Summer 2025 saw legislative and policy developments which had the potential to meaningfully affect the medtech landscape, namely the passing of the Data Use and Access Act 2025 in mid-June and the publication of the 10 Year Health Plan in early July. We are now more than six months on and so the inevitable question is what, if any, difference have they made?
Significant changes
In many ways it would be an entirely unfair expectation to have seen any meaningful change by now, not least because the provisions of the DUAA have been coming into effect in staggered fashion. The most relevant changes from a medtech perspective only took effect from February 2026 but on the face of it could make tangible differences in due course. In particular:
- Research using health data ought to be easier going forward thanks to an expanded definition of what is considered research under the UK GDPR (it can be commercially or publicly funded) as well as more relaxed consent and transparency requirements
- There are less strict restrictions on the use of automated decision-making and/or profiling of individuals in certain circumstances and a slightly lowered hurdle for transferring data overseas
Alongside this, however, the DUAA does also impose additional compliance requirements as well as granting wider powers to the Secretary of State in respect of information standards for those operating in the health and social care sectors. In short, the Secretary of State will be able to issue specific standards concerning the technical design or operation of specified IT services and those providing such services to the NHS will have to comply with them. The standards can relate to functionality, connectivity, interoperability, portability, storage of, and access to, information and/or security of information.
They are backed up by enforcement powers, including an ability to require an explanation of how the relevant provider is complying with a particular standard and/or provision of information or evidence to that effect. If the Secretary of State remains dissatisfied then they can issue a public statement confirming that the provider has failed to comply, which could obviously have significant reputational effects and so is not to be taken lightly.
What next
It is not yet clear if, how and when these powers might be invoked, although logically electronic patient records are an obvious potential target given the well-publicised interoperability challenges which currently exist. The Secretary of State will also have to balance potential use of the powers against the policy objectives of the 10 Year Health Plan, which sets out a clear (albeit slightly familiar) ambition to better embrace technology, including better use of AI.
In summary, therefore, the medtech landscape did not change overnight in Summer 2025 and nor has it dramatically evolved since then. Nonetheless, it is clear that there will be incremental efforts in due course to meaningfully influence how the NHS makes best use of medtech and so it is important to keep abreast of these changes.
