Privacy advocates demand clarity over Covid-19 datastore

Privacy campaigners are demanding more information from health secretary Matt Hancock about how the NHS Covid-19 datastore will be used, citing the involvement of private technology firms and a lack of government transparency as major concerns.

In an open letter directly addressed to the health secretary, civil society organisations, privacy advocates and academic researchers urged Hancock to give the public more information about the datastore and take appropriate measures to reduce data-sharing risks and keep it under democratic control.

“Emergencies require rapid responses, but these responses should also be appropriate, lawful and just,” said the letter. “It’s unlikely that the NHS’s current plan to build a large-scale Covid-19 datastore meets those principles.

“We understand the need for better health information, but maintain that the public should be consulted throughout the development of the datastore and be able to obtain adequate information about the data-sharing agreements in place.”

In late March, the government announced in an NHSX blogpost plans to build a data platform so that organisations working on the Covid-19 pandemic response could have access to “secure, reliable and timely data – in a way that protects the privacy of our citizens”.

In the same announcement, the NHS promised to provide transparency around its plans, and said all data would remain under the control of NHS England and NHS Improvement, which were commissioned by the government alongside digital innovation unit NHSX to run the project.

The project will, however, be supported by a range of private technology companies – including Microsoft, Amazon Web Services, Google, data-mining firm Palantir and London-based artificial intelligence (AI) company Faulty – which will assist in the development of the datastore, as well as the processing of data.

The open letter said: “The partners the NHS has chosen to work with on the datastore are not without their problems. The public has a right to know what they have been promised (now and in the future), both financially and in terms of data access.”

Signatories urged the NHS to provide answers to a number of pressing questions, and not to proceed any further with the datastore’s development until the public has had a say.

Questions about the involvement of private sector actors generally related to details of the agreements the NHS has with each company, which are already processing large volumes of confidential UK patient data, according to a Guardian report.

This included the value of the contracts, the specific data each party will have access to, what terms govern their data usage, to what extent their access will be audited, and whether a data protection impact assessment (DPIA) has been conducted for each partnership.

Campaigners also asked “whether outsourcing large parts of the datastore’s development shifts the balance of power away from the public sector to the private sector and in what way?”

The letter added: “Will the datastore make use of software controlled by one of its private partners? What software? What intellectual property may be created throughout the development of the datastore? Who will hold these rights?”

Privacy International, Big Brother Watch, medConfidential, Foxglove and Open Rights Group, all of which signed the open letter, have previously sent Palantir 10 questions about its work with the NHS during the public health crisis, many of which overlap with the latest queries.

These include: “Is Palantir obtaining access to any databases and/or records held by the NHS, such as online prescription systems, patient records, general practitioners’ files, etc?”, “Will Palantir retain the NHS data analysis or insights gleaned from this contract once this exercise is over?” and “Will Palantir be able to use the product trained under the agreement with NHS to improve other future products provided by Palantir?”

In response, Palantir said the campaign groups had betrayed a misunderstanding of “the nature of our software and our role as a data processor for the NHS”.

But according to a legal opinion cited in the letter, which was authored by some of the UK’s foremost experts on data protection, “at present it is entirely unclear how such data sharing [with private companies] is intended to take place, and whether the characterisation of the sharing in the NHSX blogpost is how the data will be shared with those private companies.”

The letter also put specific questions to the government about the datastore, including what problems it actually helps to solve and whether alternatives have been explored.

It also asked how the data itself will be protected and what the government’s exit strategy from the project is, for which the government is yet to provide criteria.

“When estimating the risk of data-sharing efforts, it’s not enough to rely on individual consent alone, nor can we rely on de-identification as a sufficient strategy for anonymising data,” the letter said. “We need to take account of the negative externalities of data sharing.

“For what duration is the data collected and what happens when that period ends? If the exit strategy depends on the pandemic ending, then what criteria are used to determine when the pandemic is indeed over (ie when is the promised destruction of the datastore triggered)?”

The letter concluded by questioning what public-facing documentation the government will provide to properly explain the datastore and its various data sources.

“So far, information about the datastore has been scarce,” it said. “We need to understand what information will be made available and who the public can hold accountable.

“While we understand that resources are limited, these questions are fundamental to maintaining public trust in the NHS and to help keep high-risk personal data about UK citizens safe at a time when we need that the most. Lack of transparency and opacity in which these agreements are made do not help in building this trust.”