Duncan McCann: Streeting has betrayed us on health records

Last month, health secretary Wes Streeting quietly put out a directive on health data requiring NHS England to enable “certain information held in general practice (GP) health records to be collected and disseminated” for research. And with this brief, technical note, Streeting blew a hole in patient trust.

This “certain information” is a huge trove of personal health information that was taken back to the early days of the pandemic. On March 20 2020, as Boris Johnson scrambled to close down pubs, gyms and theatres, Matt Hancock took a snapshot of all our health data. The NHS COVID-19 Data Store was created to help politicians and health professionals struggling to contain the outbreak.

Working with Microsoft, Amazon, Google and Palantir, Hancock used emergency powers to ride roughshod over legal protections on sharing our data. An “unprecedented challenge” needed an unprecedented response. But it was firmly ringfenced by promises that as soon as the crisis had passed, the data would be deleted.

“Once the public health emergency situation has ended,” the health department said, “data will either be destroyed or returned in line with the law and the strict contractual agreements that are in place between the NHS and partners.”

But it wasn’t.

Johnson lifted the last remaining Covid restrictions in February 2022. And four months later the emergency provisions under which the NHS could “receive and process the confidential patient information that is necessary for Covid-19 purposes” quietly rolled over.

This massive cache of emergency data is so valuable to the NHS and the companies who want to use it that the permissions kept on rolling over until last month, when Streeting formalised this data grab and told GPs there was no need to inform their patients.

In healthcare, data is essential. To make the right decisions about our care, doctors and nurses have to rely on information about both the patient in front of them and the system around them.

And data relies on trust. To share our most intimate information with doctors and nurses, we have to trust they will keep it safe and stick to their promises about how they’ll use it.

With Palantir looming like a malevolent cloud over health systems and the UK government, trust is under threat as never before. This spy-tech company has enabled genocide in Gaza, and ran a predictive policing project that was accused of entrenching racism and failing to reduce crime. And the government has handed them the keys to our data.

When we ask Streeting, he says that no-one can connect health data with individuals because it’s pseudonymised. He tells us that Palantir only has “limited” access. He tells us that it will only be used for vital research. And he assures us that it won’t be shared around the government or reused by bodies like the police.

These risks aren’t hypothetical. In the age of big data, you can identify individuals from pseudonymous data by combining it with other datasets: your entry on the electoral register, your credit rating, your Tesco Clubcard. In 2024, the Guardian reported claims from a fringe group advocating theories that intelligence is based on race that they had obtained a “fucking large” haul of sensitive NHS data. And Palantir’s whole business model is based on connecting data together – just look at how they’re already using health data to target people for ICE in the US.

When we ask Streeting for the technical details and contracts that would show how the NHS is dealing with our data, he says it’s commercially sensitive information. He’s asking us to take it all on trust.

But how can you trust a man who suggests GPs can ignore their legal duties to patients? Who rips up a cast-iron commitment to delete data that was only collected for an emergency?

Our data belongs to all of us. We need to know how the NHS deals with our data. We need the right to say no. No to sneaky data grabs and no to Palantir.