Hello again,

Another week with the NHS as our top story, and it's not a good one. We look at the extraordinary access American firm Palantir has been given to patient data, and what you might be able to do about it.

Elsewhere, we check back in on how the EU is treating Open Source Software (well), and debunk the idea that ChatGPT is good for education. In case anyone still thought that...

And for our blog spotlight this week, we look at "neuromaxxing". No, me neither...

And as a special treat, this week we take a leaf out of Columbo's book, and have a "just one more thing" section. Read through to find out more (or, I guess, just scroll right down to the bottom).

Let's dig in...

Top Story

🔍 NHS England confirms: Palantir staff can access patient data

A quick summary

A recent change in policy means that Palantir staff will now be able to request access to un-anonymised patient data from across the NHS.

...I'm sorry, what?

To be honest, there isn't much else to say on this story beyond what’s covered in the article. Palantir, who you'll remember from previous editions of the newsletter (most notably, LT3 #23), have been given even more access than they used to have.

The NHS stresses that any individual with this level of access to your data will have to "have government security clearance and be approved by a member of NHS England staff at director level or above". Which is calming in the same way that I imagine wearing a seatbelt is calming as you purposely drive at high speed headlong into a wall. Sure, it's good you're wearing the seatbelt. But you should always have been wearing the seatbelt. And actually in this particular case, there's only so much the seatbelt can do to protect you.

How are they allowed to do this?

Well, it depends who you ask. But the thing is, between the government and the National Health Service, there are a number of legal tools they can use to justify this. I believe though, that they are leaning on a relatively new change to data privacy laws.

Last year saw the Data (Use and Access) Act 2025, and with it a series of changes to the way organisations in the UK have to manage data. While there was a lot of tightening of legislation, there was one key difference that, at the time, flew largely under the radar. My fellow data privacy nerds will be familiar with Article 6 of UK GDPR, which lays out the lawful bases under which one can collect and process individuals' data. Previously, there were 6 of these, but the DUAA introduced a 7th lawful basis: "recognised legitimate interests", which includes the language: "sharing personal information with an organisation that needs it for their public task or function at their request".

I'm not an NHS lawyer, but if I were, I imagine I could make a fairly strong case in favour of Palantir's work being a "public task", what with the NHS being a public body. Between that and the "assurance" that only appropriate people will see this data, the government and the NHS can pretty much do whatever they want here.

Is there anything I can do?

If you hate this (and there's a reasonable chance that, as a subscriber to this newsletter, you do), there are two things you can try:

1. You can request that your data not be used for research and planning, which you do by following this online process. A word of warning though: removing your consent for your data to be used doesn't necessarily mean the NHS has to honour it in this case. If the NHS is using the new lawful basis to allow Palantir access, then they don't actually need your consent to do that. But it might be worth a try.

2. The second thing is to get in touch with your local MP, councillors, anyone with government lines of communication. You can find out who your representatives at the local council and MP levels are at https://www.writetothem.com/. Write to them and express your concern.

What else is happening in the world of tech?

💰 KDE gets €1.2m

KDE is a free software community that is probably most known for its "Plasma" desktop environment and widgets for Linux-based operating systems. In other words, the bit that makes Operating Systems like Ubuntu way more user friendly.

This week it was announced that they were receiving a €1.28m grant from the Sovereign Tech Fund. This money is coming from the German government, and is one of the latest moves by an EU entity to bolster their support for Open Source tech. Germany is doing a lot of this of late. You may remember a little while ago we spoke about the open source .odf file type being only one of two document types allowed by German public institutions - reducing the hold that the likes of Microsoft and its suite has on office life.

And speaking of reducing the hold of the likes of Microsoft...

🚫 Europe is moving to block Microsoft, Amazon, and Google from handling government health, financial, and legal data

A few weeks back, our top story was the EU's growing fatigue with American big tech (LT3 #25). Well in a report from CNBC, it seems as though that fatigue is about to become policy.

The incoming "Tech Sovereignty Package", if passed, would put considerable restrictions on the use of American tech companies like Amazon, Google, and Microsoft to process individuals' data. Private companies in the EU can still do largely as they please, but public bodies would be banned from allowing sensitive data (including personally identifiable data and special category data under GDPR) to be handled by foreign (read: American) companies. Such organisations would likely have a period of time before they would need to look for other, domestic, places to store and process their data.

In other words, the exact opposite of what our government is running towards over here.

🏫 Influential study touting ChatGPT in education retracted over red flags

In a study published a year ago this week, it was claimed that using ChatGPT "has a large positive impact on improving learning performance". Since its publication, the study has been cited over 500 times across both peer-reviewed and non-peer-reviewed papers, including the likes of Nature. Perhaps unsurprisingly, it also ranks in the top 99th percentile of journal articles for online attention.

Trouble is, the report has now been retracted. As a meta analysis of 51 other studies, it turns out that some of those studies were themselves poorly run. Additionally, the findings mixed together different studies in a way that made it very difficult to verify large portions of the findings.

“In some cases it appears it was synthesizing very poor quality studies, or mixing together findings from studies that simply cannot be accurately compared due to very different methods, populations and samples,”

Unfortunately, as with many things on the internet, the retraction is not likely to make much of a difference to the reputation of a study that is still being regularly cited today. But you now know, at least!

Blog spotlight

🧠 Neuromaxxing

In last week's blog spotlight week we talked about the burnout that AI can cause. Since reading that blog, I've been seeing more and more takes like that. If I didn't know better, I'd say my social media algorithm has me pegged. But I'm over on Mastodon, and there is no algorithm, so maybe this is just a sign of the times.

Anyway, after a delightfully cringe opening, Jared goes on to layout just how much the mental load of constantly carrying all of human information on a glass slate in your pocket weighs a person down. I think it says something that even self confessed nerds are taking a beat.

Give it a read!

Just one more thing...

This week someone on my social media shared taken, the latest project from sinceyouarrived.world, and I've been obsessed with it since. It is a very striking look at some of the data websites can capture about you, before you even get to look at cookie policies, or consent dialog boxes. I won't spoil too much here, but have a look for yourselves, and have a think about the implications.

And we're out! Thanks as ever for reading, and have a great rest of your week.

Will