Encouraging innovation whilst protecting the NHS data resource – a new code for digital technology
10 September 2018
As big data continues to be big news and data protection law continues to evolve, it is timely that the Department for Health and Social Care (the Department) has published a code of conduct relating to the use of data-driven health and care technology (the Code).
Published in its initial form last week (5th September), the code addresses how the UK’s data-rich healthcare system proposes to interact with suppliers of data-driven technology. In particular, how it can encourage innovation and promote better healthcare through that technology, whilst ensuring data security, patient safety and a fair share of commercial benefits gained from a data-technology partnership.
The balancing act
Developments in apps, decision making tools, and algorithms, as well as artificial intelligence (AI) present a opportunity to extract information from the vast pool of patient data held by the NHS, with potential applications for patients, industry and the healthcare system alike. Given the sensitive nature of the data involved, the encouragement of innovation and technological advancement under the Code goes hand in hand with a requirement for best practice standards and safeguards.
The intention is to build on the Department for Digital, Culture, Media and Sport’s Data Ethics Framework and account for existing safeguards such as the National Data Guardian’s 10 data security standards and the national data opt-out programme.
Perhaps most interesting is the Code’s requirement that commercial benefit and reward should be shared between the technology innovator and the data provider - between the supplier of the machine itself as well as the fuel it relies upon. However, whilst clarifying the need for commercial terms to address potentially complex issues such as data usage, intellectual property ownership and liability concerns, the Code does recognise a need for mutually beneficial arrangements and a more coherent and consistent “demand signal” from healthcare providers and procurement teams.
Principles and commitments “to live by”
The Code sets out 10 principles (requirements for suppliers) and 5 commitments (from the Government) that describe how the Department anticipates technological engagement to proceed, how suppliers are expected to operate and how the health care system will be ready to adopt technology at scale. Gold standard technology solutions and rigorous safeguards would be wasted if they cannot be implemented.
The principles require suppliers to:
- define the user, and the value proposition - for example, who will benefit from the technology, what might impact uptake, how does AI improve efficiency or quality, how will the product result in improvements for the healthcare system.
- be fair, transparent and accountable about data being used - for example, demonstrate privacy-by-design in agreements, data maps and data protection impact assessments, and consider and implement all aspects of the General Data Protection Regulation.
- minimise personal data used and incorporate data standards - for example, limit personal data to what is necessary and account for the data opt-out policy, ensure data quality by incorporating data and interoperability standards (maintained by NHS Digital and NHS England), ensure effective data linkage and highlight limitations of data sets or algorithms used to train products.
- make security integral to the design - for example, ensure appropriate security and data safeguards, apply and comply with the NHS Digital Data Security and Protection Toolkit and OWASP application Security Verification Standard.
- define the commercial strategy - for example, consider commercial and technology aspects and contractual limitations, only enter into commercial terms where benefits of the partnership are shared fairly.
- evidence effectiveness and the nature of algorithm used - for example, evidence how effective the product is for use, show how the algorithm and any learning methodology operates and how outcomes are validated (so aiding transparency requirements and effective resource and training allocation)
The commitments of the government are to:
- simplify the regulatory and funding landscape, streamlining engagement with the market and reviewing regulation to allow innovation without risking safety.
- create an environment that enables experimentation, using Local Health and Care Record Exemplars and Digital Innovation Hubs to improve safe and secure access to NHS data for research and development and using environments to enable analysis and data sharing.
- encourage the health and care system to adopt innovation, reviewing contracting, procurement and commercial arrangements to ensure fair compensation for all parties, improving training to ensure an appropriately skilled customer base and developing an approvals and recognition process for products.
- improve interoperability and openness, using application programming interfaces and public data standards so that products are interoperable.
- listen to users, discussing principles, commitments and plans with all parties.
What happens next?
The current form of the Code is open for comment (with a questionnaire provided for input) and whilst the Department encourages its use, the Code will be updated and finalised in December. As the tone of the Code is one of mutual benefit, encouragement, responsibility and fair-shares, the intention is for the final code to be “co-designed”.
As set out in the commitments, the Code anticipates associated initiatives to ensure its outcomes. In time, the implication is that this voluntary Code may gain some teeth, with a desire to determine “how to constructively enforce these standards”.
Alignment in the profession
This Code comes hot on the heels of a position paper, issued by the Royal College of Physicians (the RCP) on 3rd September, also encouraging use of AI in the health industry.
Whilst the benefits of AI are acknowledged, the RCP flagged the need for careful appraisal of the technologies by doctors and the need for regulator guidance and evaluation.
The RCP does not see a world where doctors become obsolete but where technology can support the professionals, so long as the “safety, societal, legal, educational and ethical implications” are considered. A requirement for high-quality data to ensure safe AI conclusions, positions specifying transparency, evidence-based explanations, peer review and training all act to highlight an awareness that existing levels of AI knowledge within the health service, as well as the nature of current systems, will need to progress alongside any technological innovations. Industry will be key to facilitating that up-skilling process.
A good example-technology teamed with data to enable health
Perhaps less glamorous than AI diagnostics but part of the Department’s approach to engaging with innovations in technology and AI is the up-coming roll out of the NHS booking app. Piloting in five areas in October, with a view to roll out at the end of the year, the new app will enable GP bookings, repeat prescriptions, access to medical records, the setting of data sharing preferences, as well as organ donation and end-of-life preferences and online access to medical queries. Here is an example of the integration of traditional health care services (access to doctors and medical advice), with expression of personal preferences, data management and transparency, in an accessible format, where the medical knowledge, computing power and legal/regulatory requirements must all be accounted for. It will be interesting to see how this app is received by the target audience and how the associated industry and healthcare benefits materialise.
The NHS is in a unique position - collecting and processing vast quantities of patient health data that, taken together, enable unique insights into clinical diagnosis and the prospect of medical advancement. The public tend to trust the NHS and are more able to see the advantages to the use of health data by the NHS in some cases.
It will be interesting to see how the healthcare service manages this data resource and responsibility, what lessons can be learnt by other organisations developing policy, and how potential partners can make the most of a positive technology environment that now demands a return on the opportunities granted.
It remains to be seen whether all industry partners view this Code as sufficient encouragement to pursue business if commercial spoils are to be shared, particularly in a post-Brexit Britain, but existing initiatives such as the equity partnership and royalty stream established by Sensyne Health PLC, would suggest that engagement will remain attractive.