On 5 September 2018, the Department of Health and Social Care (DHSC) published the initial code of conduct for data-driven health and care technology. The code – driven by the increased opportunities presented by data-driven technologies – comprises a number of "principles" to be adhered to by technology providers, and "commitments" from the DHSC, which would streamline the introduction and use of innovative technology within the NHS for the mutual benefit of both.
Key objectives of the code include simplifying and clarifying both the regulatory obligations on suppliers to the NHS and the ability of those suppliers to access valuable NHS-derived data, whilst ensuring that the NHS obtains its fair share of the value of those innovations in return. There is also a focus on ensuring effective and objective security standards are set.
Status of the code
The code is in its "initial" stage, and whilst organisations are encouraged to sign up immediately, there is no obligation to do so. Stakeholders are now invited to provide their feedback on the initial code via a questionnaire (although the deadline for feedback is not stated), which requests views on each individual principle and commitment contained within it (more on these below). This feedback will inform the final version of the code, which the DHSC anticipates publishing in December. At that point, it is envisaged that the code will constitute the standard for technology partnerships within the NHS.
Structure and content of the code
10 key principles for data-driven health and care technology suppliers
1. Define the user – explain who the product is for, including an understanding of its wider effect, for example, on possible co-morbidities.
2. Define the value – deliver a business case setting out outcomes and performance indicators.
3. Be fair, transparent and accountable about the data being used – essentially demonstrate privacy by design principles, and full GDPR compliance, noting the possibility of special categories of data having been processed.
4. Demonstrate that data used is proportionate – in accordance with the GDPR minimisation principle.
5. Make use of open standards – including those hosted by NHS Digital around data, clinical and interoperability.
6. Be transparent on the limitations of the data used – ensuring algorithms are designed to understand the quality of data being used, and that the product undergoes continued anomaly detection.
7. Make security integral to design – including compliance with the Data Security and Protection Toolkit (recently launched by NHS Digital to replace the Information Governance Toolkit).
8. Define the commercial strategy – which should seek to ensure that the NHS's input into the development or provision of the product (for example, from NHS derived data sets) is "fully recognised and compensated".
9. Show evidence of effectiveness for the intended use.
10. Provide information on the type of algorithm being used.
Five DHSC commitments
The DHSC has set out its five commitments to suppliers:
1. Simplify the regulatory and funding landscape – including redressing the balance between heavily supported research on the one hand and rolling out final products for use, on the other, and increased support of SMEs.
2. Create an environment that enables experimentation – allowing useful data to be used where legally possible.
3. Encourage innovation – for example, by the development of a Kitemark scheme for digital health and care products.
4. Improve interoperability and openness – by the introduction of new standards for open data and interoperability.
5. Listen to users – increase engagement with patients on the benefits of health and care data to NHS efficiencies and patient outcomes, whilst ensuring patients are enabled to actively manage their own data.
The recognition from the DHSC as to the potential to the NHS of its data is to be welcomed, as is the move towards a more standardised approach towards NHS collaboration with innovators. From a practical perspective, the principles to be signed up to mirror GDPR requirements which organisations will already be familiar with (for a more in-depth discussion of the GDPR and its impact, visit our 100 days of GDPR series). As always, the devil will be in the detail, and the success or otherwise of the code will depend on service providers reaching fully informed and mutually beneficial contractual terms, on a project-by-project basis. Further clarity and a simplified regulatory regime could result in the appropriate and sensitive use of NHS data for the benefit of all and in particular for the benefit of patients.
Marcus Vass, co-head of Digital Health