Dutourdumonde - Fotolia

News

Met Palantir pilot: The DPIA that raises more questions than answers

We examine the Data Protection Impact Assessment for the Metropolitan Police’s Palantir Foundry pilot, and the governance gaps it exposes around surveillance, transparency and staff consultation

Antony Adshead
By
Published: 26 Jun 2026 13:45

An eight-to-12-week pilot that stretched to six months. Highly sensitive employee data – health records, criminal offence information, details of vulnerable individuals – processed by artificial intelligence (AI) across more than 50,000-plus current and former staff. A decision not to consult the workforce whose data was being sucked into the platform. No competitive evaluation of alternative suppliers. And a second tranche of questions the Metropolitan Police now refuses to answer.

These are the fault lines that run through the Metropolitan Police Service’s Data Protection Impact Assessment (DPIA) for its Palantir Foundry pilot, obtained by Computer Weekly. They illustrate how a key UK police force balanced speed of deployment against governance obligations that protect officer and staff data from misuse. The way they did it raised many questions, and produced a “no comment” set of responses from the Met along the way.

The pilot’s immediate context was the 2025 BBC Panorama documentary, Undercover in the police, which exposed serious cultural failings in the force. According to the DPIA, completed on 3 November 2025, the project’s explicit purpose is “to respond to the gravity of recent events and Panorama documentary on MPS Culture” through intelligence collection across a vast sweep of officer and staff data.

The pilot, formally titled, the Culture Standards and Integrity Ecosystem (CSIE), forms part of the Met’s New Met for London (NMfL) reform plan. It adopts what the DPIA describes as a “public health approach to reducing complaints, corruption and misconduct”, analysing data across three tiers of prevention: primary, secondary and tertiary. The stated ambition is to create “an enterprise data observatory containing cultural, professional standards and organisational health intelligence”, built on a schema of approximately 90 metrics drawn from 90 data sources.

In response to our first round of questions to the Met, a spokesperson-attributed statement said: “Our pilot with Palantir allows the Met for the first time to bring together data it already lawfully holds in one place to identify potential standards, welfare or cultural concerns. It also allows us to identify early issues so we can act more fairly and consistently, ensuring officers receive support or face appropriate action before problems escalate.”

The speed at which the pilot delivered results was dramatic. Within a week of Palantir’s roll-out, according to the BBC’s April news article, the Met’s Professionalism Directorate had identified hundreds of potential misconduct breaches and several alleged criminal offences, including abuse of authority for sexual purposes, fraud, sexual assault and misconduct in public office. Two officers were arrested, with a further two suspended and under investigation. Some 98 officers were being assessed for misconduct, with another 500 receiving prevention notices after being flagged for abusing the IT duty-rostering system.

The Met spokesperson added: “The Met is stepping up its use of data and technology to strengthen professional standards, root out misconduct and increase public confidence.”

But the DPIA – a 34-page document obtained by Computer Weekly – reveals significant gaps between the operational speed of the deployment and the governance infrastructure designed to protect the rights of the individuals whose data it processes.

The high-risk processing the DPIA admits

The DPIA’s initial screening questions confirm the project was set to process special category data, criminal offence data, data concerning children under 13 and other vulnerable individuals, and data on a large scale. It includes tracking, monitoring, and surveillance in public areas, the use of AI, automated decision-making, and profiling of individuals. The assessment explicitly acknowledges the processing as “high-risk”.

In section Q2.25, the DPIA states that “the processing of personal data” would be considered “potential high-risk processing” in that it concerned “special category data, criminal offence data and vulnerable individuals … In particular, sensitive health data will be processed by collating and analysing the data for trends related to adverse sickness leave patterns.”

The scale is substantial. The assessment covers more than 50,000 current employees plus some former employees. It notes that “the processing involved in Foundry is heavily focused on the personal data, and actions, of MPS employees”, warning that if data were exfiltrated, it “could cause harm” and identify individuals.

Despite this risk profile, the DPIA acknowledges that multiple security and governance controls remained incomplete at the time of documentation. Automated access controls were marked “partially implemented”. Access logging was “planned but not yet in place”. Performance tests had not been planned. The system’s capability to manage data review, retention and disposal had “not been conducted”. No documentation existed for the flow and transformation of data throughout its lifecycle.

Computer Weekly received the DPIA on 3 June. The covering email described it as “an evolving document so continues to be updated”. The latest date entry in the DPIA is 31 March. 

The Senior Responsible Officer’s comments, dated 3 November 2025 – the date the DPIA was first written – acknowledge this tension directly: “While full testing has not been completed in the usual manner (i.e. deploying Palantir on a pre-production system first), I understand this risk has been partially mitigated through testing in situ. This reflects a balance between maintaining the speed of the pilot and ensuring appropriate safeguards. I am satisfied with the testing to date.”

The consultation gap

Perhaps the most striking single entry in the DPIA appears at question Q2.29, which asks whether the project team planned to consult with individuals whose personal data would be processed. The response was: “Considered and not required.”

This determination was made despite the project processing sensitive health data, sickness absence patterns, professional standards records from the Centurion system – a widely used platform for recording public complaints, conduct allegations, grievances and civil claims – and information relating to disabled employees, stop and search interactions, and custody-related issues.

The Met’s own Data Protection Officer (DPO) subsequently recommended precisely the opposite approach. In the DPIA’s Advice and Recommendations section, dated 31 March 2026, the reviewer states: “I recommend transparent communication with the individuals whose data will be processed. I recommend that a document explaining the purpose and scope of this project is produced and disseminated to MPS employees (staff and officers). I recommend producing an FAQ document with any concerns that may be raised by MPS employees (staff and officers).”

The DPO also highlights a purpose limitation concern: “The original purpose of collecting data for each system mentioned in the System Requirements spreadsheet is different to the envisaged purpose of this pilot. As such, this constitutes a change in purpose which will require telling MPS employees (staff and officers) of the change, as well as the lawful basis for processing.”

Computer Weekly put questions to the Metropolitan Police Federation regarding its consultation with the Met, the transparency of communications to staff, and concerns around data retention. No response was received.

What we do know is that Matt Cane, general secretary of the Metropolitan Police Federation, had told the BBC in April that staff “were never informed that the upgrade would include the deployment of Palantir’s artificial intelligence”.

Alternatives that were not evaluated

The DPIA states that alternatives to Palantir Foundry were “considered but not viable”, yet it names no other suppliers, provides no evaluation criteria, and offers no comparative assessment. The Met’s own in-house platform, the Enterprise Data Platform (EDP), is described in the DPIA as “an inhouse platform that ingests data”, with systems integration and data ingestion “ongoing under phase 2 of the Data, AI and analytics capability programme”.

The DPIA notes that Palantir offers “more enhanced capability than what EDP is currently able to do, and this pilot is validating that”. It also says Palantir was “faster and was able to produce an MVP to the timeframe that we needed. The AI capability offered by Palantir Foundry is not available with the EDP.”

The EDP was not yet capable of delivering the AI-driven analytics that Foundry could provide – but it was also conceived as the central architectural layer through which data would flow. The DPIA itself flags a “risk of lock-in with multiple data sources routing outside of EDP”, suggesting the Foundry pilot diverges from the Met’s own data infrastructure strategy.

A properly competitive process could potentially have evaluated other AI analytics providers in or alongside the EDP framework, but no such process is documented.

When Computer Weekly asked the Met to provide a list of other suppliers evaluated, the evaluation criteria used, and the business case detailing why Palantir was chosen, the force declined to engage further.

The timeline that kept slipping

What was planned as an 8-to-12-week pilot became a six-month project with no fixed endpoint.

14 October 2025: Contract with Palantir begins, due to end 13 January 2026.

3 November 2025: DPIA completed; connectivity with first MPS system (EDP) in place.

18 December 2025: MPS data injection into Palantir goes live.

8 January 2026: Pilot period extended to 31 March.

9 January 2026: DPIA notes: “Palantir are not in a position to actually start a pilot as more data is being ingested. User testing to start once MVP is available from 30/1/2026.”

13 January 2026: Original contract end date – data due for deletion.

22 January 2026: DPIA notes: “The MVP is planned for 1st April.”

4 March 2026: Pilot extended to end of April 2026.

12 March 2026: DPIA notes: “The MVP is not available to be tested yet whilst more data is being ingested and dashboards are still being developed.”

31 March 2026: Contract extended to 30 April 2026; DPO and DDAT reports submitted.

The references to a missing minimum viable product (MVP) are significant. As of mid-March 2026 – more than four months into a pilot originally scheduled to conclude in January – the core system had not reached a testable state. Throughout this period, data continued to flow into the platform.

What is the Bank Mellat test?

The Bank Mellat test is a four-stage proportionality framework established by the UK Supreme Court to determine if an action that restricts fundamental rights is legally justifiable.

In the context of data protection – specifically the processing or monitoring of employee data – this test requires employers to demonstrate that their actions strike a fair balance between their business interests and the privacy rights of their staff. 

The questions the Met did not answer

Computer Weekly submitted a second tranche of questions to the Met, addressing the gaps identified in the DPIA. These covered the absence of a competitive tender, the justification for sharing “not essential” data under the Bank Mellat proportionality test, the status of incomplete security controls, the evaluation of jurisdictional risk given Palantir’s status as a US-headquartered company, and the final disposition of MPS data held by Palantir after the pilot.

The Met’s response was a single sentence, declining to engage: “Following further conversations, we are not going to provide this level of detail and have nothing further to add to our previous statement.”

Several of these unanswered questions carry significant legal and operational weight. 

The DPIA’s own DPO section recommends that further questions be addressed, specifically: “What will Palantir do with the data after the trial ends (i.e., will Palantir retain a copy of the data or will any MPS data held by Palantir in relation to this trial be securely deleted)? If Palantir is planning to retain MPS data at the end of the trial, what is Palantir’s intended use of the data? If Palantir is planning to use MPS data to train its models, we assume that Palantir positions itself as an independent controller for this further processing.”

The DPO also notes: “It is not currently clear what will happen to the data at the end of the trial. If Palantir is planning to retain/use the data for its own purposes, it is important that we understand this so that we are able (a) to assess and articulate Palantir’s lawful basis for any further processing and (b) to be transparent with officers/staff about the fact that this will happen.”

On data minimisation, the DPO states: “As per the spreadsheet provided to do with System Requirements, there is a considerable amount of data to be shared with Palantir. This raises conflict with this principle, particularly around adequacy (the data collected should be sufficient to fulfil the intended purpose), relevance (only data that is directly related to the purpose should be processed) and necessity.”

The DPIA itself acknowledges at Q4.12 that data sharing with Palantir goes beyond the strictly necessary: “Due to the nature of the Palantir Foundry solution, and the broad nature of the use cases for the CSIE Palantir pilot, we are sharing additional data with the supplier in order to support the more holistic views/insights, etc for more proactive investigations.”

And on the fundamental question of purpose limitation, section Q5.06 is unambiguous. Asked whether personal data is being used strictly for the purposes for which it was originally collected, the response is simply: “No, the data is used for additional purposes not originally specified.”

A precedent for UK policing

The Met’s Palantir pilot does not exist in isolation. It sits within a broader landscape of UK police forces operating under the Police Digital Service and National Enabling Programmes model, predominantly on Microsoft-centric cloud infrastructure. The decisions made in this pilot – about procurement, transparency, data minimisation and jurisdictional exposure – are likely to reverberate across other forces considering similar deployments.

To what extent the DPIA’s internal recommendations have been resolved is unknown. The DPO calls for clear policy on data handling, training and awareness for staff using Foundry, auditing to enable full traceability and accountability, and clarity on what happens to data once the pilot ends. 

The Bank Mellat proportionality assessment notes that “if the objective is preventing misconduct, then analysing certain relevant data may be rationally connected”, but warns that “transferring all data we hold is not rationally connected unless we can show why each category of data is necessary”.

The Met’s refusal to engage with questions about alternative suppliers, jurisdictional risk and data disposal leaves significant governance questions unanswered. 

For a pilot that processes the personal data of more than 50,000 individuals – including health information, criminal offence data and information about vulnerable people – the gap between the speed of deployment and the maturity of safeguards is the story the DPIA tells, even when the Met will not.

Read more about the Metropolitan Police and Palantir

Read more on IT suppliers