Yes whoever decided to let them do this has a lot of explaining to do. This data should never have left the UK.

If memory serves, this was not kept on NHS hardware or even NHS controlled compute.

Does anyone have a verifiable source for that? It would be extremely controversial if true and even among the big civil liberties and privacy advocacy groups in the UK I have never seen anyone make that claim.

The defence to using Palantir by British government departments and public services has typically been that Palantir only provides the technology and the data itself is still held and processed in the UK under the native organisation's control. Even this is still controversial because of issues like the CLOUD Act and the general reputation of Palantir.

But that is a long way from allowing the mass export of sensitive personal data to a US firm without the data subjects' knowledge or consent. That looks just plain illegal under our existing data protection legislation. Green lighting it - even in the panic phase during COVID - would probably be controversial enough to end a few political careers at least. It might even leave enough of a cloud over the party in government at the time to affect a future election.

"if memory serves" is an interesting way to phrase "I'm just making shit up"