NHS England has granted external staff from companies including Palantir “unlimited access” to identifiable patient data while working on a part of its flagship data platform.

The change, first outlined in an internal briefing note seen by the FT, relates to the National Data Integration Tenant, described as a “safe haven for data” before it is “pseudonymised” and transferred to other systems.

The NDIT is an area within the Federated Data Platform, a tool that connects disparate NHS data into a single system, which Palantir won a £330mn contract in 2023 to build.

Under the plan, NHS England has agreed to create an “admin” role, which the briefing acknowledges “permits unlimited access to non-NHSE staff” to the NDIT and the identifiable patient information held within it.

As well as Palantir employees, this could include staff from consultancy firms who have been drafted in to work on the FDP.

The change marks a significant departure from the current practice, which requires any individual working with the NDIT to apply for clear data access for specific data sets.

The briefing document, written by a senior NHS data official in April, acknowledges that granting enhanced permissions could mean there is a “risk of loss of public confidence” when it comes to “safeguarding patient data and ensuring appropriate use and access to it”.

While all-round access was originally intended only for NHS England employees with security clearance, the briefing noted that external workers had requested the same permissions “as it is too inconvenient to apply for all of the necessary individual CDAs”.

It added:

“This is not only about Palantir, hence we have referred to non-NHSE staff, but there is currently considerable public interest and concern about how much access to patient data Palantir/Palantir staff have.”

The note recommends that a cap be placed on the number of external admins with access to the NDIT, which should also be time-limited and regularly reviewed.

Officials confirmed that the recommendation in the briefing note had been accepted in recent weeks but said it would apply to only a small number of non-NHS staff.

Martin Wrigley, a Liberal Democrat member of the House of Commons technology committee, said:

“This somewhat cavalier attitude to data security demonstrated how this whole [FDP] project does not have security by design at its heart. The public will be rightfully concerned that data privacy is not the first concern.”

NHS England has committed to five “data promises”, which include transparency about who can access data and what they can see.

Referencing the pledge, the briefing warned that “being sure exactly who is accessing what patient-identifiable data at any one time” is a top concern.

“The more people have unrestricted access, the less that aim can be met,” it added.

An NHS England spokesperson said:

“The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance — including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients.
Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.”

Palantir’s involvement in creating the FDP has increasingly become controversial because of its work in the US defence sector and immigration enforcement.

Its co-founder and chief executive, Alex Karp, has been an outspoken supporter of Donald Trump, and some NHS staff have refused to work on the FDP due to ethical concerns about the company.

Supporters of the FDP have praised its ability to bring together operational data, such as waiting lists and operating theatre schedules, and improve patient outcomes.

A Palantir spokesperson said:

“To the NHS, and all our customers, we are designated by law as a ‘data processor’, with our customers “data controllers”.
That means that Palantir software can only be used to process data precisely in line with the instruction of the customer. Using the data for anything else would not only be illegal but technically impossible due to granular access controls overseen by the NHS.”