Data-driven technologies, particularly artificial intelligence and other complex algorithms, have the potential to enhance patient care and catalyse medical breakthroughs. However, these technologies are heavily reliant on data, which poses challenges in ensuring that patient information is handled in a safe, secure and legally compliant way.

In response to early issues with the deployment of artificial intelligence and other algorithmic tools in healthcare, on 5 September 2018 the UK Department of Health & Social Care (DH) published an Initial Code of Conduct for Developers and Suppliers of Data-driven Health and Care Technology (the Code). The Code is not legally binding but aims to raise standards by establishing best practices.

The Code consists of:

  • 10 key principles (i.e., what DH expects from suppliers of data-driven technologies)

These principles outline best practice for safe and effective digital innovations, including defining the user, the value proposition, the commercial strategy, and the type of algorithm being built.

To address data protection concerns, Key Principle 3 mirrors the GDPR regime by requiring developers to be “fair, transparent and accountable about what data you are using”. Key Principle 4 also states you must “use data that is proportionate to the identified user need” and refers to the national opt-out policy, allowing patients to opt out from having their patient data used beyond their direct care.

  • 5 commitments (i.e., what DH will do to support and encourage innovators in health and care)
    • simplifying the regulatory and funding landscape;
    • creating an environment that enables experimentation;
    • encouraging the system to adopt innovation;
    • improving interoperability and openness; and
    • listening to users.

DH is encouraging developers of data-driven technologies to manage risks to the safety and quality of care by signing up to the Code. It will produce a revised version of the Code in December 2018 and seeks feedback from researchers, innovators, the public, and the NHS. The feedback questionnaire is available here.

A recent judgment of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others. Continue Reading Are joint data control relationships now the norm rather than the exception?

On 13 September 2017, the Commission issued a proposal for a Regulation to strengthen the role of the EU Agency for Network and Information Security (ENISA) by:

  • granting it a permanent mandate;
  • clarifying its role as the information hub of the EU for cybersecurity; and
  • tasking it with the responsibility of proactively contributing to policy in the area of network information and security.

The proposal also introduces EU-wide cybersecurity certification schemes for ICT products and services, which will be prepared by ENISA. This aims to address current market fragmentation and provide a comprehensive set of cybersecurity rules, technical requirements, standards and procedures. Continue Reading EU Commission proposes stronger mandate for ENISA and EU-wide cybersecurity certification

The UK Government has released a “Future Partnership” paper setting out its vision for UK-EU data flows post-Brexit. In particular, the paper anticipates seeking an early UK-EU agreement that each area’s data protection laws provide equivalent protection, which would allow data to continue to flow between the EU, the UK and other third countries post-Brexit. Continue Reading UK Government seeks EU equivalency for UK data protection law post-Brexit

With the holiday season upon us, earlier this week Matt Hancock, the UK Government’s Digital Minister, announced proposals for a new UK data protection law. Previously covered on this blog here and here, little of substance was new in the announcement, but in a slow news week it garnered significant UK media coverage and attention. Continue Reading UK’s Digital Minister announces changes to UK data protection law

Following the Government’s decision to include a revised data protection law in the Queen’s Speech last month, the House of Lords EU Home Affairs Sub-Committee reviewed the potential implications on national security, stability and public safety of the UK exiting the European Union without an agreement to ensure there is unhindered data flow between the two sides. The Committee issued a stark warning that it was “struck by the lack of detail” on how the Government would ensure that the UK data protection regime continues to allow data transfer with the European Union in a post-Brexit world.

Continue Reading UK Data protection post-Brexit: a “cliff-edge”?

A revised data protection law forms part of the new government’s legislative agenda for the UK. Key points in the Queen’s Speech on 21 June 2017 were that a new UK Data Protection Bill (the Bill) will replace the current Data Protection Act 1998; the new Bill will implement the EU General Data Protection Regulation (GDPR) in the UK (a fact that the party manifestos were silent on before the election); and the government intends to put the UK in the best position to maintain data sharing across the EU and internationally. These points remained unchallenged in the subsequent parliamentary debates, and the government’s express intention to implement the GDPR through national law in the UK was welcomed by many businesses. Continue Reading Proposal for a new UK Data Protection law

The European Commission’s January 2017 Communication on Building a European Data Economy (‘Communication’) proposes a principle of free movement of data within the EU. Whilst the coming into force of the General Data Protection Regulation (‘GDPR’) on 25 May 2018 significantly changes and tightens the rules relating to the collection and use of personal data in Europe, those changes need to be read alongside the Communication (and the accompanying staff working paper) to fully understand the regulatory environment for data in Europe. The Communication examines actual or potential blockages to the free movement of data and presents options to remove unjustified and/or disproportionate data location restrictions in the EU. It also considers the barriers around access to and transfer of non-personal machine-generated data, data liability, as well as issues related to the portability of non-personal data, interoperability and standards. Continue Reading European data economy: the free movement of data principle and other tall tales…

On 10 May 2017, the European Commission published its mid-term review of the implementation of Europe’s Digital Single Market strategy. Launched in 2015, the ambitious strategy covered 16 actions under the three pillars: (1) improving access to digital goods and services for consumers and businesses across Europe; (2) creating the right conditions and a level playing field for digital networks and innovative services to flourish; and (3) maximising the growth potential of the digital economy. Despite a lot of activity, the Commission was only able to highlight one actual delivered improvement in its review – the abolition of retail roaming charges – although it looks forward to the imminent implementation of cross-border content portability in early 2018 and the expected approval of a proposal to address unjustified geo-blocking.

Continue Reading European Digital Single Market strategy mid-term review: What happens next?

In January 2017, the European Commission published the proposed text of a new draft e-Privacy Regulation (ePR) as part of its ongoing drive to advance one of its key initiatives, the Digital Single Market.

Whilst the impending introduction of the GDPR has been dominating headlines for the past months, the ePR has somewhat gone under the radar. We set out the key points to look out for with regard to the ePR and who it is likely to apply to.

Continue Reading The ePrivacy Regulation: what you need to know