complete and robust response”. What follows shows why the report is none of those things. 

Continue reading

Ministers choose silence on coverups and data abuses by Ghouls and Creeps

The Single Patient Record from Palantir was debated in Parliament on Monday, 1st June – we’ve covered what was said in another piece. Here we focus on what was deliberately ignored by the civil servants who wrote the briefings, and by the Ministers who reviewed them and read them out.

Victims of terrorism in Nottingham had their records accessed by hospital staff who had no reason to look. The hospital didn’t check until diligent work by the victims’ families forced an investigation – and then the hospital covered it up until more work by the families forced the hospital to start to come clean. It still hasn’t completely done so.

Victims of terrorism in Southport had their records accessed by hospital staff who had no reason to look. The hospital covered it up until journalists found the paperwork. Only then did the hospital tell the victims, just before the journalists published – which was after the Public Inquiry was over. (The hospital didn’t tell the Inquiry either.)

As HSJ puts it: “When is a cover-up not a cover-up?” Apparently it’s “When the decision to keep something quiet is based on clinical advice” – and almost anything can be supported by clinical advice.

Creepy single doctors look up the medical notes of the women they go on dates with. 

An MP mentioned that a woman’s maternity records were accessed after she started campaigning for better maternity care.

A stalker working at a hospital looked at the GP notes of their victim.

This behaviour is endemic. It is normalised. It is abusive. And it is covered up in the hope that patients won’t find out – a cover-up that normally works.

It may be wrong, but it’s entirely rational for a hospital to hide the abusive actions of their staff – the only thing that will stop such abuses is for patients to see when and where their records were accessed. Because then there can be no cover-up. Staff creep because they think they’ll get away with it, and because their institution will most likely cover it up even if they get caught. 

The Single Patient Record will make complete access to everyone’s entire medical history – prescriptions, notes, locations, and DNA – all readable wherever the NHS logo is seen; not just to doctors, but all those who work there.

The National Data Guardian has also just disclosed that she was told that “access to identifiable patient information would be limited to NHS staff with a legitimate need. However, since then, recent media reporting, and subsequent confirmation from the programme team, indicate that some external contractor staff also have access to identifiable patient information”. The Department of Health in England misleading the Guardian of patient data about what they’re doing undermines all the arguments made about how the Department will protect the Single Patient Record.

The new Health Secretary 

James Murray was appointed Secretary of State in early May. How many times were his medical notes read in the next few days? Does he really believe the number was zero? Does he have a way to know? If he does, why is that not available to all patients? 

Wes Streeting said in debate:

“Some will say that there is a contradiction: that centralising accountability and giving patients more control over their own data pull in opposite directions. But that is precisely the point. For too long, power in the NHS has sat in a no man’s land—an accountability sink, too distant from patients and citizens to be meaningful and just far enough away from Ministers that there is plausible deniability when things go wrong. The Bill takes back power in order to give it away: accountability for Ministers where it belongs, and power for the patient where it belongs, too.

The Government must face down powerful producer interests on patient data. Our health data is precious. Two things matter above all else: that our data is held securely and that it is used ethically. However, the single patient record is one of the most important reforms of the NHS for decades. It is frankly unsafe, as well as absurd, that patients are still being asked to repeat their medical history every time they access a different service. We also have to take on the producer interest of those who think patient data belongs to them rather than to patients. Our health, our data, our NHS—patients should control who can access their data, and they should control their own data.”

That may be what he thought his Bill did – it’s certainly what he said it does – even if he did refer to it as the “NHS Modernisation Bill”, which it isn’t.

However, the Department beneath him was using the SPR and related changes to remove choice from patients and use their data however the Department of Health decides it can. 

Mr Streeting complains it is “producer interests” who want control, because his Department never included in a briefing their assumption that that the Department should take control away from patients and keep it for themselves. Mr Streeting is very aware that no Secretary of State continues forever (at least now he is) and that what he says currently has no more weight than the statements of any of the other MPs that Ministers just ignored.

The Department of Health and Ministers are in denial of the scope of abuses

As HSJ described, the institutional response is to say “clinical advice” and to cover up the access – institutions covering up for creepy staff in their institutions. When DH appoints their new “Director of Privacy and Information Governance”, Jimmy Saville would fit right in.

Many accesses are legitimate, some are not – and the only person who’ll know whether an access was legitimate or creepy is the patient. And ‘Information Governance’ is used as an excuse not to tell patients.

No computer can know why you walked into A&E. It can make a guess based on what you tell the doctor and what’s happened before, and sometimes that guess will be right. But sometimes isn’t good enough.

For a patient with sickle cell disease and nothing else, walking into A&E and asking for morphine is a thing you can do. Straightforward cases are already straightforward.

Does the fact that you got hit by a bus this morning relate to the fact that you’re depressed and have previously had self-harm ideation? A month ago? A decade ago? When does the line get drawn? “Clinical advice” will be that it should always be included because it could at any time be relevant. If you tell your doctor something once, will it become something that is flagged at the top of your summary forever? Is everything that ever appears in a transcript of a consultation suitable for consideration in the summary? Unless the summary is perfect, and even if it is, a doctor is still going to ask a patient why they’re there.

When Ministers say they’re doing what people want, are they sure that the details have been accurately presented to people? And if so, why does the Bill provide no meaningful choice for patients about whether they have this?

It is up to the new Health Secretary (or Parliament)

Given all the news about abuses of patients’ records – current cases being only the latest in a long history of examples – why did Ministers not commit to protecting patients’ information beyond platitudes that are demonstrably insufficient? If the summaries are rich and detailed enough to be perfect in every consultation, they will get used for other things as well.

The new Health Secretary claimed he’ll hold steady and will follow the direction of his predecessor. That may be his intent, but the officials and institutions below him will try to water down the supposed safeguards – always claiming “clinical advice” – to make achieving their own aims easier. 

Without a clear commitment and legal obligations, the long history of creeping on medical records will get ever longer.

Parliament has the opportunity to do something about it.

===

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.

Second Reading of the Health Bill – enabling and empowering Ghouls and Creeps

The Health Bill was debated in the House of Commons

In his first debate in the House of Commons, the new Secretary of State for Health James Murray joined the side of the ghouls and creeps who read medical notes simply because they can. Nottingham victims, Southport victims, others all covered up, and Ministers said nothing beyond platitudes that it’ll all be fine, platitudes that DH officials working on the Bill are already breaking and undermining, deliberately and knowingly.

One MP said: “My constituent, whose family member was brutally murdered, is rightly horrified that victims’ NHS records were shared unlawfully online with NHS workers—she called it “repugnant voyeurism”, and she was right to do so. I hope the Minister will echo the apology of the trust and condemn that kind of behaviour.” Ministers did not echo the apology and did not condemn the behaviour, in fact they propose to exacerbate it.

The Bill debate came straight after MPs debated the new guidance on who can/must have their genitalia checked in order to enter a toilet in a public building. MPs then moved seamlessly on to data sharing such that anyone in the NHS can access any data they feel they need, and it will come down to Ministers to decide what information must be shared, not patients. Indeed, there is no legislative basis for patient control over sharing at all.

SPR means choices being taken away

Layla Moran described a constituent “who described how repeatedly recounting traumatic experiences compounded her own suffering. The single patient record could be transformational for her and others who find recounting traumatic experiences difficult.”

Patients tell their story all too often, but equally they may not wish to share all information with all care providers – do all the staff in your local pharmacy have to see the notes on consequences of prostate surgery?  Or see the reason that you have the prescriptions you do?  Or the full detail of the “traumatic experiences” being shared – the NHS knows all of it, it recorded all of it, including all of the details that the patient wishes no one read about every time they walked in the door. Giving all the information to everyone is no better than giving it to no one if it’s not reliable. Your record will be fed to a Palantir AI and summarised by them. How relevant is the cause of a self-harm incident at 19? or 14? What’s the risk averse summary? Is every event ever mentioned in every transcript of a consultation includable in the summary?

Wes Streeting said in his speech: “Our health, our data, our NHS—patients should control who can access their data, and they should control their own data”. Yet the Bill Mr Streeting introduced does not do that, it’s what he says, but the Bill and his (former) Department does the opposite. Did Wes Streeting mislead the House on what he believes, or did his former Department just ignore him?

Promises keep getting broken

There were promises of safeguards to come – in secondary legislation that the Commons has no ability to amend. 

The clarion example is the Summary Care Record – which already does much of what the SPR is supposed to do. Prescriptions, notes, major details. The Summary Care Record already has an opt out, with a form in the pack of paperwork that you used to get when you registered with a GP. In 2024 NHS England forced GPs to accept online registrations, and low level officials in NHS England absolutely refused to ask patients whether they wanted such a record. Instead this is the text that is shown to patients who might want to opt out – more punishment paperwork because patients want to express a choice. This is the Digital NHS in practice – digital only if you do what Officials want to make easy.

Choices get watered down in the process.

Unless the SPR has a clear statutory opt out, DH officials will water it down at every opportunity, as is currently happening yet again with the National Data Opt Out reform process – where what Wes Streeting said was outright refused by his officials. 

Former Minister Dr Ahmed argued data “must be used for the benefit of patients” and it seems DH believes that is for DH alone to decide that, not patients. 

Secret?

The House was told that the system will be “Critical National Infrastructure”, but that does not protect any of the data in it from those who can use it.

Government classifies some of its plans for the SPR so that MPs and the public don’t know anything about them until the Bill has passed – will the consolidated single patient record be covered by the Official Secrets Act, so that abusing it to creep on neighbours, campaigners and victims of terrorism will be something Whitehall cares about? 

Unlikely, because DH officials are making the policy guess that in return for the NHS staff being allowed to keep creeping on victims, they’ll get to use the data however they want too.

In practice, it would be entirely in line with what Ministers have said that patient data be accessible to anyone without sanction, but the audit trail could be classified so no patient can ever see it.

We’ll have more on the SPR and the Bill debate shortly

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.

A quick look at the proposed English NHS Online Hospital

The reasoning behind the Single Palantir Record is incomplete without considering the National Online Hospital. The NOH is entirely missing from the Health Bill, but is a key part of the 10 Year Plan.

The initial argument for the National Online Hospital is that simple cases, check-ins and monitoring can be done via the App at home by a virtual team of doctors (and eventually AIs) who you don’t need to meet with unless you actually want to. That consultation meeting could have been a text message…

Government may respond today at Second reading of the Health Bill about the ghouls and creeps who abuse hospital (and GP) records, most notably recently of Southport and Nottingham victims, and the abuse was deliberately covered up.

A light touch option for light touch cases? Or for all cases?

If your blood pressure is normal and you do your own readings, there’s no need to go to the clinic for that unless you want to – or if a medic spots something is up.

For some conditions, that’s entirely reasonable and it’s what some patients want. 

Indeed, the first nine specialties being addressed by the National Online Hospital all fall into the ‘measurable at home’ bucket – or where many patients report they fall between different silos of the NHS, where remote specialism care might create a better option with no risk of a postcode lottery.

Even if what you end up needing is a blood test or a physical scan of some kind, the online hospital will book you in to wherever is most convenient to you to have it done: your local Community Diagnostics Centre, hospital, or GP.

Care can be prioritised, but it can also be deprioritised – and decisions about new care pathways are being politicised (e.g. ADHD, trans care) which is only possible at national scale. The consequences of national decision making on General Practice will be bad for your local GP, even if it makes DH feel good. 

Also, dealt with from a distance, the overriding imperatives will be about counting patients and showing that process was followed, rather than actually giving individuals the good care that they want.

The Online Hospital will have to keep records

To make this work, there needs to be a universally visible and accessible patient record – maybe on a Data Platform which is “Federated” across the NHS? Enter the Single Palantir Record.

The NOH is starting with low-hanging fruit where there’s clear desire and patient benefit for the new operating model – which will be highly dependent upon the provider of the EPR to make it work, and to design the pathways. Enter Palantir.

There are many reasons to do a National Online Hospital, as well as Community Diagnostic Centres, but when you put them together in this way, the logic becomes clear.

By definition, the Electronic Patient Record for the new NHS Online Hospital will be the Single Palantir Record, because that’s what DH has decided the SPR is for. Arguing that the NOH should have its own different EPR would undermine the reasoning for both the National Online Hospital and a Single Palantir Record. 

Over time, DH will then argue that having a Single Patient Record with everything in it as well as a separate GP record is duplicative – and so the core funding for GP record systems will be cut off, as DH refuses to pay for the duplicate service. (If GPs want to maintain their own systems, they’ll have to pay for them) 

The NHS has to figure out how to deliver care when the Secretary of State may meddle in every minor structural decision they take. When they’re sure the new Hospital is good, they’ll give it the Royal imprint. But not yet.

===

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.

medConfidential Bulletin, 22nd May 2026

Hello again! It’s been a busy few months since our last Bulletin, and with so much noise in the news we wanted to send an update.

What just happened – Streeting is gone

Mr Streeting, protégé of Peter Mandelson, admirer of Palantir, is now the former Secretary of State for Health. Yay! That doesn’t mean tomorrow will necessarily be better, but it does mean that patient views – and rational, coherent argument underpinned by evidence – stand a better chance of affecting decision making, rather than the main factor being the effect on a bid to get into Number 10.

You may have seen that UK Biobank has been in the news several times over the last few months. They made a series of promises to their members, and to the NHS, and then failed to keep them. They also loudly advocated for the “pandemic only” GP dataset to be used for anything the Secretary of State decides he wants to do with the data. Mr Streeting decided he liked that idea, and in February he tore up the pandemic-only promise.

Mr Streeting’s last act in office was to lay his Health Bill in Parliament. The Bill proposes that you must have his Single Patient Record in Palantir (aka Single Palantir Record) and that politicians will decide how it is then used – any protections you and your data receive being in the gift of the politicians of the day. 

Hmm. How’d that go for the pandemic dataset?

Current chatter in the corridors of Government suggests you’ll have fewer choices about how your and your family’s medical information is used than you’ve had for the Summary Care Record for the last two decades.

What’s next – more talk, not change

Your opt out works today as it always has, but Mr Streeting has announced it will be less effective after his Bill comes into effect. 

That won’t happen immediately, so you still have time to act – but Mr Streeting wants it to be this year. (And he’s quit to have a run at PM, so who knows what will happen…)

www.medConfidential.org/how-to-opt-out 

Labour may speedrun the lessons of the 2006-2010 Summary Care Record roll out, where you finally got a choice – either at GP registration time, or later. NHSE has worked for over a decade to walk this back, just in time for a previous Labour health secretary to reappear on the national scene. Hello again Andy, my old chum!

What you can do

Nothing has changed yet. Your choices are still there today, but the new Secretary of State may follow through on the threats of his predecessor and take away your ability to opt out in future. Before that, a day may come when the opt out will do less than it does today. 

Politicians may also make you opt out again, because they dislike that you did so already.

The rules and standards around access to the Single Patient Palantir Record, as with the Federated Data Platform on which it’ll be built, will be whatever the Secretary of State wants. 

You may wish to write to your MP – the Bill applies UK-wide, not just in England – pointing out that the Health Bill they may vote for will impose a Single Palantir Record on every single one of their constituents, whether they want one or not. (You may also wish to point out that while most people are currently unaware of that fact, MPs cannot rely on no-one finding out.)

We’ll be here.

Phil Booth & Sam Smith
22nd May 2026

coordinator@medConfidential.org 

If you want to hear from us more frequently than our irregular bulletins – they’ll probably be a bit more frequent this year while the Health Bill flounders around – you can join our free Substack, which sends you an email whenever we post something to our website.

P.S. medConfidential currently has zero grants to support our work, so we appreciate every small donation.

Wes Streeting’s final Bill

One day it was named the NHS Modernisation Bill; the next it was published as the Health Bill, with this funny line in Hansard: “Secretary Wes Streeting, supported by the Prime Minister”… oh.

Clause 1 is wonderful: “NHS England is abolished”, but they didn’t stop there.

Below is a short and more technical than normal summary. We’ll go through things a bit more slowly over time (added 28/5: we have some draft amendments for now).

The public engagement process on data has been so distorted by NHS England (which is also being abolished by the Bill) that the purposes that least concern the public will have the most opt outs applied  (bona fide academic research), yet the purposes that most concern the public are likely to have no opt outs applied  (privatisation, commercialisation, and Government uses).

In Parliament, MPs can vote against the programme motion to give more time for assessment and discussion – none of that happened before the Bill was published. Voting down the programme motion is to wait for Andy Burnham to reassess this process, and do the work Mr Streeting never did.

There is no obligation in the Bill for all uses of NHS data to be consensual, safe, or transparent – indeed, many of the provisions allow the opposite.

The main announcement is that you will have a Single Palantir Record containing all of your medical notes, all your prescriptions, and your DNA sequence – all controlled by a politician, accessible and sold to whoever he sees fit. This wasn’t in the briefing Wes gave to make his plans sound good, but if the SPR regulations are unchanged, your GP opt out will be wiped away so he can sell your data.

To those who think going private will help them, there are powers to demand data from regulated private entities in a range of circumstances – which will become a chew toy of the Secretary of State. Registered medical professionals will be told they are unfit to practice if they don’t use the Single Palantir Record, and if they do use it they’ll be forced to write your private health details back into it. 

Andy Burnham’s Greater Manchester NHS has repeatedly shown how FDP would be a step backwards for them – and this is Wes Streeting using his last vestige of political power (for now) to take a system that works for others, and replace it with a product whose supplier paid his mentor. 

Any good intentions are obscured by the power grab and the complete lack of protections for patients. Indeed, there are more protections in this Bill for the ‘Federated Data Platform’ (i.e. Palantir) to burrow deeper into the NHS than there are protections for the patients’ data within it. How very Wes Streeting, who, when introducing the Bill, knew he wouldn’t be the one to wield those powers himself.

Your medical notes, prescriptions, and DNA will be used however a politician decides; you’ll have no say and no choice. 

Line 20 on page 100 is the key: it says the NHS must do whatever politicians decide, with any medical records they have anywhere. The Secretary of State for Health can take any data (s)he chooses and punish those who complain or push back. Patients will have no rights and no choice. [added 28/5:] For clarity: that clause largely continues existing weak limits what the NHS does about publication – any “sharing” or “access” that is not “publication” is entirely outside of the scope of that clause

The Bill also strips away all of the existing statutory processes, and forces all current data flows to happen through Single Palantir Record. The usual requirement of adulthood for social care uses of data is missing – this also applies to vulnerable children. It’s a very Peter Mandelson Bill.

Clauses 47-57 are all about Data. You will have a Single Palantir Record, and you will not have a choice about your data being in the (former) NHS England data platform, known as the Federated Data Platform, that is provided by Palantir. 

  • The test to be met for the Secretary of State to take a copy of your medical notes is if it is “expedient”, or when “the Secretary of State considers that disclosing the information is a proportionate means of achieving a legitimate aim” [Schedule 7 clause 11 (261) (2) (g) & (j)] 
  • Secretary of State will collect all data he wishes about you, and share it as he wishes, and only Secretary of State’s views matter [Schedule 7 clause 5, plus Sch 7 cl 6-10]
  • You may choose not to look at your Single Palantir Record [Sec State can’t make you]
  • You may choose not to look at who in the British Isles has accessed your Single Palantir Record, to the extent that Secretary of State chooses to show you (there’s no punishment if they creep on you) [cl 250E(5)]
  • You shall have a Single Patient Record, and you shall have no opt out [none in the Bill]
  • Your Record will be updated how the Secretary of State or someone else decides. [cl 49(3) & 49(4)]
  • When you talk to one part of the health and care system, the Single Palantir Record will reach into your notes and records at other providers you receive care from, and rewrite those records [page 7 of the impact assessment]
  • Your ability to opt out of research appears to be taken away [Sch7 cl 11(261)(2)(d)]
  • Commercial users are fine, and you’ll have no choice about that either [cl 48(5)(7)(a)]
  • Read and write access reaches “anywhere in the British Islands;” [cl 47(2)205E(c)(ii), also cl 50 & 52]
  • And if your doctors don’t like this, they’ll be fined or punished by regulators [cl 47(2)205E (2)(d), 250F]
  • The “British Islands” reach also applies to research, so a corrupt cartel outside of England – hence outside England-only enforcement powers – can resell any/all of the data placed in Palantir (i.e. every English patient’s data) under the custom rules of a “British Island” but off-shore tax haven. England also takes over a lot of decision making about anything on the platform, overriding devolution by not simply not caring about others’ views and making it a ‘take it or leave it’ offer [53-56]
  • All duties of confidence relating to your records are set aside for whatever purposes the Secretary of State decides [“may” in cl 47(2)250E(3) vs 250E(4) & (5)]
  • There should be rules against abuse, but there’s no legal basis for any punishment [cl 47 (2)250E(2)(5)]
  • All of the existing data flows around the NHS shall be merged into the Single Palantir Record powers above, as has already begun under ‘faster data flows’ [cl 49(3)251ZF & cl 49(4)277G]
  • The Bill extends the scope of NHS data, but does not expand the remit of the National Data Guardian to match. There will be no Guardian with remit over the expansions. {line added 16/5}

Clause 47(2) covers all health and social care – including both adult and children’s social care, despite children’s social care not being a function of the Department of Health. (We assume the Department for Education will have something to say about this.)

Sharing data across government (or beyond) would be covered by it being either “expedient” or a “proportionate means of achieving a legitimate aim” – the lowest of low bars. This is the sort of test that Peter Mandelson and Tony Blair would love.

References to “the British Islands” are weird. This means that data about English patients can be processed in Scotland under Scottish rules – which is an entirely different mess, which we’ll pick up again soon – and the entire Bill ‘goes GB’; it’s UK-wide, with hooks for Northern Ireland too.  The so-called “Secure Data Environments” in England are trying to harmonise themselves so that decisions by one are binding upon them all, but now data can flow over the border and into UK Biobank-style messes enabled by Scotland on English-only data – not forgetting that HDRUK and UK Biobank share a culture. (The tax haven clauses suggest Mr Streeting was assuming his allies would have control in both Scotland and Wales after the recent elections – an assumption that couldn’t have been more wrong, and which undermines other of his recent actions.)

After this Bill passes – if it passes – then cancer care in the NHS will be limited to a false choice of either ‘all your DNA goes into Palantir’ or ‘you die, US style’. Any promises made risk repeating the precedent of allowing UK Biobank to use “pandemic only” GP data however they cho(o)se, which meant it was all for sale in China and freely available on the internet. Any promises made in the next claim of emergency will get broken, and data once taken in an emergency will be retained – because Wes already decided that can happen.

At this point, and given the Bill was published to surprise everyone, the Bill as introduced is so blunt and far reaching that MPs should vote against the programme motion, to allow sufficient time for notification and responses from those bodies who will be obliged to comply with the Bill. 

Mr Streeting took lessons from his political mentor Mr Mandelson in trying to ram this through by imposition. The House of Commons can tell the new Secretary of State to take some more time. 

Because fixing this mess will take time.

Other clauses

medConfidential and others will pick up clauses 2-46 over time, which are most of Wes’s top-down reorganisation written into law – taking even more powers to himself. 

Clauses 4-7 of this Bill will throw Clauses 1 of the NHS Act 2006 into an utter mess. One of the many organisations jockeying for influence should convene a process to take all of the different clause 1 additions to NHSA 2006, and promise an amendment which leaves something coherent after this Bill – there are 4 clauses to play with, and it might turn chaos into some form of order… 

[added 28 May: there has been some (seemingly unpublished) suggestion that “SPR proposals move data sharing from local discretion towards national coordination” and that “The SPR is being introduced for direct care, but there is a need to future-proof wider use”. The Bill is explicitly not just for direct care, so wider use is already in scope, and supposed “national coordination” is local areas, including potentially areas outside of England, making decisions about national datasets of all patients in England.]

Bill work

medConfidential currently has zero funding for this work. Very few funders care about the NHS and protecting data – unless it’s reducing the protections, which is extremely profitable. Can you help?

medConfidential’s newsletter is infrequent – we won’t waste your precious time. We also have a free substack for notifications when we post new information