CCG ICO update article
It's been over three months since the GDPR came into force. Here we look at some of the new case law and updated guidance from the ICO regarding data protection issues under the Regulation.
Published 5 October 2018
At NHS Expo 2018, we saw the commitment of the NHS to technology and innovation as a key theme, with the announcement of more funding for Global Digital Exemplar NHS Trusts, further discussions about the art of the possible for the “NHS App”, and the creation of a Health Tech Advisory Board. We have also recently seen the Royal College of Physicians calling on doctors to embrace artificial intelligence, as long as it works for patients, alongside a speech from the Rt Hon Matt Hancock, Secretary of State for Health, confirming a commitment by the NHS to embrace digital first primary care.
The pace of development of data-driven medical technology brings with it a range of opportunities and risks to operators and commissioners considering implementation. On 5 September 2018, the Department of Health and Social Care (“DHSC”) published an initial code of conduct for data-driven health and care technology (“Code”). In this article, we consider the scope of the Code, and its likely impact.
Commissioners of such technology will find the Code a useful aide memoire when undertaking due diligence prior to adoption. It may also serve as a steer to providers as to the types of issues which commissioners may be looking to have covered off.
The current version of the Code can be found here, although the DHSC wants the Code to be co-designed with relevant stakeholders and so there is an opportunity to comment on its contents (by way of questionnaire) with a view to re-publishing an updated version in December.
The ultimate aim is for the Code to become a "collaboratively agreed standard for technology partnerships". The Code will initially be voluntary; the DHSC hopes that signing up to it will become attractive to technology providers as demonstrative of their "world-leading approach".
The approach of the Code is to set out:
- 10 key principles for safe and effective digital innovations, and
- 5 commitments from the government with a view to ensuring that the health and care system is in a position to take advantage of new technology at scale.
The principles are as follows, along with our views as to how they may be relevant from a commissioning perspective:
1. Define the user - have steps been taken to identify the ultimate user of the technology in question, and as a result their specific needs?
2. Define the value proposition – what particular added value, for instance in respect of KPIs, cost savings and better outcomes for patients, will the technology deliver?
3. Be fair, transparent and accountable about what data is being used – what steps have been taken to ensure compliance with the stringent requirements of the GDPR and Data Protection Act 2018 in respect of any personal data used by the technology?
4. Use data that is proportionate to the identified user need - does the technology ensure that it does not disproportionately infringe individuals' rights, by only using personal data to the extent that it is necessary to do so?
5. Make use of open standards – is there evidence of the technology having taken active steps to ensure compliance with widely published data, clinical and interoperability standards for health and social care data? This would include guidance from NHS England, NHS Digital and the Department of Health and Social Care.
6. Be transparent to the limitations of the data used – how does the technology work to detect and eradicate anomalies? Specific attention should be paid to the NHS England, UK Statistics Authority, and National Institutes of Health (US) guidance on data quality.
7. Make security integral to the design - is security an inherent and fundamental part of the technology? All organisations with access to NHS patient data and systems must complete NHS Digital's new Data Security and Protection Toolkit with a view to demonstrating that they are actively practising good data security.
8. Define the commercial strategy - this is primarily aimed at commissioners, which the Code suggests should develop a clear idea of the vision in terms of the use of technology before engaging with industry.
9. Show evidence of effectiveness for the intended use - there is a tiered system of evidential requirements depending on the potential impact and harm of the technology in question. This is still under development under the Evidence for Effectiveness project, which is being worked on by the DHSC, NICE, Public Health England and Academic Health Science Networks, with leadership by NHS England.
10. Show the type of algorithm being developed or deployed, the evidence base for using that algorithm, how performance will be monitored on an ongoing basis and how performance will be validated - is there transparency and openness such that commissioners can understand why a decision was made or not made by the clinical decision support system/algorithm, the level of clinical and model evaluation, the accreditation of the algorithm, why an error may occur, etc.?
The Code also contains 5 broad commitments from the government designed to promote the use of technology in the health sector. In very brief terms, they are to:
1. Simplify the regulatory and funding landscape;
2. Create an environment that enables experimentation;
3. Encourage the system to adopt innovation;
4. Improve interoperability and openness; and
5. Listen to users.
The Code is currently voluntary, and the DHSC has invited feedback from stakeholders, with a view to updating the Code in December 2018. The development of the Code depends upon the engagement of industry and those in the health and care sector to help shape it – including commissioners. The way that the Code is enforced will be critical to its success. It may be the case that we see obligations to adhere to the Code being included in standard contractual documentation where, for example, the NHS engages data-driven technology providers in due course.
In our work on integration projects in the health and social care sector, we see huge potential benefits of the use of data-driven technology, whether this relates to enabling risk stratification in a population health context, or the provision of AI tools to help with diagnosing conditions. We act for commissioners and providers, which gives us a unique understanding of both the challenges and the considerable potential benefits of medical technology. In our view, it is in the interests of both the NHS and the medical technology industry to be clear and transparent about the possibilities, as well as the limitations, of data-driven technology. This will create relationships of trust, built upon a solid understanding of implementing safe, effective and secure technology for patients, with providers of such technology being accountable for the same. This in turn will give commissioners peace of mind and a clear framework through which to enforce compliance.
Should you wish to provide feedback to the DHSC on the Code or discuss any of the legal issues arising from this article, we would be pleased to discuss this further with you.