NHS Data Privacy Row Deepens as Palantir Access Raises Questions About Patient and Staff Security
The controversy surrounding Palantir's role within NHS England has reached a new level of intensity, with revelations about the extent of system access granted to the US technology firm's engineers prompting urgent calls for a parliamentary inquiry and a fundamental review of the governance arrangements underpinning the NHS Federated Data Platform contract.
Background
The NHS Federated Data Platform represents one of the most ambitious and controversial technology projects in the health service's history. Designed to integrate patient data across NHS trusts in England, enabling more efficient care coordination and better use of health data for research and planning, the platform was awarded to Palantir in 2023 after a procurement process that attracted significant criticism from privacy advocates, NHS staff unions, and some members of parliament.
Palantir's background – the company was founded with seed funding from the CIA's venture capital arm, In-Q-Tel, and has extensive contracts with US intelligence and defence agencies – has made it a particularly controversial choice for a contract involving sensitive NHS data. Critics have argued that the company's opacity about its data practices, its connections to the US national security apparatus, and its track record in other jurisdictions make it an inappropriate partner for the UK's public health system.
The government and NHS England have consistently defended the contract, arguing that Palantir's technology is best-in-class, that robust data governance arrangements are in place, and that the platform will deliver significant benefits for patients and the health service. However, the latest revelations about the access granted to Palantir engineers have reignited the debate and raised new questions about whether the governance arrangements are as robust as claimed.
Key Developments
An investigation published in April 2026 revealed that Palantir engineers have been issued official NHS email accounts, with internal sources warning that this access may extend to a comprehensive staff directory of up to 1.5 million NHS employees. The revelation has sparked alarm within the health service, with staff unions and privacy advocates describing the situation as a significant breach of the data governance principles that were supposed to govern the Palantir contract.
The Information Commissioner's Office has been asked to investigate whether the access arrangements comply with UK GDPR requirements. Several MPs have written to the Health Secretary demanding an urgent explanation of what data Palantir engineers can access, under what circumstances, and what oversight mechanisms are in place. NHS England has not publicly confirmed or denied the specific details of the access arrangements, citing commercial confidentiality – a response that has itself attracted criticism from those who argue that transparency is essential when public health data is involved.
Why It Matters
The Palantir controversy matters because it goes to the heart of a fundamental question about the future of the NHS: who controls the data that the health service generates, and in whose interests is it used? The NHS holds some of the most sensitive personal data in existence – detailed records of people's health conditions, treatments, medications, and mental health histories. The governance of this data is not merely a technical or legal question but a deeply political one, touching on issues of trust, accountability, and the proper boundaries between public services and private enterprise. For context, the NHS's previous attempt to create a centralised patient data system – the care.data programme, launched in 2013 – was abandoned in 2016 after a public backlash over data sharing arrangements that patients had not been adequately informed about. The Palantir contract risks repeating the mistakes of care.data if the governance arrangements are not sufficiently transparent and robust.
Local Impact
For NHS patients and staff across England, the Palantir controversy raises immediate and practical concerns. Patients who have not consented to their data being accessed by a private US technology company may feel that their privacy has been violated, even if the access is technically lawful under the existing governance arrangements. NHS staff – particularly those in sensitive roles – may be concerned about the security of their personal and professional information. In Northern Ireland, where the health service operates separately and has not entered into equivalent arrangements with Palantir, the controversy has prompted questions about the data governance frameworks for any future digital transformation projects. The PSNI has also been asked whether the exposure of NHS staff data creates any security risks for personnel working in sensitive areas.
What's Next
The Information Commissioner's Office is expected to respond to requests for an investigation within weeks. Parliament's Health and Social Care Select Committee has indicated it will call NHS England executives to give evidence on the Palantir contract arrangements. The government faces a difficult balancing act: defending a major technology investment while addressing legitimate concerns about data privacy and corporate accountability. A parliamentary debate on the issue has been requested by several opposition MPs and is expected to be scheduled for May 2026. Watch for the ICO's initial response and any announcements from NHS England about changes to the access arrangements.
Sources: The Guardian – NHS Health, April 2026; Wired



