NHS Medical Records Are Now an Open Book for a US Spy-Tech Firm, Here's How It Happened


The NHS just quietly handed Palantir "unlimited access" to your identifiable patient data. This isn't a data breach. It's a policy choice. And that's the more alarming part.

by Kasun Illankoon, Editor in Chief at Tech Revolt


Palantir Technologies, an American data analytics company whose roots are planted deep in US military intelligence and immigration enforcement, now has what internal NHS documents describe as "admin" level access to identifiable patient data. Not pseudonymised records. Not anonymised aggregates. Real, identifiable information sitting in a system called the National Data Integration Tenant (NDIT), the so-called "safe haven for data" that exists before records are cleaned up and passed through to other systems.

The Financial Times broke the story. NHS England confirmed it. And now MPs, patient groups, the British Medical Association, Amnesty International, and cybersecurity experts are all asking the same question: how did we get here?

The answer is a story about pandemic-era contracts, aggressive lobbying, murky procurement, and a slow institutional capitulation to a company that the NHS's own internal documents warned could trigger "a risk of loss of public confidence."

The Foot in the Door

Palantir did not arrive at the NHS through a competitive tender. It arrived through a crisis.

In 2020, during the Covid pandemic, the company secured a series of short-term NHS contracts worth a combined £60 million, awarded without competition. The emergency justified the speed. But those pandemic contracts gave Palantir something more valuable than money: a position inside the system, relationships with NHS leadership, and a working proof-of-concept that made them the default frontrunner when the real prize came up.

That prize was the Federated Data Platform, or FDP. Designed to connect data across NHS organisations, reduce waiting list backlogs, and bring the health service into the data age, it was billed as the NHS's most ambitious digital transformation project. The contract, worth £330 million over seven years, was awarded to a consortium led by Palantir in November 2023, also including Accenture, PwC, Carnall Farrar, and NECS.

The procurement process drew immediate criticism for being shorter than usual and less transparent than expected. When campaigners and journalists requested the contract, NHS England initially released a version with 417 out of 586 pages completely blanked out. Following a legal challenge by the Good Law Project, substantially unredacted versions were released. What they revealed was striking: parts of the contract, including a section on the protection of personal data, were still being negotiated after the deal had already been signed.

What Palantir Actually Is

To understand why so many people are alarmed, you need to understand what kind of company Palantir actually is.

Founded in 2003 with early funding from the CIA's venture arm In-Q-Tel, Palantir built its name on data surveillance tools used by intelligence agencies and the military. Its Gotham platform is used by the US military, NATO allies, and police forces worldwide. Its Foundry platform, the civilian-facing product, is what powers the NHS FDP. But as a 2020 review by Privacy International and No Tech For Tyrants found, the two products share the same underlying architecture.

Palantir also supplies tools to US Immigration and Customs Enforcement (ICE), which uses them to track and detain migrants. The company has contracts with the Ministry of Defence and the Financial Conduct Authority in the UK. An investigation published in January 2026 found at least 34 current and past state contracts across at least 10 UK government departments.

More recently, Palantir's public posture has shifted in ways that have unsettled even those who were previously neutral. The company's official X account published a 22-point manifesto calling for universal national military service and the advancement of "AI weapons." Duncan McCann, technology and data lead at the Good Law Project, framed the core tension plainly: "Palantir is perceived as a defence contractor. If they had just stayed in that lane, I think people might accept that. But a defence company has inherently different values than the NHS, and that's where this concern was created."

The Access Question

When the FDP contract was signed, NHS England offered firm assurances. Palantir would not own the data. It would not control the data. It could not use NHS data for its own purposes. Under the original framework, any Palantir staff member needing to access the NDIT had to apply for clearance to access specific datasets, on a case-by-case basis.

That rule has now changed.

Under the new arrangement, Palantir staff and consultants from other firms working on the FDP can receive an "admin" role with broad, standing access to the NDIT and its identifiable patient data. The NHS insists that anyone granted this access must have government security clearance and be approved by a director-level NHS England staff member. But the shift from case-by-case access to standing "admin" access is precisely what critics warned against.

Cybersecurity experts have pointed out that increasing the number of people holding administrator-level access raises the probability of a serious breach through insider threats, stolen credentials, or malware targeting high-privilege accounts. And there is a second, less-discussed risk: aggregation. Two senior Ministry of Defence systems engineers warned in March that by combining data across different government datasets, Palantir could theoretically generate top-secret intelligence from entirely unclassified sources.

Sarah Simms, senior policy officer at Privacy International, put it in terms that should resonate with every NHS patient: "Trust is essential to delivering healthcare and the NHS. People should be able to trust that their data is being handled securely and ethically."

The Resistance

The backlash has been significant and, crucially, it has not come only from campaigners.

Around 50,000 patients have written to local NHS trust boards urging them not to adopt the FDP, through the Good Law Project's "Say No to Palantir" campaign. The British Medical Association passed a motion at its 2025 AGM opposing the FDP rollout and, in February 2026, announced it would tell doctors to limit engagement with the platform. Amnesty International is actively campaigning for NHS trusts and Integrated Care Boards to refuse Palantir's technology, ahead of the contract's renewal date in February 2027. Medact published a detailed briefing in March 2026 calling on trusts to urgently decline implementation of any Palantir products.

The one region that has held its ground longest is Greater Manchester. Its Integrated Care Board, which manages health services for 2.8 million people, is the only ICB in England to have formally declined to join the FDP. It built its own analytics platform over six years and has concluded that the FDP does not currently offer the same or better functionality. This week, Greater Manchester confirmed that its review of that decision is off the table. It is staying out.

In Parliament, the debate has sharpened. MPs have pointed out that after spending £330 million, the NHS owns no software and retains no intellectual property. Only about half of the 200-odd NHS trusts are live on the FDP, and only a quarter of those report actual benefits from using it.

Where This Ends

The government is now signalling that it is weighing an exit. Health Minister Zubir Ahmed told Parliament that the contract could be reconsidered if other firms "can do the job better," and that the break clause review is set for spring 2027. He also acknowledged the obvious: despite spending £330 million, the NHS has acquired no software ownership and no intellectual property.

But the architecture of this situation makes a clean exit difficult. The FDP is already embedded in hundreds of trusts. The NHS is simultaneously exploring plans for a Single Patient Record, a unified patient data system that, according to analysts, is likely to involve the FDP either as a data store or as core infrastructure, regardless of who nominally runs it.

The Definitive Answer

Here is what the evidence says, clearly: the NHS should not have signed this contract in this form with this company. The procurement was rushed, parts of it were agreed after signing, and the key data protection methodology was kept hidden from public scrutiny. The assurances about data access have already been quietly walked back. The company holding the data has publicly declared values that are categorically misaligned with public healthcare.

None of this means the FDP itself is a bad idea. It isn't. The NHS desperately needs better data infrastructure. The question is not whether the NHS should modernise its data systems. The question is whether a surveillance-technology company with contracts spanning military, immigration enforcement, and intelligence should be the one doing it, with standing admin access to the records of 56 million people.

The break clause in 2027 is not a guarantee of change. It is an opportunity. The question is whether the government has the political will to use it, or whether inertia, sunk costs, and the quiet gravitational pull of deep institutional embedding will win out, as they so often do.

Your data is already in the system. What happens to it next is a political decision.
