Alarm bells ought to have rung when it emerged last month that Palantir engineers could gain “unlimited access” to identifiable NHS patient data. Such sensitive medical information was only supposed to be available either to someone involved in a patient’s care or with the patient’s informed consent. NHS England’s new position appears to have changed that, extending access to private companies because it may make data processing easier. Convenience is not a basis for undermining medical confidentiality.

Nicola Byrne, the government’s national data guardian, clearly thought the NHS had broken its promise that its £330m deal with Palantir would see “identifiable patient information … limited to NHS staff with a legitimate need”. Patients tell doctors things they may tell no one else. If they think that sensitive details can be disclosed to US tech corporations, trust will suffer – and patients will say less when the truth matters most.

This risk helps explain why MPs on parliament’s science, innovation and technology committee warned this week that Palantir had become an “unacceptable point of weakness”. The business model is simple. Britain supplies the raw material: NHS patient data. Silicon Valley monetises it. The problem is that the benefits – better models, new products – accrue not to the British public, but to US shareholders.

The MPs also argued that Palantir is not just another software firm. In the US it has worked with the military and immigration authorities on controversial programmes. Its co-founder, Peter Thiel, the committee noted, has disparaged the idea of a national health service. The report recommends that ministers should activate the February 2027 break clause in its £330m NHS Palantir contract – ending its relationship with the company and moving to either an in-house or UK-owned provider. The government should heed this advice.

The committee ought to be thanked for making it clear that this is no one-off scandal, but part of a wider pattern. Public bodies, it warns, have become dependent on a few powerful technology companies which the state lacks the capacity to challenge or replace. Officials often struggle to understand the systems they buy. Allowing critical public infrastructure to rest on foreign-owned platforms undermines state autonomy. Accountability is blurred when decisions on data access and procurement are buried in technical briefings and dense contracts.

This is especially concerning when assessing the government’s claim that a new £1.8bn digital ID system would make “public services quicker, easier and more secure to access”. Given the chequered history of big government IT projects, it is unsurprising that the committee is sceptical of its successful launch. Its report, correctly, views mandatory adoption as wrongheaded. The public sector holds citizens’ data on trust, MPs say, “and should therefore hold itself to a higher standard”. With patient data, that seems not to be the case.

Ministers have offered various reasons for digital ID: stopping illegal working, easing access to vehicle records and even checking bin collection days. None has stuck. The deeper problem is that digital transformation is treated as an exercise in efficiency, not one requiring public consent and parliamentary scrutiny. Infrastructure built around a person’s identity must not expand by bureaucratic drift. The committee’s call for separate parliamentary votes on each use of digital ID is the democratic lock missing from the NHS’s Palantir deal.