UK Government publishes draft Code of Conduct for data-driven healthcare technology

Issues to consider in a new Code of Conduct for data-driven healthcare technology providers issued by the Department of Health and Social Care.

The use of data-driven digital health tools in the healthcare and life sciences sector is ever-increasing, from patient monitoring apps, AI diagnostics and clinical support tools to healthcare management tools. The data sharing that these tools require has also led to a number of unfortunate headlines in recent months. In recognition of these challenges, and building on the Department for Digital, Culture, Media and Sport’s Data Ethics Framework, the Department of Health and Social Care (the DHSC) published a draft code of conduct for data-driven health and care technology (the Code) earlier this month.

The Code details ten principles which suppliers of data-driven technologies in the healthcare and life sciences sector should comply with. Notably, the Code does not only cover issues such as lawful use and transfer of data, data security and minimisation; it also covers wider commercial issues related to these types of NHS and industry partnerships. In addition, the DHSC has made various “commitments” in the Code, including a simplified regulatory environment for digital health technologies.

While the Code is stated to be voluntary, technology providers and healthcare providers are encouraged to sign up to the draft version. Organisations are also encouraged to provide feedback on the Code via a questionnaire, which will inform the final version of the Code to be published in December.

The Code’s key principles

The Code proposes ten key principles for safe and effective digital innovation in the healthcare system.

Many of these key principles are inspired by concepts in the EU General Data Protection Regulation and the UK Data Protection Act 2018. For example, the Code emphasises the importance of incorporating “privacy by design” into technology solutions. The completion of data protection impact assessments (“DPIAs”), assisted by data flow maps and consultation with the Information Commissioner’s Office where necessary, is regarded as essential. The results of DPIAs must feed into data sharing agreements, and here the Code refers to the importance of obtaining appropriate legal advice and allowing sufficient time to prepare suitable contracts. Other principles focus on transparency, the use of proportionate datasets, and data security. In relation to security, the Code restates the principle that all organisations with access to NHS patient data must comply with the Data Security and Protection Toolkit (formerly known as the Information Governance Toolkit).

The Code also advocates a “2-staged” approach for data analytics, whereby systems are first trained to understand levels of data quality and variables before running an analysis, all to improve accuracy and minimise bias. As for AI, transparency is the Code’s key message. Amongst other things, providers must demonstrate their system’s learning methodology, the strengths and limitations of algorithms, and potential resource implications. The Code also encourages the drafting of clear standard operating procedures (SOPs) detailing how algorithms will be implemented, which can leverage the output from data flow maps and DPIAs.

However, in addition to these more technical data requirements, the Code includes various commercial requirements, such as ensuring interoperability with existing systems, identifying the user/market need and the “value add” for the healthcare system. In particular, it requires parties to ensure that the benefits of partnerships are shared “fairly”. These requirements include consideration of (amongst other things) the proposed position on IP ownership, the scope of any IP licence granted, apportionment of liability, management of any AI bias, recognition of NHS “value add” contributions and more varied revenue models (eg royalties, discounted products, equity shares, or improvements to datasets).

The DHSC’s “commitments”

The Code includes five commitments from the DHSC for a revised regulatory landscape for digital health innovation which should benefit SMEs and bigger companies alike. Perhaps the most important commitments are those to simplify the regulatory and funding landscape (which is currently a significant hurdle for any business trying to access the NHS market) and to improve interoperability of systems by establishing clear, open and public data standards and APIs.

Other commitments simply reflect and build on the wider recommendations in Sir John Bell’s Life Sciences Industrial Strategy, such as using the Digital Innovation Hubs and other initiatives to create an environment which enables experimentation, and encouraging and training healthcare professionals to adopt such technologies.

Interestingly, while promising to simplify the regulatory landscape, the DHSC also proposes to introduce further regulation with the development of a “trusted approval (Kitemark) scheme” for digital health products, building upon the DHSC’s previous efforts with the NHS Apps Library. It is unclear whether this “Kitemark” would apply only to products which do not qualify as (and therefore are not regulated as) medical devices, or if it would apply across the board. In any event, digital health providers will still need to ensure they have considered the requirements of the Medical Devices Directives / Medical Devices Regulation, the General Data Protection Regulation (and, in some cases and to varying extents, the Network and Information Systems Regulations 2018), the SCCI0129, the Data Security and Protection Toolkit, the new Code and any requirements for this “Kitemark” (as applicable depending on their product’s regulatory classification).

What’s next?

The introduction of the Code indicates that the DHSC is embracing the recommendations in Sir John Bell’s Life Sciences Industrial Strategy regarding leveraging NHS datasets to become a global digital health leader. It also confirms that the DHSC is serious about repositioning itself in its commercial collaborations and maximising the value it obtains. Indeed, alongside the Code, the DHSC is reviewing the current regulatory framework and assessing commercial models used in technology partnerships.

Once the Code has been finalised and this review completed, the DHSC hopes to identify how to constructively enforce the Code and related standards, as well as ensuring it provides commercial support for NHS trusts that wish to enter into partnerships with industry.

Although the draft Code is non-binding, technology and life sciences providers developing digital health solutions should start to comply with the Code’s provisions now (and provide feedback on it where necessary) in order to be well placed to ensure compliance once the Code is finalised.

Lawyers in our Life Sciences and Healthcare sector group advise on all legal and regulatory aspects of commercial transactions in the digital health space. In addition, our data protection impact assessment, data audit, and data sharing products and tools are designed to help businesses achieve maximum compliance with the GDPR and associated regulation such as the Code.
