The NHS Just Handed Palantir the Keys to the Building

An NHS contractor used to fill in a form to see a specific dataset. Now, according to an internal briefing reported by the Financial Times and Digital Health, Palantir staff get an 'admin' role with 'unlimited access' to identifiable patient records inside the system that feeds the Federated Data Platform. This is not a procurement footnote. It is a quiet redefinition of who controls the most sensitive personal data the British state holds.

The mechanism matters. The National Data Integration Tenant is the holding pen where raw NHS data sits before it gets pseudonymised and pushed downstream — the briefing calls it a 'safe haven for data'. 'Safe haven' is doing a lot of work in that sentence. Until now, contractors had to request access to specific datasets, one at a time. Now they've asked for, and reportedly received, the same standing access as an NHS employee with clearance.

NHS England's defence is procedural: anyone external needs government security clearance and sign-off from a director or above. Palantir's defence is legal: it is a 'data processor', not a 'data controller', and can only act on instruction from the NHS. Both statements can be true. Neither answers the actual question.

The question isn't legality. It's leverage.

When you give a single private vendor standing, admin-level access to the data pipes of a national health service, you are not just hiring a contractor. You are creating a dependency. The £330 million contract Palantir's consortium won in 2023 was sold as plumbing — link the fragmented systems, help with research, spot trends, improve care. Plumbing is a useful metaphor right up until the plumber owns the water.

The NHS's own briefing, written by a senior data official in April 2026, concedes the obvious: enhanced permissions carry a 'risk of loss of public confidence' in how patient data is safeguarded. The same document recommends capping external admin access and making any such permissions time-limited and subject to regular review. Read that twice. The people writing the policy are flagging the policy.

Polling cited by The Guardian found more than two-thirds of the UK public are concerned about Palantir's growing roster of public contracts, and 40% don't trust the company to stay out of NHS patient data — even though Palantir says it cannot and will not access it. Some NHS staff have already refused to use the FDP on ethical grounds. That is not a comms problem. That is a workforce telling its employer something.

Who you contract with is a political choice

Procurement loves the fiction that vendors are interchangeable. They are not. Palantir's co-founder Peter Thiel has said the NHS 'makes people sick'. Its UK arm is run by Louis Mosley, grandson of British fascist leader Oswald Mosley. The company's other clients include US Immigration and Customs Enforcement and a string of military and intelligence projects. You don't have to think any of that disqualifies them to think it's relevant context for handing them admin rights over millions of people's medical records.

And the data-processor framing — the legal shield Palantir keeps holding up — is thinner than it sounds. Access is access. Once an engineer can see identifiable records inside the tenant, the controller/processor distinction is a paperwork question, not a physical one. Audit logs are reassuring. They are also retrospective.

What's striking is how little of this is being decided in public. There is no evidence of a formal consultation on the permissions change. The story exists because an internal briefing leaked. The MPs calling it 'dangerous' are reacting, not legislating. The default setting of British digital infrastructure is now: a contract gets signed, a permission gets widened, a journalist finds out, everyone argues for a week, the system keeps running.

Data sovereignty is not an abstract phrase. It's the answer to a concrete question: if you wanted to revoke this access tomorrow, could you? With the FDP wired the way it now is, the honest answer is — it would hurt. That's the deal. That was always the deal. The unlimited-access memo just put it in writing.

The NHS didn't sell your records. It did something quieter and harder to undo. It gave someone else a key and trusted them not to use it.