Stephen Delahunty reports on concerns about credit agencies being used by health bodies when processing patient data.
The Department of Health and Social Care is remaining tight-lipped about its decision to award a contract to the UK subsidiary of a multi-billion dollar US credit reporting agency that checks patient data when attempting to book a Coronavirus home test online.
Tens of thousands of people have already visited the Government website to book their test. Users are told that, in order to confirm their identity, they need to share their information with TransUnion. It is the smallest of the three largest credit agencies, along with Experian and Equifax.
Individuals unwilling to share their credit data are asked to start the process again and advised to choose the drive-through test option. It is unclear what possible COVID-19-related reason there would be for the Government to grant the company access to UK citizens’ information.
Privacy and civil liberties campaigners have already warned about tech firms getting their hands on patient data in the battle against the Coroanvirus.
NHSX – a NHS subsidiary focused on digital innovation – and NHS England Improvement reported at the end of March that they had engaged Palantir alongside Microsoft, Google and London-based artificial intelligence (AI) firm Faculty to build a “data platform” to make their COVID-19 response as efficient and effective as possible.
Data is gathered from sources, including 111 calls and COVID-19 test results. Privacy International, Big Brother Watch, medConfidential, Foxglove and Open Rights Group sent Palantir 10 questions about its work with the NHS during the public health crisis. The four privacy campaigning groups say that they are “primarily interested in if and how Palantir will retain and use the data analysis gleaned from this work with the NHS”.
Privacy International added: “As Palantir says, in the spirit of ‘open and critical discussion’, we have asked them for key details about their current work with the NHS. It would be misleading and cynical for Palantir to offer services to the NHS without being fully transparent about how the company may benefit from the data analysis gleaned in this work, which they can then go on to profit from and strengthen their proprietary systems.”
Palantir and Faculty are highly controversial either because of links to the CIA and the Donald Trump administration; or to Dominic Cummings, the Prime Minister’s chief advisor and the former head of the Vote Leave campaign during the 2016 EU Referendum, which was found to have breached UK electoral law by overspending.
TranUnion is a subsidiary of TransUnion LLC. The US company collects information on more than a billion people and has profiled almost every ‘credit-active consumer’ in the US.
In 2017, a San Francisco federal court awarded $60 million in damages to consumers who accused the company of falsely reporting that they were on a government list of terrorists and other security threats. The award came after a six-day trial over whether TransUnion failed to take reasonable steps to prevent errors when it reported that consumers were on the blacklist, maintained by the US Department of Treasury’s Office of Foreign Assets Control.
In the past, NHS England Improvement had urged hospitals to work with credit reference agency Experian to check whether patients could receive free treatment, in an effort to tackle health tourism. However, a report by the Health Service Journal reveals that the NHS body admitted it had not carried out its own assessment of whether the move would break data protection rules.
In January, Lewisham and Greenwich Hospital Trust admitted that using a credit score company to check if patients were eligible for free NHS treatment “was not the right choice”. The information shared with Experian included a person’s name, address, date of birth, NHS number, email and phone number, and was run on every patient referred to the trust. But people were unaware their data was being shared with the third party, sparking a backlash that led the trust to set up an independent inquiry and cut its ties with Experian.
In response to questions about what data is collected, how it is stored, and whether it shares information with third parties, a spokesperson for the company said: “TransUnion is supporting the NHS response to the COVID-19 pandemic in its provision of testing kits to key workers, and others, that have shown symptoms of COVID-19.
“TransUnion is conducting stringent identity checks on behalf of the NHS to help ensure testing kits are sent to the correct recipients and to minimise the risk of fraud. The identity verification uses information from an individual’s credit report. TransUnion does not collect or retain data on individuals that book tests, other than a record of processing.”
The Department of Health and Social Care refused to answer questions on the length and nature of the contract, when it was awarded, or how it was tendered. A spokesperson, however, defended the department’s procurement practices and offered assurances that due diligence had been done.
They said: “Appropriate checks were undertaken and the contract will be published in due course on Contracts Finder.”