How to raise concerns about Palantir with your GP
NHS patients have made it very clear that we do not want our private and personal health data to be managed by US spy tech company Palantir.
Over 80,000 patients have already raised concerns about Palantir with their local NHS Trusts. Now, we want to apply pressure at a GP level too.
This toolkit has been created to guide NHS patients through how to raise concerns about your GP data being shared with Palantir's Federated Data Platform (FDP). We have adapted it from a local template made by our friends at Sheffield Medact, so that patients all across England can take action too.
Why is my GP data relevant?
There is currently a lack of clarity regarding how GP practice and patient data is being used in Palantir's FDP. Initially, the government stated that GP data would not be included in the FDP. However, recent developments indicate that GP data is being transferred onto the FDP by Integrated Care Boards (ICBs).
What can writing to my GP achieve?
As it stands*, GPs are official 'data controllers', meaning they can control how data flows into other parts of the health system, and can therefore prevent GP patient data from entering Palantir's FDP.
This can be done through the updating of data sharing agreements (DSAs), which are agreements between GP practices and local NHS ICBs. Therefore, if a practice updates their DSA to say that patient data cannot be extracted into the FDP without explicit consent, then that consent would need to be sought. It would apply to the practice as a whole rather than on a patient-by-patient basis.
* The government's proposed new Health Bill seeks to revoke GP practices' role as primary data controllers and instead transfer responsibility and controllership to the Department of Health and Social Care. This proposal has caused widespread concern about the powers it will grant the government to share data with researchers and third parties without robust patient consent mechanisms.
How do I take action?
Below you will find a template letter that you can use to raise concerns with your GP about Palantir and the FDP.
This letter asks GP practices to change their Data Sharing Agreements with ICBs to prevent data flowing into Palantir's platform. It also requests practices to raise further concerns about Palantir with the local ICB, and asks them whether they support or oppose the proposals in the new Health Bill to transfer data controllership over to central government.
Follow these steps to get your letter sent:
- See whether your GP practice has a direct email address or whether it needs to be done via a complaints/feedback portal. You should be able to find this on their website, or you could call or email them to clarify.
- Copy the template letter below and change the details in bold to include yours and your GP practice's.
- If emailing, also CC in your local NHS Integrated Care Board (you can find email addresses for ICBs here).
- If possible, please then fill in this form so we can keep track of how many patients have taken action and which GP practices have been contacted.
[Your Name]
[Your Address]
[Your Phone Number]
[Your Email]
[Your Date of Birth]
[Date]
[Name of GP Practice]
[Address of GP Practice]
Subject: Urgent: Data Sharing Agreements, Palantir, and the NHS Federated Data Platform (FDP)
Dear Practice Manager and Practice Partners,
I am writing to you as a registered patient to formally raise my concerns regarding the extraction of GP patient data into the NHS Federated Data Platform (FDP).
I oppose Palantir's involvement in the NHS, and I share the significant ethical, privacy, and security concerns raised by The British Medical Association (BMA), legal bodies, patient groups, health charities and human rights organisations.
My trust in the NHS and my doctor is at risk knowing Palantir may be processing and storing my health data. I want to ensure I take any opportunity I have to deny them access to my data.
I am deeply concerned by the lack of a straightforward, comprehensive patient opt-out. It is now clear that the National Data Opt-Out scheme does not protect my data from being processed within the FDP, as NHS England can apply legal directions to bypass it.
Under UK data protection laws, the GP Partners at this practice are the legal Data Controllers of my primary care medical record. You hold the ultimate responsibility for ensuring my data is processed lawfully, transparently, and safely.
The British Medical Association (BMA) has recently highlighted the risks surrounding the secondary use of patient data and has advised GP practices to rigorously review, and potentially withdraw from, voluntary Data Sharing Agreements (DSAs). In light of this, I am respectfully asking that your practice undertake an audit of your current DSAs with the local Integrated Care Board (ICB) and decline to participate in any data extractions that feed patient data into the FDP, unless stringent privacy safeguards and clear patient opt-outs are legally guaranteed.
An article by health charity, Medact, has recommended that the following wording can be added to practice DSAs with ICBs:
- Patient records, practice datasets and any other data shared by the practice must not be stored, processed or analysed in any instance of the Federated Data Platform and its associated products.
- Any changes to the storage and analysis platforms, data use cases or data requirements for GP practice datasets will be discussed and explicitly agreed upon in writing with the practice on a case by case basis.
I would also welcome any information you can share regarding the practice's current stance on signing DSAs related to the FDP, and share details of any relevant DSA.
Furthermore, there is increasing attention around the break clause in Palantir's contract with the NHS. When you contact the ICB during the review of your DSAs I would appreciate you raising concerns relating to the NHS's contract with Palantir. Please ask the ICB to explicitly recommend the UK Government to exercise the contract's break clause.
Finally, I am aware that the government's proposed new Health Bill seeks to revoke GP practices' role as primary data controllers and instead transfer responsibility and controllership to the Department of Health and Social Care. This proposal has caused widespread concern about the powers it will grant the government to share data with researchers and third parties without robust patient consent mechanisms. Can you clarify whether your GP practice supports or opposes these major changes, and how you intend to uphold my data privacy rights when responding to any request for a change in data controller responsibilities at your practice?
General Practice plays a key role in building patient trust in the NHS and impacts how patients interact with the remainder of the health service. I rely on you, as my Data Controller, to protect my most sensitive information and my ability to trust you, your colleagues, and the wider NHS.
Thank you for your time, hard work, and dedication to your patients during what I know is an incredibly pressured time for General Practice.
Yours sincerely,
[Your Name]
With thanks
This toolkit was adapted from a local template created by our friends at Sheffield Medact, so that patients all across England can take action too.