by catchmilk 2001 days ago
So then the question is justified - how is it that if I go to gov.uk, the first popup I get is whether I accept cookies for data privacy. Yet they will seemingly get to send sensitive NHS data without consulting the respective owners of that information?

I'm certainly not pretending to be anywhere near knowledgeable about the topic, and it would be great to hear from someone who is, but it seems to me that the public has legal GDPR grounds on which to protest this data transfer? I, for one, certainly don't want Palantir holding my data.

4 comments

Well, it’s not clear which datasets Palantir have access to, so I have no idea if this contradicts our data privacy laws or not.
For general information, the GDPR makes specific provision for processing of personal data in the public interest[1] and in particular for processing of sensitive personal data (including health data) in relation to public health situations[2]. Explicit consent is not necessarily required by the GDPR in such situations[3].

However, there is also an obligation under Article 9 to have "law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy", and more generally the provisions of the GDPR about acceptable processing and protecting data subjects still apply.

Recital 54 also specifically states, "Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies."

So as things stand, it appears that the UK government won't necessarily be in violation of the GDPR by giving personal health data to Palantir, but any processing will only be legal if the required safeguards are explicitly encoded in law and if that data is not being processed by Palantir for any other purposes.

[1] https://gdpr-info.eu/art-6-gdpr/ at 1(e)

[2] https://gdpr-info.eu/art-9-gdpr/ at 2(i)

[3] https://gdpr-info.eu/recitals/no-54/

The GDPR requires data controllers to ensure data processors respect GDPR rights, so the public could protest if they don’t think Palantir will do that. But there’s no GDPR provision requiring user consent to a controller’s choice of processors.
> without consulting the respective owners of that information?

What bit of GDPR do you think requires this?