Making the rounds on Twitter is news of the UK government’s release of the “massive data-sharing contracts” that it has entered into with various tech companies, relating to Covid 19.
According to the openDemocracy website, this release occurred only after pressure from openDemocracy, and “hours before” they were due to issue legal proceedings to demand their release.
The web page linked above has on it links to what are said to be the contracts that the UK government released. The contracts are with Google, Faculty, Palantir and Microsoft, respectively. According to openDemocracy, the contracts are concerned with an:
‘unprecedented’ transfer of personal health information of millions of NHS users to these private tech firms.
IP Draughts thought it would be interesting to take a look at these contracts and consider what, if anything, they tell us about the processing of health data, and more generally what they tell us about government contracts.
IP Draughts’ first reaction, having downloaded the four contracts, is “where’s the beef”?
The first contract is with Google, and is described as a “confidentiality and consultancy agreement”. It is 3 pages, plus signatures. It says that Google will:
provide technical, advisory and other support (the ‘Support’) to NHSX [two national NHS bodies and the Department of Health] regarding efforts to tackle COVID-19 (the ‘Project’).
No further details of the Support are given. Clause 5 states, inter alia:
The parties acknowledge and agree that it is not their intention to collect, access, share, use or otherwise process any personal data…
Much of the rest of the contract consists of boilerplate clauses, e.g. on anti-bribery, disclaimer of warranties, etc.
If there is a scandal associated with this contract, it is not evident from the text of the contract.
Faculty is allegedly a company that has connections with Dominic Cummings, and has received several government contracts. OpenDemocracy alleges that the disclosed contract is worth £1M.
The contract is headed with the “Crown Commercial Service” name and logo, and is described as a “G-Cloud 11 Call-Off Contract (version 4)” – whatever that means. It appears to be a typically turgid form of government contract, running to 48 pages. Most of it is boilerplate language.
The “call-off contract value” is stated to be “£930,000 excluding VAT”, and the “call-off contract description” is “provision of strategic support to the NHSX AI Lab”.
The main reference to data in the service description is a phrase (the 7th bullet point of 12 that describe the services) that reads:
Modelling and simulation: using data from across the healthcare system to model scenarios to better understand that impact of the spread of CODIV-19 on healthcare resources
This may or may not involve obtaining personal data from NHS records.
A later [template?] Schedule 1 – Services includes a narrative description of the NHS AI Lab and what it will do, and states that the NHSX “are looking for a partner to help share and deliver the NHS AI Lab”.
These brief descriptions certainly raise the possibility that, in helping to develop the AI Lab, the contractor will have access to personal data, but so far the contract does not say so in terms.
Part B – Terms and Conditions, sets out detailed boilerplate terms for the contract. Clause 12.1 requires the Supplier to
comply with the Buyer’s written instructions and this Call-Off Contract when Processing Buyer Personal Data… [and to] only Process the Buyer Personal Data as necessary for the provision of the G-Cloud Services…
Schedule 6 is a glossary and defines Buyer Personal Data as:
The personal data supplied by the Buyer to the Supplier for purposes of, or in connection with, this Call-Off Contract.
Schedule 7 is headed “GDPR Information” and contains a familiar table that sets out the parties’ legal roles and responsibilities in relation to data processing. It states that NHSX is the Controller and the Supplier is the Processor. Under the heading “Type of Personal Data” it includes:
- Pseudonymised personal data
- Aggregated personal data
Under the heading “Categories of Data Subject” it includes “members of the public” and “patients”.
So, the framework contract contemplates the possibility that the supplier may have access to personal data from NHS patients, but does not explain in detail what the data is and in what circumstances it will be provided and processed.
The Palantir contract is in a similar form to the Faculty contract. In the interests of saving a few Norwegian forests, IP Draughts printed out only the Statement of Work that appeared at the end of the contract. But he did check the contract value, in case this was evidence of a scandal. Disappointingly, the contract value is stated to be £1.
The Statement of Work is written in almost impenetrable jargon, but some phrases look as if they might refer to accessing personal data, including:
Ingestion of mutually agreed data sources and further integration into a data ontology
The Customer is required to provide:
Timely access to or provisioning of relevant data
The “contract” that has been disclosed appears to be a set of standard Microsoft contract terms for various types of standard service, including “Azure Services” and “Office 365 Services”. The document is headed “Volume Licensing: Online Services Terms April 2020”.
The document is only 16 pages long, but this is misleading: they have reduced the font of the text to about 8 point. IP Draughts now has a headache.
IP Draughts is surprised to hear himself say this, but it was refreshing to turn to Microsoft’s turgid contract prose, after wading through the UK government’s very different turgid contract prose.
These terms are very light on the subject of personal data, but they do include a link to a web page where can be found Microsoft’s “Data Protection Addendum”.
Nothing in the Google or Microsoft documents appears to be evidence of a scandal.
Both Faculty and Palantir appear to have been engaged to support the development of a national AI Laboratory. One may speculate that the development of machine learning techniques in relation to Covid 19 – e.g. assessing how patients with a particular genetic sequence are likely to react to infection – could well involve processing personal data. One may also speculate that the UK population would mostly be happy for their personal data to be used, in a suitably controlled way, to support this important work.
Just looking at the contracts, there is very little about the nitty-gritty of GDPR compliance, and one might hope that other documents exist that will address in more detail what information is to be disclosed and how compliance will be ensured.
Is there a public scandal, and are these contracts “massive”? IP Draughts will leave that for others to decide.