What is happening?
Amid mounting pressure on the UK government from numerous organisations, including Privacy International, Big Brother Watch, Open Rights Group, medConfidential, Foxglove Legal, and NoTechForTyrants, for greater transparency around its secretive COVID-19-related dealings with the controversial tech company Palantir, the government has released its contracts as of June 5th 2020.
The NHS ‘data deals’, which were published in response to the threat of a lawsuit by OpenDemocracy, included contracts with Amazon, Microsoft, Google, Faculty.ai, and Palantir, reanimating what remains a hugely controversial deal with worrying potential privacy and surveillance consequences.
The global COVID-19 pandemic has given rise to a number of emergency measures inscribed not only in policy and law, but also in the technological solutions proposed for public health remedies. In the case of Palantir Technologies, under the auspices of managing the pandemic, the UK government has put residents of the United Kingdom at grave risk in service of experimental technologies that have already drawn scathing criticism globally ¹.
Who are they working with and for how long?
- Palantir, who have worked in collaboration with the UK-based boutique AI firm Faculty.ai (previously known for developing counter-terrorism products for the UK government) ², are the intellectual property owners of any product developed for the NHS datastore project, including databases. This includes the ability to train other products using data processed through it ³.
- The iteration of Palantir’s product, Foundry, provided to the NHS is licensed as what it describes as a “PILOT/TEST” on its pricing list. On its official Foundry price list, Palantir lists the price for this level of the product as ‘based on customer requirements and subject to nominal fee based on SFIA Rate Card’, while defining the scope of the services as being ‘at Palantir’s discretion’. In the NHS contract, Foundry is licensed for a mere £1 ⁴, which should raise questions around what other payment in kind they might be receiving ⁵. Meanwhile, Faculty’s contract amounts to at least £930,000 ⁶.
- While the contract was originally drafted to be active between 12th of March 2020 and 11th of June 2020 ⁷, it is expected that the project will take place over a 12-month period between March 2020 and March 2021 ⁸. The contract can, however, following an agreement between Palantir and the NHS, be extended by an additional two periods of 12 months each.
- Although Palantir did not have any subcontractors listed in the contract, they do disclose that they require the use of a cloud subscription with Amazon Web Services ⁹, and that they will use Proofpoint for email encryption and Datadog for telemetry.
What do they have access to?
- In short, there are inconsistencies about the data types to which Palantir has access, and the government and the NHS must endeavour to provide greater clarity and transparency to the British public in order to maintain its trust.
- In a previous reply to 10 questions from Privacy International, Palantir claimed they only acted as data processors, while the NHS remained the data controllers. While the contract states that the NHS is entirely responsible for providing all of the data required by Palantir’s platform, once again positioning Palantir as data processor, it also defers safeguarding data protection to Palantir. This means that it is up to Palantir to ensure employees working on this data adhere to Palantir’s security standards ¹⁰.
- The processing activities that data are subject to are very vague: Palantir is permitted to carry out any “activities necessary to…perform its obligations” ¹¹.
- Especially because the processing is said to “primarily focus on data triangulation to support tracking, surveillance and reporting for Covid-19”, the huge range of personal data types available to Palantir is worrying. This includes: personal contact details; personal details; work contact and employment details; “any other personal data that may be useful”; and where necessary, race/ethnicity info, political affiliations, criminal history, and physical/mental health conditions ¹².
- Worryingly, the DPIA notes on page 12 that no data related to race/ethnic origin or political affiliation or genetic data or biometric data will be processed. On page 8, however, the DPIA states that there will be “processing of genetic data, data concerning health, sex life, racial or ethnic origin, biometric data, political opinions, religion or philosophical beliefs, or trade union membership” and no processing of data related to criminal history.
Is this safe?
- If and when the contract is terminated, Palantir are required to ‘return all Buyer Data including all copies of buyer software, code and any other software’, and to cease using NHS/Buyer Data (this data must subsequently be destroyed within 12 months of contract elimination) ¹³ᵃ. This is good, but there is currently no clear and available process for how this is enforced ¹³ᵇ.
- Under the contract, Palantir is granted access to any third party and background Intellectual Property Rights, to enable the “full use” of its product, including the right of the NHS to publish any of these IPRs as open source. It is likely this includes products developed on the back of UK patient data.
- In theory, Palantir agrees to uphold several of the government’s data protection mechanisms, including: the Security Policy Framework, the Government Security Classification policy, the CPNI’s Guidance on Risk Management, and Protection of Sensitive Information and Assets, the NCSC’s information risk management guidance, the government’s technology code of practice, and the NCSC’s Cloud Security Principles. However, given the discrepancies in personal data collection practice within the NHS’s DPIA and the Palantir contract, it is evident that human rights impact and risk assessment reports must be made available to the public.
¹ i. Palantir tech used by ICE; ii. Cross-atlantic ICE protests
² Page 13 in Faculty Contract
³ Page 43 in Faculty Contract
⁴ This is not the first time Palantir has sold a product for £1. In Hessen, Germany, a Palantir contract was awarded at €0.01 excluding VAT.
⁵ Page 3 in Palantir Contract
⁶ Page 5 in Faculty Contract
⁷ Page 3 in Palantir Contract
⁸ Page 37 in Palantir Contract
⁹ AWS is noted in this case to be hosted in the UK Region; however, the Data Protection Impact Assessment (DPIA) (p 15) says that the data processor (Palantir) will process data both in the UK and outside the UK (though within the EEA).
¹⁰ Page 16 in Palantir Contract
¹¹ Page 37 in Palantir Contract
¹² Includes non-named personal data and aggregated data, though in compliance with Framework Agreement Schedule 4: 4, 5, 12, 13.
¹³ᵃ Page 19 in Palantir contract
¹³ᵇ Page 39 in the Palantir Contract includes guidelines in its “standard clauses” which are purportedly described in a currently unavailable Word document titled “SCCs COVID-19.docx”.