Digitalisation and Data Protection in Healthcare

This article was written by Alyssa Carmelli P. Castillo, who is participating in qLegal, the award-winning commercial pro bono law clinic, as part of her Commercial and Corporate Law Masters studies at Queen Mary University of London. She is the Gold Award Winner of qLegal’s Blog Writing Competition 2021–2022. The content of this article does not constitute legal advice and should not be relied upon as a source of legal advice. **

The digitalisation of healthcare in the UK

When the National Health Service (NHS) celebrated its 70th anniversary in 2018, it set out its ten-year plan involving the mainstreaming of digitally-enabled care. The priorities for this digital transformation include digital access to healthcare, better and wider physician access to patient records, and use of artificial intelligence to manage patients’ health. The digital revolution in the NHS is suitably accompanied by London’s rise as a healthtech hub in Europe, with healthtech investment increasing by nine times in the UK in 2021.


These events highlight the UK’s role in healthcare innovation and reveal an opportunity for it to tackle the challenges that accompany this major shift. While technology modernises access to healthcare in important ways, it also carries with it risks to patient privacy, and consequently, regulatory complications for both government and service providers. This problem is more apparent for start-up companies, which play a central role in the technological revolution albeit working with limited capital.

Healthcare and personal information

A fundamental concern in the wider use of technology is personal data management. Personal information is at the heart of delivering quality care to patients. Insofar as healthcare is concerned, anonymisation and pseudonymisation are uncommon, if not unhelpful. Being able to identify the patients and their specific circumstances is key to proper diagnosis and treatment. In this regard, the digitalisation of patient data can help improve tracking of patient symptoms. With technology, companies are also able to make a variety of services — from mental health to menopause care — accessible to more patients.

In addition to personal data management, information asymmetry has been an issue in healthcare, specifically in assessing the quality of care given to patients. Information asymmetry concerns the imbalance of knowledge and expertise between doctors and patients, which leaves the latter unable to immediately evaluate the care provided to them. Digitalisation of patient records along with machine learning can close this gap in knowledge. With more data, technology can provide supplementary information to help patients better evaluate the treatment options available to them. Information on aftercare can also become more up-to-date and reliable.


Towards compliance with data protection regulations

The extensive use and undeniable importance of personal information in healthcare highlights the need for companies to have a working understanding of data privacy and security. This also stresses the significance of having clearer guidance on the initial steps businesses can take to comply with the UK General Data Protection Regulation (UK GDPR). For start-up companies, regulatory requirements in this area can be overwhelming and external advice can be expensive. Fortunately, the Information Commissioner’s Office (ICO) has introductory materials on UK GDPR compliance, the basics of which are as follows:

1. Data protection fee

A data protection fee is required of every organisation or trader who processes personal information, unless exempt. The ICO website provides a self-assessment tool, which asks a series of questions so that entities can evaluate whether they are required to pay the fee and calculate its possible cost. The fee depends on the size of the entity and its turnover. It typically ranges from £40 to £60 annually for most organisations, including small and medium-sized businesses. Direct debit payments can save businesses £5, but failure to pay the fee can result in a fine of up to £4,000.

2. Data protection officer

The UK GDPR also requires the appointment and registration of a data protection officer (DPO) if an entity’s activities “require large scale, regular and systematic monitoring of individuals” or if its core activities “consist of a large scale processing of special categories of data or data relating to criminal convictions and offenses”, among others. It is important for healthtech companies to know that “special categories of data” includes data concerning health. The ICO’s assessment tool can help a business evaluate for itself whether its processing activities would require the appointment of a DPO, who shall assist its compliance with relevant regulations on data protection. However, whether or not a business is required to have a DPO, it must ensure that it has the necessary resources to comply with the UK GDPR.

3. Moving forward

Indeed, any business can do more to ensure that its clients’ personal data are sufficiently protected. Sensitive data concerning health necessarily require more prudence on the part of companies that process them. With the fines and reputational risks involved, it also makes business sense for healthtech start-ups to be mindful of these requirements from the outset. When in doubt, it is important that they, even as small business owners, consult the resources available from the ICO to assess their compliance with data protection regulations.

— — — — —



**qLegal provides pro bono legal advice and legal education to start-ups and entrepreneurs on intellectual property, data protection, corporate and commercial law. See the qLegal website for more details and to book your appointment. Follow us on Twitter and LinkedIn for regular updates on issues relevant to your business.


