UK health department republishes £330M Palantir contract with fewer ██████

The UK health department has republished its contracts with US spy-tech company Palantir, blanking out fewer sections, following a warning from legal campaigners. In February, the Good Law Project, a political non-profit company, said publication of heavily redacted contracts meant the public was "unable properly to understand …

  1. Paul Smith

    An IT system for £1

    What could possibly go wrong?

  2. Anonymous Coward

    Enough Levels of Sub-contractors and "Trusted Partners" Becomes World+Dog Can Copy/Use Your Data

    From TFA: "where it is necessary for them to operate and maintain the FDP"

    The words "necessary", "operate", and "maintain" are not defined in this (at least, not in the parts we can see). While this may sound like Bill Clinton saying, "define the word, 'is'", ordinary English word-meanings are stretched to the outer limits by solicitors, and thus must be specifically-defined in such contracts. "Common sense" has little effective place in the legal world.

    Similarly, "only under the written instructions" from user organisations, which include national or local "instances", could (and likely would) be interpreted by a solicitor as Palantir calling up some local provider, asking, "Can we use some data?", the local provider replying, "Okay," and then Palantir saying, "We'll send you a FAX. Please sign it and FAX it back," and the local provider saying, "Okay," and doing so. Said FAX from Palantir will be brief and non-threatening-looking, and will reference documents in Palantir's possession which will not be included in the FAX, nor ever seen by the local provider. Those referenced documents will say, effectively, that Palantir can do anything with the data.

    1. yetanotheraoc Silver badge

      Re: Enough Levels of Sub-contractors and "Trusted Partners" Becomes World+Dog Can Copy/Use Your Data

      One fax to rule them all. Photocopies all around.

    2. Anonymous Coward

      Re: Enough Levels of Sub-contractors and "Trusted Partners" Becomes World+Dog Can Copy/Use Your Data

      In the US, the phrase typically used is "or as permitted by law". Since US law doesn't generally prohibit sharing, that translates to "and any other way we want".

  3. Anonymous Coward

    ICO slams failure to comply with FoI request

    ██ ████ ████████ :o

  4. john.w

    I am completely reassured.

    "Only authorised users will be granted access to data for approved purposes..."

    No doubt they will have the same rigorous controls in place to ensure that anyone who wants access will be given it, just like the DVLA does with our personal data.

    1. Brewster's Angle Grinder Silver badge

      Re: I am completely reassured.

      "Will you authorise me to access this data?"

      "Yes."

      "Great. Now I'm an authorised user!"

    2. collinsl Silver badge

      Re: I am completely reassured.

      > "Only authorised users will be granted access to data for approved purposes..."

      Just like Fujitsu with Post Office branch account data...

      1. Eclectic Man Silver badge

        Re: I am completely reassured.

        And the UK's Electoral Commission. https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians#:~:text=Separately%2C%20the%20compromise%20of%20computer,Electoral%20Register%20during%20this%20time.

        "Separately, the compromise of computer systems at the UK Electoral Commission between 2021 and 2022 has also been attributed to a China state-affiliated actor. The NCSC assesses it is highly likely the threat actors accessed and exfiltrated email data, and data from the Electoral Register during this time."

  5. elsergiovolador Silver badge

    Circular Reasoning

    "Only authorised users will be granted access to data for approved purposes, for example, NHS staff and those supporting them, such as administrators, bed managers or care coordinators, and staff in social care supporting the move from hospital care."

    It is baffling that these kinds of responses are accepted. It's a classic tautology and someone giving such crap as an answer should be sacked.

    What are the criteria for being an authorised user, and what are these approved purposes, for starters?

    What if to become an authorised user you need a brown envelope and another one to add your purpose to the approved list...

    1. Elongated Muskrat Silver badge

      Re: Circular Reasoning

      I suspect that these are the sort of people who do not know the difference between authentication and authorisation, and in practice, anyone who is authenticated, which probably includes everyone in the building, cleaners and all, will end up with authorisation.

      The problem is that they do not define criteria for authorisation, or whether such authorisation will be granular and time limited. How will they deal with bad actors who gain authorisation but then abuse it? How will such data breaches be handled? How will they determine the scope of any breach, and what remedial action can or will be taken to protect the people whose data is leaked? What powers will they have to go after perpetrators of a breach, and ensure leaked data is deleted? Not only within UK jurisdiction, but also US jurisdiction, and jurisdiction in other territories, including those of hostile governments, or where adequate data protection law or relevant treaties are not in place?

      1. collinsl Silver badge

        Re: Circular Reasoning

        Well of course the way this will be handled is ███ ████ █████ ██ ████ ██ ███ ███ ██████ ██ ███ ████████ with plenty of ████████ and we'll use ██████ broomstick up their ████ .

      2. WonkoTheSane
        Headmaster

        Re: Circular Reasoning

        "these are the sort of people who do not know the difference between authentication and authorisation"

        I'm pretty sure they get confused between arse & elbow, too.

    2. captain veg Silver badge

      Re: Circular Reasoning

      Isn't it obvious? Unauthorised users can do what they like so long as it is for unapproved purposes.

      -A.

  6. Anonymous Coward

    I don't get why this data is regarded as so valuable in terms of advertising drugs. Approaching 50-odd percent of the UK is obese and probably pre-diabetic or diabetic. The age profile is shifting to the right, people living longer with fewer kids on average. You don't need to be a genius to work out how to make money out of healthcare offerings here. I suppose it becomes more valuable in a fully privatised USian style system, where targeted ads interrupting the stream you are watching (and their 30-page disclaimers of possible side effects) are probably marginally more effective than blanket ads on broadcast TVs that we don't watch anymore.

    Too bad the pre-packed food industry doesn't have similar possible side effect listings for the collection of E-numbers and sugar peddled as "food" in possibly the loosest sense of the word only.

    1. Jason Bloomberg Silver badge

      I suppose it becomes more valuable in a fully privatised USian style system

      And anyone paying attention will know what trajectory this government is on, is trying to lock future governments into.

      1. Jedit Silver badge
        Stop

        "is trying to lock future governments into"

        They don't need to try. The Tories haven't fully privatised the NHS only because they know they lack the political capital to survive it, and right now they also no longer have the time so the fact that they won't survive anything doesn't matter. Only Labour can do the job - so it's lucky for the Tories that Kid Starver and his PHC-funded shadow health secretary Wes "McShitter" Streeting already fully intend to do it with no need for any external intervention.

        1. John Robson Silver badge

          Re: "is trying to lock future governments into"

          What are you smoking?

          1. Gordon 10

            Re: "is trying to lock future governments into"

            TBF he's not wrong on Streeting.

            No mainstream politician has the answer to funding the NHS because the costs are increasing year on year in line with an aging population, and the cold hard reality is that funding has to come from higher taxes.

            Until Labour (maybe) or the Tories (no chance) break ranks and start talking about using taxes for adequate funding for a decent service the NHS is f*cked.

            1. Elongated Muskrat Silver badge

              Re: "is trying to lock future governments into"

              There's an element of this, and an element of the Tories deliberately making the NHS both more expensive and more difficult to access in order to justify pushing people onto private healthcare, in which a number of them have financial interests. It's the age-old story of "follow the money".

              Examples include repeated management reorganisations, creation of QUANGOs to manage it ("NHS England" being the most recent incarnation), and policies around GP appointments such that GPs have to implement a system where you call them at 8am to maybe get an appointment in the next two weeks, but nothing today, unless it's an emergency, in which case you have to call again in the afternoon, and no appointments are "open" beyond that moving window. This is done in the name of "convenience" so that "everyone can get an appointment", but this is clearly not the purpose of that system.

              Yes, there is genuinely a problem with an ageing population, and the obvious answer to this is preventative healthcare, which is the exact opposite of what the Tories want, because it is cheaper and more effective than the sort of privatised healthcare where they can charge a fortune for diagnostic tests, and lifelong treatments. Those snouts need to keep their trough filled.

            2. Jedit Silver badge
              Flame

              Re: "is trying to lock future governments into"

              I'm not wrong about Starmer either. He claims to want to make the NHS strong, but he's explicitly ruled out raising taxes or seizing the billions stolen by the Tories during the pandemic to lavish upon their donors for huge (and frequently unfulfilled) PPE contracts at ripoff prices. Instead he's talking about using AI to shorten waiting lists. This is not my opinion - it is a fact, and you can find it in transcripts of his speeches on the Labour Party's own website.

              That said, you really don't need to look much past Streeting being funded by private health care initiatives and openly supporting greater privatisation of the NHS. Starmer's appointing him as Shadow Health Secretary - which most likely leads to him taking the cabinet post if Labour enter government - indicates clearly that this is also what Starmer thinks should happen. You don't give someone a job if you don't like the way they want to do it, do you?

              1. John Robson Silver badge

                Re: "is trying to lock future governments into"

                No he hasn't ruled out reclaiming money lost to fraud.

                And as for the not raising taxes... he doesn't need to, the tories have already raised them massively, he just needs to cut out some of the tax breaks which mean that the ultra wealthy don't actually pay their fair share.

                What he does need to do is win the election.

              2. Elongated Muskrat Silver badge

                Re: "is trying to lock future governments into"

                To be fair to Starmer (and I do have some strong doubts about him), if he were to say, in the year of an election, that he intends to seize the ill-gotten billions from various bad actors, how quickly do you think they would decide to spend a small fraction of those billions on a disinformation campaign to discredit him?

                His primary task, at the moment, is to unseat the Tory government. Major policies are not going to be made public until manifestos are published; to do otherwise would literally be giving ammunition to the opposition, as it gives them time to prepare attack lines. Expect not to hear any major policy announcements until an election campaign is underway.

                I still have the creeping feeling that Starmer will disappoint us; however, this is due to the fact that our electoral system is fatally flawed with FPTP, so we are stuck with politicians who can win FPTP elections, not ones who can actually solve our country's myriad problems. It is saddening, yet completely understandable, that Starmer is also opposed to us moving to a system of PR, despite the majority of Labour members, delegates, and unions supporting it.

                1. John Robson Silver badge

                  Re: "is trying to lock future governments into"

                  "Starmer is also opposed to us moving to a system of PR, despite the majority of Labour members, delegates, and unions supporting it."

                  Publicly...

                  As you say, he needs to win first. I suspect that PR will be a second term manifesto item.

            3. Alan Brown Silver badge

              Re: "is trying to lock future governments into"

              The fastest and easiest way to solve the NHS funding problem is to abolish the cap on NI.

    2. Anonymous Coward

      You can probably predict health issues before they become issues. It'll be more use after the NHS has been privatised.

      1. Mike 137 Silver badge

        "You can probably predict health issues before they become issues"

        Only statistically. Human physiology being so complex and varied at the detail level, individual outcomes are essentially unpredictable with any certainty until there are already specific markers present, at which point it becomes diagnosis. (Just for example, even lifelong smoking doesn't guarantee you get cancer, and total abstinence doesn't guarantee you won't -- which is why we have screening programmes).

        Of course, as it's a matter of statistics, an entire department will probably be created to stuff our medical records through ChatGPT.

      2. captain veg Silver badge

        predicting health issues

        The likes of Johnson & Johnson really don't care. They just want to sell stuff. Diagnoses, medical outcomes? Not interesting. Identifying potential customers susceptible to advertising? Gold dust.

        -A.

      3. Boris the Cockroach Silver badge
        FAIL

        Predict, then deny coverage when we have to have private medical insurance.

        I've seen all those Bupa et al adverts on TV promising a golden age of health for you when you take out coverage with them. In the small print they all say "pre-existing conditions not covered".

        1. Gordon 10

          TBF Bupa are one of the better ones. A non-profit for a start. The acceptable face of private healthcare..... unlike the others.

          1. Anonymous Coward

            I work for a software supplier, one of whose clients is Bupa. When it comes to knowing what they are doing, and general competence, I wouldn't rate them highly...

            (posting AC for obvious reasons)

        2. John Robson Silver badge

          No insurance company will cover you for something that's already happened.

          Oh my house burned down, can I have some house insurance please, yes I'd like fire coverage.

          1. Anonymous Coward

            Health insurance has to work differently, otherwise it's far too easy for coverage to be denied for any significant health issue. Have a heart attack? Your insurance company dropped you as a bad risk the moment you arrived at the hospital, and any other will disallow care related to that preexisting condition.

            In the US, preexisting conditions are covered if the patient was insured for them (by someone else) at the time the condition was noted/diagnosed.

            1. John Robson Silver badge

              "In the US, preexisting conditions are covered if the patient was insured for them (by someone else) at the time the condition was noted/diagnosed."

              As they are by BUPA in the UK... 35 years on and they're still covering, despite me being off book for several periods when my (varied) employers used different providers.

    3. Alan Brown Silver badge

      "I don't get why this data is regarded as so valuable in terms of advertising drugs."

      That's not why they want it. Medical insurers salivate at this kind of data as it allows them to increase premiums and deny cover.

  7. ScottishYorkshireMan

    Have ITV got a script yet?

    Just wondering which tory SB's have had their personal coffers enhanced by this deal and whether or not ITV have a script for the future 6 parter?

  8. Anonymous Coward

    Meanwhile the ongoing NHS NIECR farce in Northern Ireland gets more surreal

    NHS England? Bah, mere amateurs, let me introduce you to HSC NI (aka "NHS Northern Ireland"):

    So after several years of HSC NI trying to fix GDPR/UK DPA 2018 non-compliance for the Northern Ireland Electronic Care Record (NIECR), with the help of the ICO's NI Office apparently, the Department of Health NI wrote to all NI private Opticians (who do "NHS" work, i.e. "free eye tests") in October 2023 to get them to sign a "Northern Ireland Electronic Care Record (NIECR) Data Processing Agreement". That letter contained such fun statements as:

    "Each Community Optometry Contractor has always been recognised as a stand alone Data Processor within the definitions of the Data Protection Act".

    What's with the word "recognised"? Either they're a Data Processor or they're not. In order to be a Data Processor they must have signed a contract together with the Data Controller(s) that meets the GDPR-defined legal requirements for such a Data Processor engagement to be valid. I'm hearing echoes of "1984" ("we have always been at war with...").

    "As such each Practice[sic] is required to sign the revised Data Processing Agreement."

    I think instead of "Practice" they meant to say "Community Optometry Contractor". Details are important, folks... Also "revised Data Processing Agreement" - hmm, so "revised" implies there has been at least one previous version of a NIECR DPA in place with Data Processors - well in almost 4 years of digging into NIECR I've yet to see *any* previous DPA for Processors despite numerous FOI Requests. Also the "revised" DPA document sent along with that letter is "Version 1.0" dated "27th October 2023"...the "1.0" kind of implies there has never been a previous (non draft) version of a/this DPA. So is this a replacement DPA (in which case why replace rather than revise a previous DPA?) or a new DPA where no previous one existed? (in which case "revised Data Processing Agreement" are weasel words)

    "It is important that this latest version is signed, and the relevant signature section is returned by Friday 10th November 2023."

    "Please note that failure to agree acceptance to the DPA and return of same may call into question the legal basis for the Practice[sic] to continue to access NIECR."

    Why might the legal basis for Opticians (companies) be called into question if they didn't sign this DPA by 10th Nov but wouldn't be called into question if they did sign by this date? What's so magical about the 10th Nov 2023? Why doesn't any alleged previously-existing DPA address any legal concerns? Have ICO actually told HSC NI "if you finally sort out this legal mess by 10th Nov we won't take any action"?

    Also I note that the DPA only lists *some* of the Joint Data Controllers but purportedly points to a list of :

    "The GP Practices listed at Find a GP practice | nidirect"

    except the provided "Find a GP practice" URL is a search page for Practices, not an actual list of practices. The URL that I believe they intended to specify in the DPA is indeed a list of NI GP Practices; however, it is a "point in time" (continually updated) list. The contents of the list on the day a particular Opticians (company) signed the NIECR DPA are not likely to be the same if it is consulted 1 day, 1 week, 1 month, or 1 year later. Therefore how can the DPA signed by a particular Opticians represent a valid legal contract if the DPA *itself* (or Addendums to it) does not define *all* the parties to the DPA?

    The organisations running the NIECR appear to think that DPAs are magical documents which, once signed, don't just cover (undefined) parties at the time of signing but also cover new (undefined) parties being automagically added from then onwards, without any Addendums or equivalent to the signed DPA being required, or the Opticians being informed of any new parties to the agreement they previously signed. In particular, GDPR Article 30(2)(a) *requires* a Data Processor's Records of Processing Activities (ROPAs) to contain the details "of *each* controller on behalf of which the processor is acting". It's a bit hard for a Processor (Opticians) to do this if the Opticians doesn't know who all the Data Controllers are at any point in time.

    The provided DPA, despite the "help" of ICO's Belfast Office, also fails to include some information *required* by GDPR Article 28 to be present in such a contract, so even when signed it's not a valid Data Processor engagement.

    So the legal mess that is the NIECR continues...

  9. captain veg Silver badge

    sic

    Trivial, I know, but

    "As such each Practice[sic] is required to sign the revised Data Processing Agreement."

    Isn't "practice" the normal spelling for the noun form?

    Otherwise, uptick. I guess you have good reason for posting AC.

    -A.

    1. Anonymous Coward

      Re: sic

      > Isn't "practice" the normal spelling for the noun form?

      It is spelt correctly; the reason I put the "[sic]" was mentioned directly below in my previous post: "I think instead of "Practice" they meant to say "Community Optometry Contractor"." This letter was obviously modified from a previous letter to GP Practices (a letter around the same timeframe, when they had GP Practices, as joint Data Controllers, sign a "revised" Data Sharing Agreement to deal with the "legal issue" of no DSA actually having been in place for the past 10 years that NIECR existed) and they forgot to replace some of the uses of "Practice" with "Community Optometry Contractor".

      > Otherwise, uptick. I guess you have good reason for posting AC.

      You mean other than wishing to remain anonymous? lol.

      Lindsay (@ The Register) knows who I am as I contacted him (and had a phone call to explain things) almost 3 years ago hoping he'd write a story about some of this but he appeared to lose interest and I last heard from him in June 2021. If The Register still has any interest in writing some sort of a story around this (i.e. "Whole of Northern Ireland's populations' health data continues to be shared in legally non-compliant way between 600+ organisations after more than 11 years!") I've collected an ever growing mountain of related evidence.

      In related news a well-known UK high street brand has admitted in a FOI Response that their Opticians "arm" (separate group company from their Chemists "arm") has been using the NIECR since October 2018 (5 1/2 years!) but they don't know what their data protection role actually is/has been (Data Controller or Data Processor) with regard to NIECR and have had no contract of any sort in place for this NIECR use... so they've effectively admitted they've breached GDPR on an ongoing basis for more than 5 1/2 years.

      Their Chemists "arm" did indicate they started using NIECR in July 2021, that they're a Data Processor for this use, that they *have* signed a DPA (though this DPA suffers from many of the same problems as the Opticians one I mentioned in my earlier post and so I also believe it is not a valid Data Processor engagement contract per GDPR) in November 2023 (more than 2 years *after* they began acting as a Data Processor!), and that they did create a DPIA regarding their use of NIECR but are refusing to provide it to me:

      "We consider the completed DPIA to be an internal document and commercially sensitive so therefore, do not considerate it to be appropriate to share with you as part of your FOI request. We are withholding this information under exemption ‘Section 43(2)’."

      So their Chemists "arm" have also admitted that they've breached GDPR. There's no point me telling the ICO about any of this as I can't make a personal complaint myself (I have not used them for either NHS eye test or prescription services) and the ICO don't care about general reports of non-compliance apparently unless "sufficient" people make the same complaint.

      Another small local opticians company repeatedly used the "non-answer answer" phrase:

      "Information is not held which would inform a response to this question"

      throughout their FOI Response to avoid admitting any non-compliance.

  10. Claverhouse
    Meh

    In Some Cases...

    "Large sections of the documents were blacked out, including most of the section describing "protection of personal data."

    It is at least heartening that they fully recognise the need to protect personal data.

  11. s. pam
    Thumb Down

    My Bullshit detector just broke

    Normally with UK.Gov contract disclosures it hovers between 8->10; however, in this case it's exploded and is lying in pieces on my office floor.

    What could possibly be so sensitive it needs to be redacted at all?

    PS: El Reg needs to add a new icon to the library, of a bull taking a shit!

    1. Korev Silver badge
      Pint

      Re: My Bullshit detector just broke

      > PS: El Reg needs to add a new icon to the library, of a bull taking a shit!

      As Paris is no more and there's a gap, maybe we can have a competition to choose the replacement.

  12. charlieboywoof
    Megaphone

    GLP?

    Keep them away from my children.
