Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Things you need to know about info governance to sell healthtech products into the NHS


Published on

London Tech Week presentation by Chris Alderson, Partner, Hempsons.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Things you need to know about info governance to sell healthtech products into the NHS

  1. 1. for more information visit us at - Things you need to know about information governance to sell healthtech products into the NHS 16 June 2017 Chris Alderson, Partner
  2. 2. NHS as a market for healthtech products • Very large economy - NHS in England alone budget of £101.3 billion in 2015/16 • Still always looking for savings • Technology is seen as key to deliver savings – not just in ‘back office’ functions but also in developing and delivering better care pathways • Fewer hospital admissions, lower healthcare costs
  3. 3. NHS as a market for developers of healthtech products • Increasing convergence of electronic systems • Unique identifier (NHS number) for all NHS patients – 54.3 million plus individuals in England alone • Enables linkage of information from records between hospital and primary care
  4. 4. Information governance considerations - Data Protection Act 1998 • Schedule 1 condition: processing necessary for the purposes of legitimate interests pursued by data controller or third party to whom data are disclosed, except where unwarranted by reason of prejudice to rights and freedoms or legitimate interests of data subjects • Schedule 3 condition: processing necessary for medical purposes and undertaken by health professional or someone owing equivalent duty of confidentiality. Medical purposes includes medical research and management of healthcare services
  5. 5. Information Governance considerations DPA continued • Section 33 • Processing data for research not to be treated as using data for purpose incompatible with the purpose for which it was collected, and exempt from subject access rules provided • not processed to support decisions relating to the individuals • data not processed in way that substantial damage or distress caused to any data subject
  6. 6. So, what is the problem?
  7. 7. DPA – First data protection principle • Data must be processed fairly and lawfully • Imports common law duty of confidence • Limits what can be done with data to that which is in accordance with public information about uses of data
  8. 8. Caldicott Principles • Principle 1 - Justify the purpose(s) for using confidential information Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. • Principle 2 - Don't use personal confidential data unless it is absolutely necessary Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
  9. 9. Caldicott Principles continued • Principle 3 - Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out. • Principle 4 - Access to personal confidential data should be on a strict need- to-know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
  10. 10. Caldicott Principles continued • Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality. • Principle 6 - Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
  11. 11. Caldicott Principles continued (From April 2013 following ‘Caldicott 2’ Report) • Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies • Introduces concept of Caldicott Guardian – role within NHS organisations tasked with expertise in decisions regarding usage of patient data and decisions to share – usually Medical Director
  12. 12. Confidentiality: NHS Code of Practice • • Main source of rules governing how patient data may be used in the NHS • Builds on Caldicott principles • Key message – data that relates to identifiable patients can only be used and shared by those in the direct care team and only to the extent that the information is necessary for the purpose of delivering that care
  13. 13. Confidentiality: NHS Code of Practice continued • Emphasis on their being no surprises in how information is to be used • Model for sharing data amongst direct care team is that patient has been informed about how their data will be used and shared and has not disagreed – implied consent • Note importance of link to direct delivery of care
  14. 14. Confidentiality: NHS Code of Practice continued • What is not covered by this implied consent • Usage of patient identifiable data for administrative purposes – for example invoice validation by commissioners • To researchers • To app developers • BBC News 16 05 17 “Google DeepMind patient app legality questioned” “[The national Data Guardian] questioned the use of ‘implied consent’ as the legal basis for the transfer of identifiable patient records, because the data was initially used just to test the app.”
  15. 15. How then, do you develop health apps • Anonymisation/pseudonymisation at source • Anonymisation if never a need to re-identify patients • Pseudonymisation if may be a need to link back outcomes of apps to individuals • Granularity of data • Risk of accidental/intentional re-identification of data if detailed information can be combined with other data sets. • If data can be re-identified in this way, has not been anonymised and so usage of data restricted • Avoid with the use of controlled environment for usage of detailed anonymised data
  16. 16. Other means of using personal confidential data • Patient consent • Express informed consent of patient • Suitable for research such as clinical trials • Not suitable for use of large quantities of data as would be needed for algorithm development • Section 251 NHS Act 2006 • Confidentiality Advisory Group of Health Research Authority will recommend authorisation of use of personal confidential data on case specific basis if no way of progressing a valuable project without it
  17. 17. Processing data overseas (including use of cloud) • Many NHS standard contracts will specify that data cannot be stored outside England/UK/EEA • Not a requirement imposed by law, as such transfers of data lawful provided permitted means under DPA utilised • Reflection of risk-averse nature of NHS economy • Product easier to sell to NHS if data transfers overseas limited • Bear in mind if data are being processed with the intention that will be accessed remotely overseas this is still an export of data
  18. 18. Security • Major issue for NHS market • Expect to have to explain level of security in some detail • Back up with disciplinary policies – intentional breach of confidence in NHS will lead to dismissal • Be open to audit or arrange audit with reputable external auditor whose reports will be shared • Patient level data will need to have high level of security assurance
  19. 19. Role of NHS IG Toolkit • Every NHS organisation has to meet information governance standards set out in the IG Toolkit in order to be allowed access to NHS secure network • For example, in relation to arrangements with third parties, must have policies addressing: • The types of third party that the organisation is likely to contract with; • The types of information that each category of third party is likely to require access to; • How monitoring of the third party’s compliance with the information governance controls will be carried out;
  20. 20. IG Toolkit continued • The business continuity measures that will need to be in place within both the organisation and the third party to ensure continued performance of the contract; • Training for the contracts staff in the organisation to ensure they have knowledge of the controls to be built into third party contracts; • Training for staff who work for the third party to ensure they are aware of information governance requirements; what they can and can’t do and who they should contact if things go wrong. • How information incidents will be reported and managed; • The type of information governance controls to be documented in the third party contract. • This is just one of the criteria required
  21. 21. Freedom of Information Act 2000 • All NHS bodies are public authorities under the FoIA and so requests can be made for any information they hold • Must greater transparency in contracts than in private sector • Expect information about your work to be put into public domain • Are exemptions, but beneficiaries of public funds must expect transparency as a result • Generally only ‘core’ sensitive information is protected
  22. 22. Changes coming • GDPR – impact on all aspects on the use of personal data • Requirements to demonstrate consent tightened • Regulatory framework strengthened – fines of up to €20 million or 4% of global turnover for breach • However impact on use of data in NHS likely to be limited as NHS rules already considerably beyond DPA requirements
  23. 23. Changes coming • Legislative change following ‘Caldicott 3’ • Right to ‘opt out’ secondary uses of patient data (but note – no opt out for the use of anonymised data) • Introduction of criminal offence of combining anonymised data with other sources so as to render data identifiable
  24. 24. Getting it wrong • ICO penalty notice HCA International Limited (23 February 2017) • Unencrypted transfer of recordings of IVF clinics for transcriptions to country outside EEA • Transcripts put on unsecured server and discoverable via internet search • No security checks or specifications in contract • Penalty of £200,000
  25. 25. How to develop your app • Make sure your team are aware of the IG framework used by the NHS at the outset • There is no use in your team developing functionality that is not based on a permissible use of NHS data • Speak to the NHS – while there is no one body that represents NHS organisations (so no contract will ever be with ‘the NHS’) there are specialists in this field – in particular NHS Digital
  26. 26. How to develop your app continued • NHS Digital keen to support products that likely to develop savings for NHS • Online resources - • Further reading • Confidentiality: NHS Code of Practice • GMC – Confidentiality: good practice in handling patient information • ‘Caldicott 3’ – National Data Guardian for Health and Care Review Data Security, Consent and Opt-Outs • Information Governance Alliance
  27. 27. Any Questions?
  28. 28. Chris Alderson Partner T: 0161 234 2448 E: