Seems Legit
I'm sure we have no reason to distrust any minister from the party of Boris Johnson when they give us assurances that the rules will be followed at all times.
A UK health minister has for the first time admitted that information from family doctors is set to be uploaded to the controversial Federated Data Platform (FDP), a set of technologies under a £480 million procurement for which US spy-tech company Palantir is the incumbent supplier. Speaking in the House of Lords, the UK's …
@Brewster's Angle Grinder, "How high can I count? Infinity plus one."
Shouldn't you be busy staffing the check-in desk at Hilbert's Hotel?
"None at all... How bloody stupid are these people?"
They may not be stupid, but something just as bad.... lawyers. Most politicians are lawyers by training and those people are often the most narrowly educated and experienced people in the world. Certainly in anything technical they can barely pronounce most of the nomenclature properly. They also have a sci-fi understanding of what can and can't be done, getting their information from movies and TV. Stuff where the investigators can take some CCTV footage that's better to start with than one ever sees and can infinitely zoom in and enhance to read the model of Rolex watch written on the face. They'll also have some genius on the team that has a host of limitations such as being unable to walk which has led them along the path to being a hacker that can root any system 3/4 of the way into the 1 hour episode. Guess what politicians, doesn't happen in the real world.
from my GP and end up in the hands of USA corporations, a country that has inadequate data protection, also read Schrems II.
"So my data will escape ...
from my GP and end up in the hands of USA corporations,"
That's by design as the NHS "Shares" the data with their "Partners". The translation being that they are selling the information to whomever has the money to pay. The revenue stream is too enticing to ignore.
"Sure. Locally.
Locally to Palantir, you mean.
And from there to God only knows."
From there to an employee laptop that is stolen from their car or left on a train when they stopped to have a few after work and were too drunk to remember to take it with them when they got off. I never seem to hear what happened to "John Smith", the employee other than perhaps some mention that they were let go. Certainly there won't be any justification about why an employee is allowed to download a huge swath of private data to transport physically to their home "to do some work over the weekend".
It's like the English (and USArians) somehow seem to think that England is UK whereas before it was England as Brits. In (Hotel California or Caledonia) Scotland (you can check out any time you like but you can never leave the union seemingly) we don't have NHS England up our kilts, so wordsmiths o' the USA take heed. Nuff said.
> This is all to do with NHS ENGLAND ONLY, yet the story mixes "England" and "UK" interchangeably.
Yupe. He's an English Health Minister - Scotland, Wales, and Northern Ireland (on the occasional times when it has a functioning government) each have their own Health Minister as health is a devolved matter.
Also don't assume ICO will want to help with any Data Protection concerns around FDP and GP record sharing - in an ICO complaint regarding my GP Practice's sharing of my health data with a central system and the GP Practice later being unable to remove this information (for which they were the Data Controller) the ICO case officer stated in her Outcome:
"my view at present is that it is unlikely that <GP Practice> have complied with their data protection obligations. This is because, although they have attempted to remove the data they have shared about you on the NIECR system they have been unable to. As data controllers for that information, we would expect that they should be able to do this."
The ICO however decided to take no action against the GP Practice's failure to delete my personal data and also took no action against the central body (acting as Data Processor for the GP Practice and so legally required to follow 'instructions' from the GP Practice). My personal data remains on the NIECR due to the ICO's inaction regarding clear breaches of data protection law.
tbh I got the same thing when I lived in the Home Counties. A lot of people were at best vague about the differences between northern England (where I'm from) and Scotland and got annoyed if you pointed it out.
Me: "Hello."
Them: "Why can't you talk properly?! Where are you from?!"
Me: "Newcastle."
Them: "Och aye the noo!" (said in a sort of Welsh/Indian accent)
Sigh.
Allowing NHS records to be controlled (and readable) by a US company (such as Palantir), even if "protected" by contracts, means that they are accessible to US courts.
Many US states have passed laws banning all abortions - including ones performed outside the state. And in Texas the law does not even require the state to prosecute: any private individual can prosecute any woman who has an abortion.
So, any pregnant woman from Texas visiting the UK had better make sure they do not have an accident and end up in an NHS hospital which deems it necessary to abort her pregnancy. The NHS records of that would become available to prosecute her once she returns to the US. If Palantir has the data they would be forced to disclose it to the US court, whatever agreements the NHS believe they have entered into.
It is absolutely essential that the contractors, particularly foreign contractors, cannot access NHS data at all - even if there are contracts saying they will not. It isn't just Palantir and the US - similar issues could occur with any foreign contractor subject to the laws of another country.
There are handy loopholes in the GDPR data processor regs.
"You can only process the personal data on instructions from a controller (unless otherwise required by law)"
So, with the earlier mentioned Texan having an abortion, if the US requested medical data on that woman, then the UK may oblige (as they tend to say yes to many "law enforcement" requests from the US).
Note I am being kind and assuming the ICO quote means UK / English law (wording does not actually stipulate UK law on the ICO site!).
Also
"International transfers: the UK GDPR's prohibition on transferring personal data applies equally to processors as it does to controllers. This means you must ensure that any transfer outside the UK is authorised by the controller and complies with the UK GDPR’s transfer provisions."
Place your bets on a data controller happily allowing data transfer outside of the UK (who knows may even be slipped into the contracts by default, contracts can contain other data access stuff too e.g. granting processor access to data as part of fault finding / fixing (AKA dealing with bugs)).