NHS Palantir contract -- processing special category health data for tens of millions. Where's the published DPIA?
The NHS Palantir FDP contract is live across 120+ trusts. It's processing special category health data at scale, on infrastructure subject to US jurisdiction, through a semantic layer that independent experts describe as opaque.
Under UK GDPR, a Data Protection Impact Assessment is mandatory before processing likely to result in high risk to individuals. Large-scale special category data. Systematic processing. Significant effect on individuals. Any one of these triggers the obligation. NHS patient records hit all three.
Was a DPIA completed before go-live? Was it published? Did the ICO review it? Who signed off on the residual risks?
And it's not just an NHS England problem. On the Isle of Man, sixteen health-tech vendors are right now working inside Manx Care infrastructure -- every one running on AWS, Azure, or GCP, every one subject to US jurisdiction under the CLOUD Act and FISA 702 -- under a governance framework that hasn't received Royal Assent yet.
Same special category data. Same missing DPIA. Same question.
Full piece: haunted.lighthouse.co.im/articles/wheres-the-dpia/