Can Patients Trust Palantir with Their Health Data?
The UK’s National Health Service says Palantir’s Federated Data Platform can reduce delays and improve patient care. But concerns over consent, confidentiality and digital dependency raise a deeper question about who controls Britain’s health infrastructure.
Written by Edward Penrose – 08/06/26
For patients, the use of data within the NHS rests on an implicit bargain. People disclose intensely personal information because they believe doing so will help clinicians treat them, and that their information will remain protected by duties of care and confidentiality. Palantir’s growing role in the health service tests that bargain.
The controversy centres on the NHS’s new Federated Data Platform, or FDP, which uses Palantir’s Foundry software to connect information held across separate NHS systems. The dispute surrounding its rollout has raised larger questions about who should build the digital infrastructure of the modern state, who controls it once it becomes embedded, and whether public institutions can realistically disentangle themselves from the private platforms on which they increasingly depend.
Technology Secretary Liz Kendall has said the government is reviewing “every single aspect” of NHS England’s contract with Palantir. The deal is worth up to £330 million over a potential seven-year period, although only the first three years are initially committed. Ministers must decide before the March 2027 break point whether to end the arrangement after that initial term or allow it to continue.
In June 2026, the House of Commons Science, Innovation and Technology Committee described Palantir’s expanding presence across the public sector as an “unacceptable point of weakness” and called for a fully costed exit plan. Its concern was not primarily the quality of the software, but the risk of vendor lock-in: that a single US-headquartered supplier could become so deeply embedded within a critical public service that replacing it would become increasingly difficult, expensive and disruptive.
This question was central to Dominic Bowen’s recent conversation with Phil Booth, coordinator of medConfidential, on The International Risk Podcast. For Booth, the dispute is about more than security or efficiency. It is about whether patients understand what is happening to their information, whether they have meaningful choices, and whether the NHS retains genuine control over the infrastructure on which it depends.
The Pandemic Origins of Palantir’s NHS Role
Credit: Rwendland / Wikimedia Commons, CC BY-SA 4.0.
Palantir began working with the NHS during COVID-19, when Foundry helped allocate ventilators and protective equipment and support the vaccine rollout. In November 2023, a Palantir-led consortium won the contract to deliver the FDP, which formally began in March 2024.
There is a substantive case for the platform, which NHS England sets out in its quarterly NHS Federated Data Platform Uptake and Benefits publication. NHS information is fragmented across systems that often communicate poorly. Foundry brings data together, standardises how it is presented and gives authorised staff near-real-time information. This can help coordinate operating theatres, validate waiting lists, follow cancer pathways and discharge medically fit patients with the appropriate support, freeing up scarce inpatient beds.
By the end of February 2026, 123 hospital trusts and all 41 integrated care boards were live on the FDP, while 168 trusts had signed agreements to join. NHS England reported that trusts using the Inpatients Care Co-ordination Solution had delivered 110,078 additional patients undergoing procedures in theatres by the end of December 2025, compared with the previous period without FDP use. OPTICA, its discharge product, had supported 297,943 patient discharges by the same point. OPTICA was associated with reductions of roughly 15 per cent in delayed days for longer-stay patients.
These are significant reported gains in a health system struggling with backlogs, limited capacity and exhausted staff. The Patients Association guide supported the principle of using a federated platform to improve patient care, while stopping short of endorsing Foundry itself. That distinction raises a larger question, one Dominic put to Booth: whether the primary concern is Palantir itself, the governance model surrounding the platform, or the broader technological evolution of health-data systems.
The Official Safeguards
NHS England says Palantir does not own NHS data and cannot commercialise it, derive new supplier products from it or use it to train AI models. NHS organisations remain the data controllers and determine who can access information, while Palantir acts as a data processor under their instructions. Nevertheless, these contractual protections have not settled the debate.
The official position is that data is stored and processed in the United Kingdom and that access is restricted according to a user’s role and purpose. Local NHS organisations manage their own platform instances, while NHS England operates the National Data Integration Tenant, a national environment used to integrate information for some FDP products.
In May 2026, reporting based on an internal NHS briefing note said that a new administrator role would permit a small number of external contractors, including Palantir personnel, what the document described as “unlimited access” to identifiable information within the National Data Integration Tenant. NHS England said that such access would require government security clearance, approval from a director-level official and regular auditing. Palantir said that unauthorised use would be illegal and technically prevented by restrictions controlled by the NHS.
The dispute therefore lies partly in the gap between contractual limits and the practical requirements of administering the system. Palantir may have no right to sell or independently use a patient’s record, but some of its personnel may still require extensive access to identifiable information. The questions requiring clearer public answers are how often such access occurs, why it is necessary, who authorises it and whether the arrangements can be independently verified.
Booth also disputes how clearly the contract separates ownership of NHS data from the commercial value Palantir may gain by working with it. He points to Cancer 360 and OPTICA, two Foundry-based applications used in NHS workflows. Cancer 360 combines information from cancer registers, diagnostic systems, hospital bookings and treatment-management systems to help staff coordinate cancer pathways. OPTICA uses real-time patient tracking and task management to coordinate hospital discharge and reduce avoidable delays.
For Booth, their significance extends beyond their immediate clinical purpose. He argues that, by developing applications around the movement of patients and information through the NHS, Palantir gains commercially valuable knowledge about healthcare workflows and operational processes. That expertise, he contends, could inform products offered to healthcare systems elsewhere even if Palantir neither owns nor sells the underlying NHS patient data. NHS England, however, maintains that Palantir cannot use NHS data to derive new supplier products.
Booth further argues that the technical safeguards available through Foundry have not been made sufficiently visible to patients. The platform appears capable of providing greater transparency, potentially including a way for individuals to discover who has accessed their information through subject access requests. Booth said he believed that such a function had been developed, but had not been adequately communicated by NHS England. His criticism is not simply about whether these controls exist, but whether patients have been clearly told what is available, how it operates and how they can exercise their rights. Trust, in this view, cannot rest solely on assurances from the institutions operating the platform.
Consent Without Meaningful Choice?
Consent is equally complicated. Patients generally expect their records to support direct care and treatment, but may be less aware that the same information supports operational management, service planning, population analysis or future AI-enabled systems. While the FDP is primarily an operational platform rather than an external research database, that distinction may mean little to patients who do not understand how widely their information already moves through the health service.
For Booth, the issue is not only ownership, but whether patients understand and can meaningfully object to wider uses of their data.
Existing opt-outs do not provide a simple answer. Booth points to the Type 1 opt-out, through which patients can instruct their GP practice not to release confidential information for purposes beyond their direct care, and the national data opt-out, which allows patients to opt out of confidential patient information being used for research and planning. Neither provides a blanket means of refusing FDP processing or rejecting Palantir specifically.
NHS England’s FDP privacy notice says that Type 1 opt-outs and the national data opt-out do not currently apply to products used in the FDP. It says Type 1 opt-outs do not apply because national FDP products do not process confidential patient information from GP practices, while confidential patient information used in local FDP products is used for individual care. It also says the national data opt-out does not apply because national FDP products do not process confidential patient information to which the opt-out would apply, while local FDP products use confidential patient information for direct care. The National Data Integration Tenant privacy notice adds that directly identifiable patient data may be collected by NHS England, but says this information is de-identified before being processed by NHS England teams or made available through dashboards.
That position may be legally coherent, but it leaves patients unable to accept the clinical purpose of a system while separately objecting to the supplier or governance model used to deliver it. Booth argues that this weakens meaningful control when a patient’s concern is not the use of data in principle, but the organisation processing it or the infrastructure through which it passes.
He is also sceptical of the extent to which pseudonymisation can provide sufficient protection in the new system. Replacing names and NHS numbers with codes reduces the risk of immediate identification, but it does not automatically make information anonymous. The Information Commissioner’s Office says pseudonymised personal data remains personal data where it could be attributed to an individual using additional information. Detailed records linked across time and different settings can therefore remain identifiable, particularly to organisations that possess, or can obtain, the additional information needed to reconnect them to individuals.
The history of care.data hangs over the debate. Launched in the 2010s, the programme sought to extract information from GP records and link it with hospital data for planning and research. It was abandoned in 2016 after the National Data Guardian’s review of data security, consent and opt-outs, and after sustained opposition from patients, clinicians and privacy campaigners who argued that NHS England had failed to explain clearly what was being collected, who might receive the data and how people could opt out.
The FDP differs from care.data in its design, purpose and legal structure. Nevertheless, the earlier programme demonstrated that technically useful health-data projects can fail when public consent is treated as a communications problem to be managed afterwards, rather than as a condition of public legitimacy. Campaigners calling for greater transparency and safeguards, including Booth and medConfidential, are not arguing that health data should never be used beyond the consultation room. They argue that such uses must be clearly explained, properly governed and accompanied by meaningful choices wherever possible. Patients should have clearer ways to understand who has accessed their information and how their data is being used beyond their direct care. medConfidential frames the test in a simple phrase: health-data systems should be “consensual, safe and transparent”.
The Palantir Problem
Palantir’s involvement is controversial partly because healthcare is only one part of its business. The company also supplies defence, intelligence and law-enforcement organisations, and has worked with immigration authorities. Booth argues that this creates an ethical tension when the same company becomes embedded in civilian healthcare, while other parts of its business support surveillance, military decision-making and war-related operations. The concern is not that NHS records are necessarily being transferred into military, policing or immigration systems. It is that the reputation and wider relationships of a health-service infrastructure provider can affect public trust in an institution built on neutrality and confidentiality.
The British Medical Association and civil-liberties groups have raised related concerns, warning about the effect that distrust could have on the relationship between doctors and patients, and on patients’ willingness to disclose sensitive information. Medact and partner organisations have urged NHS trusts and integrated care boards to refuse Palantir’s software and called for NHS England to terminate the contract at the upcoming review. Some NHS data leaders have also argued that existing local systems are already better suited to their needs.
Booth gives the example of a patient in the UK seeking care from a health service whose data infrastructure is partly provided by the same company whose technology may have been used by another customer in military operations affecting their family or friends abroad. “If you’re serving, on the one hand, a bunch of customers that are trying to kill people, and on the other hand, customers that are about preserving life, sustaining life, you are going to find some serious conflicts,” he told The International Risk Podcast. Palantir agreed a strategic partnership with the Israeli Ministry of Defense in 2024, saying its technology would support Israel’s war effort, while human-rights groups have cited that relationship in their campaign against its NHS role.
This matters because health systems depend on more than technical security. They depend on patients believing that they can speak honestly to clinicians without information being used in ways they did not expect or do not understand. If people begin withholding details about their health, immigration status, mental health, reproductive history or substance use because of distrust, a crisis of data governance can become a clinical and public-health risk, creating harms larger than the operational problems Palantir was brought in to help solve.
The Deeper Risk: Dependency
The strongest criticism of the FDP may not be that Palantir could misuse data. It is that the NHS could gradually lose the ability to function without Palantir and therefore struggle to walk away from the arrangement. Booth links this to a wider failure to invest in public capability. The NHS is one of the largest organisations in the world and, he argues, should be able to develop, maintain and adapt more of its own essential digital infrastructure. That argument echoes the wider lesson of the Goldacre Review, which emphasised the need to invest in people, teams, platforms and modern data infrastructure. Outsourcing may solve an immediate skills gap, but it can deepen that gap if knowledge, tools and decision-making gradually migrate towards the supplier.
NHS England says it has protected against this outcome and that the contract includes safeguards against vendor lock-in. It points to data-export and migration requirements, “step-in” rights, NHS ownership of intellectual property in commissioned material, contractual exit provisions and efforts to develop internal NHS engineering and analytical capability. However, Palantir retains the intellectual property in Foundry itself.
Booth argues that contractual exit rights do not necessarily amount to operational independence. Once staff are trained on one platform, workflows are redesigned around it, and dashboards, data models and performance measures are built inside and around it, changing supplier can become institutionally disruptive and financially expensive, even if it remains legally possible.
The House of Commons Science, Innovation and Technology Committee has recommended using the early-2027 break clause and developing an in-house replacement or alternative UK provider. Leaving, however, carries risks of its own. Removing a functioning platform without a credible replacement could disrupt hospital operations and sacrifice genuine improvements.
The 2027 review will therefore test whether the promised exit protections are real. The question will not simply be whether the FDP works. It will be whether the NHS still possesses the knowledge, leverage and credible alternatives required to choose freely. The review should test more than contractual compliance. It should publish independently assessable evidence on benefits, contractor access, audit arrangements, patients’ practical rights, ownership and portability, and the cost of moving elsewhere.
The relationship between Palantir and the NHS represents a wider international risk. Governments worldwide increasingly rely on private platforms to provide the speed, scale and analytical capacity their own institutions struggle to build. But once those platforms shape how public services see problems, organise information and make decisions, efficiency can become inseparable from dependency before citizens realise that a strategic choice has been made. The decisive test is whether the public can verify what these systems do, and whether institutions such as the NHS still have the knowledge, leverage and alternatives required to say no. Public institutions must remain the masters of those systems, rather than becoming dependent users of infrastructure they no longer fully control.
