The rapid evolution of medical devices and their ever growing connectivity means that they not only generate large amounts of personal data but they are increasingly capable of sharing the data both deliberately and (potentially if hacked) without the consent of the patient or the data controller. The supply and use of medical devices fall well within the scope of data protection legislation, but in the UK they are also subject to an increasingly complex and sophisticated data framework specific to the UK healthcare regime.
Although the National Health Service doesn't have a complete monopoly on the provision of healthcare in the UK, it's the biggest player and purchaser by a huge margin. As such, medical device companies that are looking to sell in the UK are unlikely to make much of an impact in the market unless they can meet NHS requirements. Here, we consider the most compelling standards any company must meet to become an NHS supplier with access to NHS patient personal data.
UK data protection framework
When processing any personal data in the UK, targeting products and services to people in the UK or monitoring their behaviour in the UK, organisations must adhere to the UK’s general privacy regime. The Data Protection Act 2018 (DPA18) is the overarching statute, incorporating the EU’s General Data Protection Regulation into national law as the UK GDPR, from the end of the Brexit transition period (1 January 2021).
These laws set out principles that must be adhered to when processing personal data and special requirements for the handling of sensitive, 'special category' data, including medical data. Given the sensitive nature of the personal data in the medical device sector, it's important that data protection compliance is prioritised. This will be the baseline and starting point for organisations before they look to contract with the NHS (a more detailed look at GDPR compliance in the life sciences sector is available here).
Background to the NHS
The NHS is the public healthcare system free at the point of use in England (with similar systems across Wales, Scotland and Northern Ireland), and is one of the largest single payer healthcare systems in the world. The existence of the NHS is known to all UK residents and its political and social importance to the UK is understood far beyond its jurisdiction. What's less well understood is that the NHS is not a single centralised department (like a government department) but is comprised of a complex structure with NHS England as the umbrella body, flowing down to Clinical Commissioning Groups (CGCs) that are responsible for commissioning healthcare in local areas.
The NHS Trusts are the bodies that provide the care that CGCs commission such as care services, mental health, ambulance, social care and hospital services. General practitioners are in fact private traders or partnerships, the vast majority of which have NHS contracts to provide care to patients residing within a limited catchment area. The NHS has huge spending power in the UK, of around £27 billion per year on goods and services. Given the wide range of healthcare goods and services that the NHS offers to people, NHS Trusts control vast amounts of patient personal data. There are strict rules that organisations must follow when selling medical devices into the NHS and accessing patient data, rules that far exceed the specificity of the general provisions of the GDPR and DPA18.
Data protection requirements when using NHS Data
There are various data protection considerations that companies need to know about when contracting with the NHS, including:
National Data Guardian data security standards
The National Data Guardian is an independent role, currently held by Dame Fiona Caldicott, who has the primary aim of ensuring that people's confidential information is safeguarded securely and used properly in the UK health and care system. Caldicott principles offer detailed guidance that both public bodies and private organisations that are delivering services to the NHS must take into account.
The National Data Guardian has set out 10 standards which any organisations that handle social and care information in the UK should adhere to, although the way that organisations implement the standards will differ depending on their size and type. The standards are divided into three areas of focus – people, processes and technology – all aiming to ensure confidential information is protected (see our article on the Caldicott Principles for more).
NHS Toolkit
When organisations (including medical device companies) process NHS patient data or systems for any reason, they must use the NHS Toolkit. This is an online tool for implementing the National Data Guardian Standards and aligning data practices with the GDPR. Its focus is on data security and ensuring that an adequate level of protection of data is achieved, which is done via self-assessment tools that organisations use to assess their own compliance.
The assessment is carried out by confirming a range of assertations, which must then be backed up with evidence. This acts as a layer of accountability and organisations can choose to publish their results. The NHS Toolkit also has a reporting tool for reporting any security and protection incidents.
National opt-out
The national data opt-out is a mechanism for people in England to choose whether to opt out from their confidential patient information being used for research and planning purposes. It doesn't apply to information used for care purposes. The national opt-out covers confidential patient information collected about care in England. This includes:
- publicly funded, commissioned or coordinated health and adult social care
- private care given in NHS settings.
All organisations that process (use in any way) health and social care information as a controller will need to comply with the opt-out, and medical device companies will need to assess whether it will apply to them. The deadline for organisations to comply with the national opt-out is now 31 March 2021. They must ensure they have processes in place to respect people's opt-outs if they are using the data for research or planning purposes. This will involve a process to check people's NHS numbers against those with national data opt-outs registered, and then procedures to ensure that they do not use those patients' data for any research and planning purposes.
Retention and record management
We cannot consider data protection without mentioning retention, an aspect of the UK privacy regime that's particularly important in the context of healthcare data. Retention management will form a key part of any organisation's compliance when contracting with the NHS or accessing NHS data.
It's crucial in this context to remember that data retention principles don't exist merely to encourage data cleansing. Data retention guidance expects thorough consideration to be given to the appropriate retention period in the context of medical data, where over hasty deletion of data could compromise patient safety. The secure retention of data in line with transparency periods and patient expectations is crucial. The Records Management Code of Practice sets out what those working in or with the NHS need to do to manage records correctly.
The current 2016 Code is due to be replaced by a 2020 code and sets out retention time periods for different types of personal data.
Other requirements
Organisations contracting with NHS entities will also need to consider broader compliance obligations when handling patient data, including the common law duty to preserve confidentiality, the NHS Code of Confidentiality and the NHS Code of Practice in relation to Information Security Management.
More on the horizon
The UK government has turned its attention to the use of NHS data over recent years in response to high profile NHS data breaches and a general lack of cohesion. This has resulted in the development of new compliance structures. One of these is the NHS digital, data and technology standards framework (in draft at time of writing), that sets out broad principles for using patient data and the interlink with the GDPR.
This involves the standardisation of data and interoperability through methods such as always using NHS numbers, accessing NHS systems through an approved authentication system information, using the NHS Digital Toolkit (as detailed above) and adhering to various standards aimed at protecting the personal data. How new structures will adapt to or replace existing frameworks is still unclear. Medical device companies should keep a firm eye on the evolving regulatory landscape in the UK and ensure they allow time and budget to meet new requirements when processing NHS patient data.
