The NHS has promised transparency in any future deals with US data firm Palantir after the coronavirus pandemic.
It follows a lawsuit by Open Democracy which accused the NHS of “sneaking through” a £23m contract with the firm.
The group said it had won the lawsuit, because "the government finally caved".
But the NHS maintains it always acted legally, and that campaigners dropped the case “when they realised they didn’t have a leg to stand on”.
The lawsuit was withdrawn by Open Democracy and the NHS clarified it would follow the proper process in future.
Palantir helps analyse huge volumes of data generated by governments and businesses, and sorts through the information for useful insights, patterns and connections.
It has frequently been the subject of scrutiny by privacy campaigners.
Founded with support from the US Central Intelligence Agency in 2003, it has been linked to efforts to track undocumented migrant workers in America in recent years.
The deal
Palantir's involvement in the NHS began in March 2020, on a short-term basis, to suggest how best to deploy resources during the coronavirus pandemic.
It analysed a so-called “datastore” of health information where personal details were "pseudonymised, anonymised or aggregated" to protect privacy.
In December, Palantir’s short-term contract was extended for two years.
The contract - seen by the BBC - sets out how the data analysis will be used for insights into dealing with the coronavirus pandemic.
'Mission creep'
One clause also says "the services to be provided by Palantir extend to matters far beyond the response to the Covid-19 pandemic" - including Brexit, NHS workforce plans, and general government business.
Open Democracy, which labels Palantir a "spy-tech" company, argued this clause was "mission creep" and needed public consultation.
The NHS said it would have always followed due process for any non-Covid applications of the data, regardless of a legal challenge.
It did not rule out Palantir using data this way in future.
Impact assessment
The technical complaint was whether a new Data Protection Impact Assessment (DPIA) needed to be done for the revised deal.
A DPIA can involve public consultation, depending on what data is used and how.
One was completed for Palantir's current contract in April last year, and the NHS confirmed it would conduct another if the contract was extended.
“Facing our lawsuit, the government has finally caved,” an Open Democracy blog said.
“They’ve pressed pause, committing not to extend Palantir’s contract beyond Covid without consulting the public.”
'Spurious claim'
But the NHS told the BBC the contract had not been paused, and said proper checks would have always been conducted before extending the parameters of Palantir’s role.
A spokesman said: “Open Democracy have had to drop their court case unilaterally as it was apparent even to them that the NHS has always acted in accordance with its legal responsibilities.
“They, therefore, stood no chance of succeeding in their completely spurious claim… far from 'winning' this case, they had no choice but to drop it when they realised they hadn’t a leg to stand on.”
Data and how to manage and process it has been key to the battle against Covid-19 - just think of the charts shown by Chris Whitty and Sir Patrick Vallance at the Downing Street press conferences, and the government’s insistence that the timetable for easing lockdown is all about data, not dates.
So last spring, when the data about the disease was thin and managing it looked a bit of a nightmare, the government turned to a company that had experience at just this kind of work.
Palantir had already been a supplier to the public sector, notably working for Sunderland council to bring together various streams of data from social services and the police in an efficiency drive. It was also a controversial company, both for its work with ICE, the US border force working to deport undocumented immigrants, and because its founder Peter Thiel was one of the very few Silicon Valley figures to support President Donald Trump.
The government has always insisted that while Palantir’s tools were used to interrogate and understand the mass of data about the virus, the company was not being given any permanent access to sensitive health records, or the ability to use them for other purposes.
The decision to renew the contract with a £23m deal came as no surprise to another supplier of data services to the UK government.
“Once you’re in, you’re in”, he said, making the point that companies often underbid on a first contract just to get a foot in the door.
“You know you're going to get the extensions, the improvements, which will make the whole thing profitable. The system is designed not to change. Colour me not surprised that Palantir got an extension.”