NHS granted Palantir contractors ‘unlimited access’ to your medical data – and its own officials warned it risked ‘loss of public confidence’

NHS England has quietly granted external staff from Palantir and other contractors “unlimited access” to identifiable patient data within its flagship data platform – overturning a previous system requiring individual approval for specific datasets – in a change that NHS England’s own internal briefing acknowledged risked “loss of public confidence” in how patient data is safeguarded.

The change was first outlined in an internal briefing note written by a senior NHS data official in April and seen by the Financial Times. It relates to the National Data Integration Tenant (NDIT) – described in NHS documentation as a “safe haven for data” before it is pseudonymised and transferred to other systems. The NDIT sits within the Federated Data Platform, a system that connects disparate NHS data into a single database, which Palantir won a £330 million contract to build in 2023.


What changed – and why it matters

Under previous arrangements, any individual working with the NDIT was required to apply for specific data access approval for each individual dataset they needed to work with. The new arrangement creates an “admin” role that, in the words of the briefing note itself, “permits unlimited access to non-NHSE staff” to the NDIT and the identifiable patient information it holds.

The change applies not only to Palantir employees but also to staff from consultancy firms drafted in to work on the Federated Data Platform. The briefing note is explicit about the reason for the change: external workers requested the expanded permissions “as it is too inconvenient to apply for all of the necessary individual CDAs” – that is, the individual data access approvals required under the previous system.

In other words, the protection that existed to ensure that identifiable patient data was only accessed on a specific, approved, case-by-case basis was removed because contractors found the approval process inconvenient.

The briefing note, written by a senior official who was aware of the political sensitivity, acknowledged directly: “This is not only about Palantir, hence we have referred to non-NHSE staff, but there is currently considerable public interest and concern about how much access to patient data Palantir/Palantir staff have.”


The NHS’s own warnings – ignored

The internal briefing contained explicit warnings about what the change would mean. It stated that granting enhanced permissions could mean there is a “risk of loss of public confidence” when it comes to “safeguarding patient data and ensuring appropriate use and access to it.” It noted that “being sure exactly who is accessing what patient-identifiable data at any one time” was a top concern under NHS England’s own data promises. And it acknowledged directly: “The more people have unrestricted access, the less that aim can be met.”

Those warnings were noted. The recommendation was accepted anyway. Officials confirmed the briefing note’s recommendation had been accepted in recent weeks, while saying it would apply to only a small number of non-NHS staff and would be subject to a cap on the number of external admins, time-limiting and regular review.

NHS England committed publicly to five “data promises” when the Federated Data Platform was announced, including transparency about who can access data and what they can see. The new arrangement sits in direct tension with those promises.


Who Palantir is – and why this matters beyond the NHS

As we documented in detail in our investigation into Palantir’s revolving door with UK government officials, Palantir is not a neutral technology company. It was co-founded by Peter Thiel, a close ally of Donald Trump. Its chief executive Alex Karp has been an outspoken Trump supporter. Its software is central to ICE’s immigration enforcement operations in the United States – operations that have involved the detention and deportation of migrants, including in controversial circumstances.

Infographic titled “The Palantir Pipeline” showing officials, politicians, military figures and civil servants who moved into roles connected to Palantir.
Infographic maps former public officials and insiders linked to Palantir across UK institutions. Image credit: thenerve.news

The company has been awarded £670 million in UK government contracts across health, defence and security. The MoD’s head of AI strategy met Palantir nine times in his government role before joining them as chief geostrategy adviser. The NHS’s own head of AI left to become Palantir’s director of health and AI. Thirty-two senior UK government officials have moved to or from Palantir in the past decade.

Some NHS staff have refused to work on the Federated Data Platform on ethical grounds related to Palantir’s work in US defence and immigration enforcement. The company’s chief executive has been publicly critical of those concerns.

Martin Wrigley, a Liberal Democrat member of the House of Commons technology committee, said of the unlimited access change: “This somewhat cavalier attitude to data security demonstrated how this whole FDP project does not have security by design at its heart. The public will be rightfully concerned that data privacy is not the first concern.”


What Palantir and NHS England say

NHS England said: “The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance – including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients. Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.”

Palantir said: “To the NHS, and all our customers, we are designated by law as a ‘data processor’, with our customers ‘data controllers’. That means that Palantir software can only be used to process data precisely in line with the instruction of the customer. Using the data for anything else would not only be illegal but technically impossible due to granular access controls overseen by the NHS.”

Both responses address the legal framework. Neither directly addresses the specific change described in the internal briefing: that the previous individual approval requirement for each data access request has been replaced with an admin role granting unlimited access, because contractors found the approval process inconvenient.


The broader context

The timing of this revelation is politically significant. As we reported in our coverage of Wes Streeting’s private health donations and the NICE drug pricing power grab, questions about who is shaping NHS policy and in whose interests sit at the centre of the current Labour leadership debate. Streeting has taken £372,000 from private health-linked donors. Palantir has moved 32 government officials through its revolving door. And now an internal NHS briefing reveals that identifiable patient data – the medical records of millions of British people – has been made accessible to Palantir and other contractors on an unlimited basis, because the previous safeguards were considered too inconvenient.

The question the briefing’s own author identified – “being sure exactly who is accessing what patient-identifiable data at any one time” – is now, by that author’s own analysis, one that can no longer be answered.
