Government urged to end Palantir contract before single patient record is developed

MPs have urged the Government to end US tech company Palantir’s current NHS contract and ensure the anticipated single patient record has ‘UK-owned’ suppliers instead. 

The House of Commons Science, Innovation and Technology Committee has concluded Palantir’s presence in the public sector was ‘an unacceptable point of weakness’.

It said the Government should ‘commit to wherever possible using UK-owned and UK-based suppliers to develop and implement the NHS Single Patient Record’, and urged the Government to trigger a break clause in Palantir’s contract for the NHS federated data platform (FDP). 

The single patient record will be created through legislation in the Health Bill and it will include GP patient data as well as secondary and social care data. It will give clinicians in England ‘improved access’ to records for 80% of patients by 2027, and patients can access a ‘core set of their data’ in the NHS App by 2028, according to the Government.

Reporting on its inquiry into ‘digital transformation’ in Government, the committee said: ‘Of the small number of technology providers that the UK public sector relies upon, Palantir concerns us most. In the United States it has supplied software for that country’s military and immigration services, supporting highly controversial policies and activities. Its co-founder has criticised the concept of a national health service and the company has issued a manifesto that makes explicitly political arguments, undermining what the head of their UK and European business told us.

‘Our view that Palantir’s increasing presence across the public sector represents an unacceptable point of weakness is not ideologically motivated or driven by concerns about the quality of their products.  

‘The government should retain the ability to pick and choose individual suppliers and safeguard against the risk of vendor lock-in and debilitating dependencies, particularly in areas of critical national importance such as healthcare and national security infrastructure.’

The Government has two months to respond to the committee’s report, which recommended the Government make use of the next break clause to end the Palantir contract. 

It comes after a health minister refused to commit the Government to activating the break clause. Dr Zubir Ahmed, the then-Parliamentary Under-Secretary of State at DHSC, told MPs in April the Government ‘will decide later this year’ whether to extend the contract, ahead of the contract review period in February 2027. 

But the committee report said: ‘The Government should commit to exercising the February 2027 break clause in the Federated Data Platform contract and either develop an in-house replacement or seek an alternative developed by UK-owned and UK-based providers that are more compatible with UK values, and do not pursue either technical or contractual dependencies. It should publish a fully costed exit plan for the Federated Data Platform by the end of 2026.’ 

DHSC has previously said the single patient record will connect with ‘existing systems’ such as the FDP, but it said ‘no single supplier’ would dominate contracts for the single patient record. 

The MPs’ report said: ‘The Government should commit to wherever possible using UK-owned and UK-based suppliers to develop and implement the NHS Single Patient Record, and to awarding all associated contracts via open and transparent procurement processes.’ 

The FDP is intended to link data from across NHS organisations to support both planning and direct care, and began rolling out in NHS trusts in 2024. Palantir – a data analytics company known for its work with US intelligence and security agencies – was awarded a £330m, seven-year contract in 2023 to deliver the FDP.     

Separately, the National Data Guardian, which advises the Government on the use of health data, this week said it is concerned that more Palantir staff had access to the FDP than it previously assumed. 

It said: ‘The DPIA (Data Protection Impact Assessment) we reviewed stated that access to identifiable patient information would be limited to NHS staff with a legitimate need. 

‘However, since then, recent media reporting, and subsequent confirmation from the programme team, indicate that some external contractor staff also have access to identifiable patient information within the National Data Integration Tenant (NDIT) environment. We were not aware of this. We have therefore written to the programme to seek clarification on this inconsistency.’ 

GP leaders and patient data groups have voiced concerns about how confidentiality of patient data would be protected in the single patient record. 

Last year, the committee heard evidence for its inquiry from Palantir’s UK chief Louis Mosley, who accused the BMA of putting ‘ideology over patient interest’ in its opposition to the company’s growing role in NHS data systems. 

The union had raised concerns about how Palantir’s technology has been used in surveillance, policing and conflicts, as well as a lack of transparency around how patient data might be accessed or used. 

Health secretary James Murray has confirmed his department would become a data controller for the GP patient data that is added to the single patient record.

Pulse has contacted Palantir to respond to the committee’s recommendations and the National Data Guardian’s concerns.