NHS data grab

"NHS data grab" is the UK civil-society framing applied to a succession of government and commercial-technology programmes that extracted NHS patient health records without adequate public consent — from the care.data debacle (2013–2016) through the General Practice Data for Planning and Research (GPDPR) controversy (2021) to the Palantir Federated Data Platform procurement (2023). The label characterises NHS health data as being taken from a uniquely trusted public institution and handed to commercial and government actors without a meaningful consent process, and frames patients as the rightful holders of data sovereignty over their own medical records. Its political claim: that NHS patient data is a public asset built on patients' trust in the healthcare system, and that its commercial extraction is a breach of that trust requiring democratic accountability, not merely technical safeguards. Across three distinct procurement episodes, the framing succeeded in forcing government delays, public opt-out mechanisms, legal concessions, and — in 2021 — the indefinite suspension of a programme covering 55 million patients.

Origin

The framing's roots lie in care.data, a programme announced by NHS England in spring 2013 to extract patients' entire GP records via the General Practice Extraction Service, link them with NHS hospital data, and make them available to external organisations for research and commercial use. Initial public communication was minimal — a poster in GP surgeries and an unaddressed leaflet distributed alongside pizza advertisements — and medConfidential, a campaign organisation founded specifically to defend patient confidentiality and consent in NHS data sharing, became the primary opposition voice. The programme's problems accumulated quickly. Freedom of Information requests revealed that NHS officials' claim of a perfect 25-year data-safety record was contradicted by annual data losses. Within 48 hours of NHS assurances that insurers would have no access to GP data, insurers published reports using data from predecessor bodies. A BBC Today Programme head-to-head between NHS England and medConfidential brought the dispute to a national audience. Parliamentary scrutiny intensified; the Health Select Committee's review was highly critical; Parliament restricted the Care Act 2014 to limit data use to healthcare provision or health promotion; and Dame Fiona Caldicott was appointed National Data Guardian in November 2014. care.data was formally cancelled on 6 July 2016, having cost approximately £8.1 million and generated around 1.5 million opt-outs.

The phrase "NHS data grab" entered mainstream discourse in May 2021 with the announcement of the GPDPR programme. NHS Digital published the programme's documentation the morning after the Queen's Speech — in which the programme went unmentioned — and set an initial opt-out deadline of 23 June 2021. medConfidential's coordinator Phil Booth characterised it publicly as "the biggest data grab in NHS history" and "even bigger than care.data": "It's more data, more breadth, more depth — it's the whole fucking deal." Booth noted that NHS Digital had timed the announcement deliberately: "They learned last time that it's the publicity that kills them." The framing spread immediately through The Register, the New Statesman, openDemocracy, and across civil society. The GPDPR would consolidate cradle-to-grave records for 55 million GP patients in England — including diagnoses, symptoms, medications, mental health history, sexual health information, and demographic data on sex, ethnicity, and sexual orientation — and make them available to unnamed third parties including commercial companies. Booth described the linked hospital-plus-GP dataset as potentially "the single most valuable data asset on the planet."

The core argument

The framing makes a structural claim that distinguishes it from generic data-privacy concerns. NHS patient data is not ordinary consumer data: it is collected on the basis of patients' trust in a public healthcare institution, often disclosed under conditions of vulnerability and necessity, and carries categories of sensitivity — mental health history, sexual orientation, reproductive choices, chronic illness — that no patient would share voluntarily with a commercial firm. Extracting this data and making it available to commercial third parties reverses the terms of that trust without the patient's knowledge or meaningful consent.

The framing further argues that pseudonymisation — the NHS's claimed privacy safeguard — provides insufficient protection. The GPDPR data was not anonymised; it was pseudonymised, with identifiers replaced by codes, and the combination of clinical, demographic, and temporal data creates re-identification risk that a chronically under-resourced Information Commissioner's Office cannot reliably prevent. Foxglove's July 2021 public explainer noted that this pseudonymised / anonymous distinction was being collapsed in official communications to produce a false assurance. It pointed to the openSafely platform — which analyses GP data within the NHS systems where it is held, without centralising records — as evidence that research utility and patient privacy were not in fundamental tension: the trade-off was a design choice, not an engineering necessity.

A third strand of the framing targeted the specific commercial actors, particularly Palantir. NHS England contracted Palantir to build and operate the NHS Covid-19 Datastore in March 2020 for £23 million; a December 2020 extension widened the contract to cover Brexit and general business planning, far beyond the initial emergency remit. openDemocracy and Foxglove initiated legal proceedings in February 2021, arguing that introducing a company whose prior commercial history was in law enforcement and border surveillance into the NHS data pipeline "risked exacerbating the trust deficit in these communities when the government needs it most" — implicating vaccine hesitancy in marginalised communities as a downstream consequence of data-trust erosion. Facing the lawsuit, the government conceded: it agreed not to extend Palantir's NHS role beyond pandemic use without public consultation and a new data-protection impact assessment.

The DeepMind episode a decade earlier had set the precedent. In 2015, Royal Free NHS Trust London transferred approximately 1.6 million patient records to Google DeepMind for the Streams app, an acute kidney failure alert system. In July 2017, the Information Commissioner's Office ruled the transfer unlawful under the Data Protection Act 1998: data subjects had not been adequately informed the processing was taking place, and the "direct care" justification deployed by the Royal Free did not hold for data processing conducted at the scale and scope of the DeepMind arrangement. No fine was imposed. Civil-society groups, including Privacy International, catalogued the ruling as a canonical precedent for the gap between the NHS's stated data-governance commitments and its operational practice.

Propagation

The 2021 GPDPR campaign produced the framing's most visible result. The government postponed the original 1 July 2021 start date — first to 1 September, then indefinitely — as more than one million people filed opt-outs and Royal Colleges, medical associations, and civil society organisations amplified the campaign. The government's response also named the framing's political contest directly: Health Secretary Matt Hancock launched a campaign called "Data Saves Lives" in June 2021, positioning data sharing as beneficial medical research. The choice to counter-brand rather than engage the consent and transparency arguments was itself read by civil society as confirmation that the government had no procedural defence of the GPDPR's notice mechanisms.

The 2022 "Data Saves Lives" strategy, produced jointly by the Department of Health and Social Care and NHS England, acknowledged explicitly that the government had made a mistake in 2021 by not doing enough to explain the GPDPR to the public, and proposed a public trust-rebuilding pact: a new transparency statement, information-governance frameworks, and a commitment to ongoing engagement with civil society. The strategy's own existence validated the framing's central premise — that trust had been lost and needed active rebuilding, which implied it had been squandered.

The Palantir thread continued to generate pressure. In November 2023, Foxglove — working alongside Just Treatment, the Doctors' Association UK, and the National Pensioners Convention — sent a letter before claim challenging the £330 million NHS Federated Data Platform contract awarded to Palantir, arguing that the government had no legal basis to proceed without returning to Parliament to account for how data would flow under the contract while complying with existing law. Health Service Journal data showing that only 8 of 36 pilot sites had reported any benefit from the platform added a value-for-money strand to the legal challenge. The Health Secretary's public statements about patient opt-outs had been inconsistent and contradictory, and concerns about potential data access by the Home Office and the Department for Work and Pensions — for purposes with no direct healthcare rationale — raised the prospect that NHS patient records could be used to identify benefit claimants or undocumented migrants.

Why it has carried

The framing has proven durable across three distinct procurement controversies separated by nearly a decade because it anchors a structural argument, not a technical one, about what NHS data is and who it belongs to. Each new programme provided fresh evidence for the same underlying claim: that the NHS and government would attempt to extract patient records without adequate public notice, and that only sustained external pressure from civil society, legal action, and organised opt-outs would force accountability.

The framing also travels across registers in a way that adjacent framings do not. "Data colonialism" and "data is a civil rights issue" describe related structural dynamics but require translation between registers — civil rights law, postcolonial theory, platform economics — that narrows their immediate political audience. "NHS data grab" does not: the NHS is the institution that every person in England interacts with under conditions of vulnerability, and "grab" is a verb that names an action with a victim. The phrase requires no specialist vocabulary to understand and no ideological frame to find offensive. The opt-out mechanism its campaigns produced — the National Data Opt-Out — means the framing has a concrete, actionable channel that channels political concern into a durable administrative protection.

The pattern of government concession rather than persuasion has also sustained the framing. Had any of the three major episodes resulted in a credible public process at the outset — genuine prior consultation, clear consent mechanisms, transparent governance of commercial access — the framing would have had no grip. Instead, each episode followed the same sequence: announced without public consultation, framed as technical or procedural rather than political, labelled a data grab by civil society, delayed or modified under pressure. That structural repetition is itself an argument: not that any specific programme was malicious, but that the institutional default was extraction first, consent later, and that the framing named something real about how UK health data governance worked in practice.