[Silhouette]

For general information, the GDPR makes specific provision for processing of personal data in the public interest[1] and in particular for processing of sensitive personal data (including health data) in relation to public health situations[2]. Explicit consent is not necessarily required by the GDPR in such situations[3].

However, there is also an obligation under Article 9 to have "law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy", and more generally the provisions of the GDPR about acceptable processing and protecting data subjects still apply.

Recital 54 also specifically states, "Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies."

So as things stand, it appears that the UK government won't necessarily be in violation of the GDPR by giving personal health data to Palantir, but any processing will only be legal if the required safeguards are explicitly encoded in law and if that data is not being processed by Palantir for any other purposes.

[1] https://gdpr-info.eu/art-6-gdpr/ at 1(e)

[2] https://gdpr-info.eu/art-9-gdpr/ at 2(i)

[3] https://gdpr-info.eu/recitals/no-54/