The Download: What we learned from the unredacted FDP contract

NHS England has faced much scrutiny over its flagship data project, the Federated Data Platform, since it was first announced back in 2022.

One consistent complaint – from people both in and outside the NHS – has centred on a lack of transparency about the FDP, which is one of NHSE’s most high-profile technology programmes.

After some muted grumblings about the contract being awarded to Palantir, critics then took issue with NHSE’s perceived secrecy regarding its contract with the American firm.

The regulator’s contract – published in January – saw 417 of its 586 pages completely redacted. This seemed excessively secretive and NHSE chiefs subsequently committed to publishing a less-redacted contract.

This version was quietly published at the end of March – four months after it was awarded – so what have we learned from it?

Anyone hoping for a smoking gun will be sorely disappointed. Which begs the question: why the secrecy to begin with…

Protection of personal data

One of the main points of contention following the publication of the original redacted contract was a section entitled “protection of personal data”, which – aside from the title – was entirely redacted.

Now that this information has been published in full, perhaps it can provide some reassurance to those who had fears that their data would not be safe in Palantir’s hands.

It largely sets out what we already knew – Palantir as the supplier of the platform is the data processor and NHS organisations are the data controllers, meaning the NHS has the authority over how data can be used.

Without going down technical rabbit-holes, it is safe to say there are numerous safeguards in place (and Palantir are bound by both UK law and the terms of the contract) to ensure that patient data is safe and secure.

For instance, there is a clause that states no personal data from the FDP can be transferred out of the UK except without prior written consent from the NHS and only if several legal conditions are met.

Other points may raise some eyebrows, though.

In its regularly-amended frequently asked questions on the FDP, NHSE states that only “authorised users” – such as NHS staff and those supporting them – will be able to see data in the FDP.

The contract, however, states that “processor personnel” – in other words Palantir staff – may have access to personal data.

NHSE previously stated this may be the case in a privacy notice last updated in March, which sets out that FDP contractors may see data “where it is necessary for them to operate and maintain the FDP”.

While this will inevitably raise concerns among ardent FDP critics, what the contract does do is provide assurance that the supplier is required to “ensure the reliability and integrity” of any personnel with access to data by providing them with adequate training and ensuring they maintain confidentiality.

Ultimately, it feels reasonable to expect those working on a large-scale platform like this to have to look under the bonnet every now and then. Being honest about this and setting out how this will be done securely should be welcomed.

Social value

In addition to the serious business of establishing how personal data will be protected, the unredacted contract also sheds some light on how the FDP’s suppliers will provide social value.

Any public body awarding a major contract is required to consider how what they are buying might improve economic, social and environmental wellbeing.

We already knew that in the case of the FDP, this will primarily be achieved through the creation of a digital and data skills academy in partnership with Palantir.

But there’s more.

According to the contract, Palantir’s social value contribution will also include opening an “office hub” in the north of England by no later than next year.

Additionally, the firm – together with its consortium – will deliver ten hours of “inclusion-focused training” to NHSE leadership which will be used to establish equal opportunity targets.

Finally, one trust will also receive funding from the supplier for an “annual uplift programme” which will review equal opportunities issues and provide digital skills training to 25 BME staff.

So, in summary, the social value element of a flagship £330m contract with the NHS boils down to an office in North England, a day’s inclusion training and increased training for ethnic minority staff in one of the NHS’ 200-plus trusts.

The Download finds the social value offer underwhelming, but then again - we are not experts on how this compares to other large tech companies’ offerings.

Honesty is the best policy

As expected, some aspects of the contract remain redacted due to commercial sensitivity.

But overall, the publication of a largely unredacted contract has provided a level of transparency that the public has not usually been afforded with regards to the FDP.

Perhaps NHSE could have saved itself a headache by publishing this version to begin with.

Ultimately, the concerns around Palantir and a lack of transparency on the FDP did not translate into mass data opt-outs as some feared.

Around 20,000 people opted out of data sharing after the announcement that Palantir had been awarded the contract in December, and 1,000 or so more opted out following the publication of the unredacted contract in January.

But a greater level of transparency moving forward, which NHSE has committed to, may do more to get people on board with the FDP and help ensure it delivers on its aims.