Covid-19 is a pandemic – not a terrorism threat. So where’s the public health response?

Containment and suppression of Covid 19 outbreaks require a public health response – so why the involvement of Strategic Command and Home Office counter-terrorism surveillance?

Since Boris Johnson’s televised statement on Sunday 10 May , the government’s Covid19 response has decisively shifted to biosecurity and surveillance state methods.

Even before then, the government had outsourced the surveillance data mining and processing that underpins these methods to global, profiteering American companies.

This has implications for USA-UK trade talks – where the NHS is undoubtedly on the table, despite government protestations to the contrary. With these USA companies installed at the heart of the UK’s now interlocking health and anti-terrorism security services, it will be next to impossible for the trade talks to protect the NHS’s unique database of 55 million patient records from US companies’ access.

Please support Open Democracy/Foxglove’s legal challenge to secrecy surrounding NHS data deals with private companies (Update: on 5th June, hours before openDemocracy was due to sue, the government released massive data-sharing contracts with Amazon, Microsoft, Google, Faculty and Palantir.)

Over the past week, considerable public anger has erupted about the national test and trace service and its obvious shortcomings. There is growing evidence on social media of people’s unwillingness to take part in it.

This is not just the result of the government’s blatant betrayal of the public’s trust, by failing to hold Dominic Cummings to the same standards as the public – who have stayed home for each other, with much hardship for months now, to stop the spread of Covid 19.

The largely privatised test/trace service is a civil liberties nightmare – as well as a costly shambles

The government’s response to the Covid 19 pandemic has been cut from disaster capitalism’s cloth. It has seized the opportunity to hand the great wealth and public good of NHS data to global – largely American – companies, after a decade of running down public health services.

And in the rush to centralise and privatise their response to the pandemic, the government have diverted key resources away from public health.

It has done so with little regard for the privacy and rights of the patients whose personal data the government is funnelling to private companies – many with a terrible record in the provision of public services and others with strong links to the military and security services.

Public Health England is to hold people’s identifiable data from the national test and trace scheme for 20 years for people with COVID-19 symptoms, and 5 years for their contacts who remain symptom-free. (Update 3 July 2020 – the 20 years has now been reduced to 8 years. The new Privacy Notice also lists people’s rights as data subjects.) Public Health England also has special permission from the Secretary of State for Health and Social Care to use personally identifiable information without people’s consent where this is in the public interest.

How does this data grab comply with Public Health England’s own Personal Information Charter? It says,

“If we ask for your personal information we will: only ask for what we need, let you know why we need it…only keep it for as long as we need to.”

Public Health England has also launched the national test and trace system without carrying out the mandatory data protection impact assessment. According to data rights lawyer Ravi Naik, this raises concerns that U.K. authorities have not fully addressed the potential privacy implications. It could also open up the contact-tracing system to potential legal challenges. The Information Commissioner’s Office @ICOnews tweeted on 29 May,

“We are in contact with Public Health England and other organisations to understand more about how the test and trace system will ensure the protection of people’s personal data.”

Test data from the Deloitte-managed drive-through testing sites is centrally collected and is so far failing to reach local Public Health directors and GPs, who currently receive no information about test results in their practice areas.

In addition, the Deloitte testing sites, which are operated by the army and private contractors acting independently of the NHS, have failed to record individual NHS numbers or full addresses of 350K people who’ve self-swabbed. This means that while individuals receive their results, their doctors are not automatically notified.

The UK government’s Covid 19 alert system uses biosecurity methods derived from terrorism prevention and surveillance

The new Joint Biosecurity Centre, set up to operate the 5 scale Covid-19 alert system based on the anti-terrorism security system, is run out of the Cabinet Office. It was first headed by a senior Home Office counter-terrorism official with no obvious scientific background – Tim Hurd. In June the government announced that Dr Clare Gardiner, a director at the National Cyber Security Centre with a background in medical statistics and epidemiology, would head up the centre.

It is taking over responsibility for managing the low profile alert system that was previously run by Public Health England. So far it seems unclear what the Joint Biosecurity Centre’s “independent analytical function” is going to be.

Politicians such as the Green Party Co-Leader Jonathan Bartley have asked Matt Hancock to explain how the Joint Biosecurity Centre will be politically accountable, who its members are and the basis for their selection.

The Institute of Government thinks that the Joint Biosecurity Centre’ will take the place of SAGE in supplying govt with scientific advice.

Carole Cadwalladr has tweeted,

“This is deeply deeply worrying. No transparency, oversight, accountability.

“Why are the security services involved? Why based in Cabinet Office? Will independent scientists have access to this data? Why did Cummings/Gove need to appoint their cronies to oversee it? What does any of this mean for SAGE? And these are just the first questions.

“Remember there is zero transparency into the heart of govt. But Cummings made clear his condition of entering govt was to smash the civil service & reshape it in his image. The Cabinet Office is where it begins. This whole project screams of an executive landgrab.”

The consequences of Cummings’ “executive landgrab” look dire. On 31 May, former Green MEP Molly Scott Cato tweeted:

Update: By October 2020, the Joint Biosecurity Centre had fallen foul of MPs’ and scientists’ calls to end the secrecy of its data and recommendations that were driving government decisions over local lockdowns affecting millions of people.

Scientists including Professors Allyson Pollock and Deenan Pillay criticised the set up of another structure outside the NHS and Public Health England, when they say what is needed is better investment in local and regional public health.

Update 28.11.2020 The Joint Biosecurity Centre webpage now includes information about its membership and governance and how it works with national and local organisations. It also says, “The JBC complements the work of the Scientific Advisory Group for Emergencies (SAGE), supporting its scientific consensus with operational capability…” At the bottom of the webpage it links to Coronavirus cases by local authority epidemiological data and Coronavirus cases in England: 26 November 2020.

Professor Pollock has also criticised the emphasis on biosecurity rather than epidemiology.

(As far as I can figure out, the key distinction seems to be that the biosecurity approach to infectious disease control emphasises mechanistic methods based on controlling and recording people’s movements – while epidemiology has a wider focus:

“Epidemiology is the study of how often diseases occur in different groups of people and why.”

So epidemiology seems to include identifying the social and environmental determinants of the spread of infectious diseases, in order to mitigate them and reduce inequalities that lead to greater burdens on vulnerable communities.)

Epidemiological data about the spread of disease is surely pretty useless without effective public health interventions to stop it?


The Joint Biosecurity Centre became part of the UK Health Security Agency on its establishment on 1 April 2021.

Gabriel Scally, Visiting Public Health Professor, described the government’s creation of the new agency as a “concerning shift”. Abandoning a previous commitment to replace Public Health England with a National Institute of Public Health, that would work closely with Councils and their Directors of Public Health on a “local first” approach, the UK Health Security Agency was to

“be part of the UK’s national infrastructure and security system…[with] a core function in driving economic growth as an integral part of what politicians term ‘UK plc.’ In particular, it is envisaged as ‘acting as an engine’ for the life sciences and diagnostics industry.

BMJ 2021;373:n875

Against background of growth of medical-industrial complex, the UKHSA looks like a further step in the growth of a centralised, secretive state apparatus in bed with corporate interests

Gabriel Scally’s BMJ article continues:

“The emergence of a powerful medical-industrial complex was first described in the US in the 1960s. In the UK, the influence of this sector of the economy increased after 2010 as it took advantage of the contracting of core NHS services to the private sector. In its pandemic response, the government pivoted away from public health and NHS functions and organisations. Taking advantage of the emergency to dispense with normal tendering and contracting procedures, funding on a colossal scale was passed to the private sector. Similarly, in data analytics, the government has engaged state security organisations and the private sector to provide crucial information on covid-19.7 Against this background, it is likely that the creation of UKHSA will be seen by many as a further step in the growth of a centralised and secretive state apparatus with the close engagement of private sector interests.

“The development of a powerful health security organisation under direct ministerial control will also be in keeping with the libertarian political view that regards anything to do with promoting public health as an act of the “nanny state” and an assault on the freedoms of business and individuals. A UKHSA focused away from important problems—such as non-communicable disease and the stalled improvement in life expectancy—and towards the perceived external threat to the country of novel infectious diseases, can only further weaken the response to the poor overall health status of the UK.”

Project Oasis – Strategic Command and NHSx are data mining 3rd party symptom checker apps

The government has recently commissioned Strategic Command’s innovation hub, jHub, to work with NHSX to securely gather and share COVID-19 symptom data for project OASIS. Project Oasis is to facilitate the secure transfer of relevant symptom and epidemiology data from the third party COVID-19 apps to NHSX. (This is the non-statutory body set up in 2018 by Matt Hancock, the Secretary of State, in order to speed up the adoption of digital technology by the NHS.)

Update 9.5.22 NHSX has been merged with NHS England. It seems that the remnant of NHSX has now become a “Joint Unit” that will “serve as both strategy and policy team of the new transformation directorate in NHS England, and as the digital transformation directorate of DHSC”, according to a Health Service Journal report.

Data from 3rd party Covid-19 symptom tracker apps that are sent to jHub may include “ information which may inadvertently identify users”. jHub is to remove such data, ensuring that only symptom and demographic data is sent on to NHSX.

To the best of our knowledge, thousands of Calderdale people who’ve been sending their symptoms status info to the Join Zoe app were not aware that this would be passed on to a data hub run by the Ministry of Defence and Strategic Command. But Join Zoe is listed among the 3rd party apps that are sending Covid 19 symptom data Project Oasis – under the app’s former name: “C-19 COVID Symptom Study provided by the BREATHE Health Data Research Hub for Respiratory Health, in partnership with its trusted research environment, the SAIL Databank”.

With 3.7m symptom-checking “contributors”, Join.Zoe is probably the largest dataset in Project Oasis. Its privacy policy says “A full list of institutions we’ve shared data with can be found at the bottom of this page”, but the list doesn’t include jHub or the MOD.

Public spirited people may respond to this information by saying they don’t mind their info being used by NHSX if it provides any assistance in tracking the virus.

But the worry is that it’s not just NHSx (a non-statutory body) that has access to the data, it’s the Ministry of Defence and Strategic Command.

The pandemic is not a terrorism threat. Responding as if it is – rather than using the tried and tested epidemiological/public health approach to containing and suppressing infection- means a big expansion of the security/surveillance state, and the likelihood of failure in containing/suppressing Covid19.

Implications for UK-USA trade talks

There are significant implications for the UK-USA trade negotiations – where the NHS is undoubtedly on the table, despite government protestations that it isn’t,

To set up this “biosecurity” system, the UK government has paid global American companies untold sums of public money via secret contracts that have not been awarded on the basis of public tenders.

In this way, the government has enabled global USA digital companies to entrench themselves at the heart of the NHS data system. They are profiteering from the pandemic and the wealth of public data the NHS holds.

Not only that – the government is now enmeshing our health data with Home Office and MOD security/terrorism data.

Public data in my view is a common good. Its processing should not be privatised and turned into a source of profit. It should not be handed over to the Military and anti-terrorism surveillance services in the Home Office. And it certainly should not be a bargaining chip in USA-UK trade talks.

Think of chlorinated chickens and lower food standards and then think what could happen to our precious 72 years of population wide health data.

An unwieldy privatised test and trace system

Rather than build up the tried and tested public health infection control services, the government has set up an unwieldy, largely privatised system with unclear lines of accountability and almost zero public transparency.

As ck999 has already reported, key elements of the national test and trace system have been contracted to the management consultancy Deloitte, Serco, G4S, and Amazon. Some of these companies have poor track records, to say the least, in delivering public services.

And the NHSX Covid19 contact tracing app, which comes with significant data protection issues, has been developed with involvement from Faculty, a data company owned by Mark Warner. (His brother Ben was a principal at Faculty when the company worked with Dominic Cummings on the Vote Leave campaign – which broke electoral law. Ben Warner is now a ‘data scientist’ adviser to Johnson, still working alongside Cummings.)

However, on 6th May, Faculty took to twitter to say they were not involved in the development of the NHSX contact tracing app. All they had done was work with Oxford Big Data Institute out of the goodness of their hearts to build free, open source software.

However, it seems questionable that the NHSx app is really an open source project. A comment on the NHSX github page says:

“It seems that only the first version has been published, no updates have been merged (even when they have been released). I think its obvious this is just a repo they put the code in and actual code base is elsewhere.
For all we know there could be numerous security bugs or additional permission/data collected that no-one knows about. Just as bad people nay [sic] be putting effort into reviewing code that is not actually there/used anymore.”

Secretive NHSx Covid-19 data store

Faculty – a member of the Digital Economic Advisory Council which advises the government on digital, data and artificial intelligence – is also creating and managing the controversial, secretive NHSx Covid-19 data store together with Palantir (the US data-mining firm founded by close Trump ally Peter Thiel).

It seems the Palantir Foundry platform is key to the NHSx Covid-19 data store.

Palantir is best known for supporting the CIA’s counterinsurgency and intelligence operations in Iraq and Afghanistan. In 2019 Immigrant rights group Mijente criticised the company for assisting US Immigration and Customs Enforcement’s brutal regime of deportations. 

Palantir has won similar COVID-data contracts in the US worth millions of dollars; however the firm is reportedly working on the NHSX Covid 19 data store for £1. Why?

(Update 15 July: Palantir’s original contract ran out on June 11th. Today (15 July) NHS England confirmed the contract has been extended for four months and Palentir is to receive £1m. As part of the new deal, NS Tech reports that NHS England has told Palantir to “package up the work they’ve been doing so the service can go out to tender in an open procurement process”. Apparently when the project goes to competitive tender, it could be worth several million pounds; Palantir has recently signed a coronavirus-related deal with the US Department of Health and Human Services for $17.3m.)

A dozen groups including Liberty and medConfidential have written to Matt Hancock demanding answers about the government’s plans for the Covid-19 datastore.

Update: On 5th June, hours before openDemocracy and Foxglove were due to sue, the government released massive data-sharing contracts with Amazon, Microsoft, Google, Faculty and Palantir.

The Cummings connection

The Prime Minister’s ‘adviser’ Dominic Cummings was instrumental in assembling the corporations that are running NHSX’s Covid-19 data store. He chaired the meeting of digital technology companies summoned to Downing street by Boris Johnson on 11 March.

Then on 28th March, the NHSx CEO, Matthew Gould, invoked the usual Disaster Capitalist rationale for effective privatisation of the NHSx data store:

“In this time of crisis, we need the private sector to play its part to tackle these unprecedented challenges. We have therefore enlisted the help of some of the most cutting edge and experienced firms from across Britain’s technology sector.”

In fact, Faculty is the only British company listed among the American companies – Microsoft, Amazon Web Services, Google and Palantir.

The company is reported to have already won seven government contracts worth almost £1m in 18 months. Why did this firm get picked for the big NHS datastore, and what role is it playing?

Covid-19 data store is key to managing NHS hospitals

The NHSx data store processes and consolidates data from across the NHS and social care and “partner” organisations- including 111 online/call centre data from NHS Digital and Covid-19 test result data from Public Health England. 

Its purpose is to prevent the NHS from being overwhelmed during outbreaks of Covid 19. Live data track the spread of Covid19, and the NHS capacity to deal with it – measured by, for example, by:

  • Occupancy levels at hospitals, broken down by general beds and specialist and/or critical care beds
  • Current capacity of A&E departments and current waiting times
  • Statistics about the lengths of stay for Covid-19 patients

The New Statesman reports that the data is also key to decision-making about when the government will allow the NHS to start performing elective care again. Here’s the list of datasets being used in the NHS Covid-19 datastore, and their sources.

How can the government pretend that paying global corporations to carry out blatant data grabs of the public’s data is in anyway an effective or appropriate response to the Covid19 pandemic?

Whether that response involves managing the resources of NHS hospitals – or containing and suppressing outbreaks of Covid 19 in order to avoid a second wave of infection?


7.1.2020 – Information added about the appointment of Dr Clare Gardiner, a director at the National Cyber Security Centre, as new head of the Joint Biosecurity Centre.

29.6.2022 – The Good Law Project reports that it looks likely the Government will be forced to come clean over companies handed VIP Test and Trace contracts.

50 companies with close links to Ministers, Peers and Government officials were given access to a priority route through which they secured lucrative Covid testing contracts. But, shockingly, the Government has refused to come clean over which firms profited.

Now, following the Good Law Project’s long Freedom of Information battle, the UK Health Security Agency (UKHSA), which took over responsibility for the testing regime, has finally confirmed that it is making contact with the 50 ‘VIP’ firms in order to answer their request.

The Good Law Project have replied to the UKHSA, calling on them to publish both the names of companies who received priority treatment and the names of those who referred them.

The Good Law Project expect to hear back by 5 July and will publish their response, along with, we hope, the names of the 50 further VIPs.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.