Things you need to know about info governance to sell healthtech products into the NHS
1. for more information visit us at -
www.hempsons.co.uk
Things you need to know about
information governance to sell
healthtech products into the NHS
16 June 2017
Chris Alderson, Partner
2. NHS as a market for healthtech
products
• Very large economy - NHS in England alone
budget of £101.3 billion in 2015/16
• Still always looking for savings
• Technology is seen as key to deliver savings – not
just in ‘back office’ functions but also in developing
and delivering better care pathways
• Fewer hospital admissions, lower healthcare costs
3. NHS as a market for developers of
healthtech products
• Increasing convergence of electronic systems
• Unique identifier (NHS number) for all NHS
patients – 54.3 million plus individuals in England
alone
• Enables linkage of information from records
between hospital and primary care
4. Information governance considerations
- Data Protection Act 1998
• Schedule 1 condition: processing necessary for the
purposes of legitimate interests pursued by data
controller or third party to whom data are disclosed,
except where unwarranted by reason of prejudice to
rights and freedoms or legitimate interests of data
subjects
• Schedule 3 condition: processing necessary for
medical purposes and undertaken by health
professional or someone owing equivalent duty of
confidentiality. Medical purposes includes medical
research and management of healthcare services
5. Information Governance
considerations DPA continued
• Section 33
• Processing data for research not to be treated as
using data for purpose incompatible with the
purpose for which it was collected, and exempt
from subject access rules provided
• not processed to support decisions relating to the
individuals
• data not processed in way that substantial damage or
distress caused to any data subject
7. DPA – First data protection principle
• Data must be processed fairly and lawfully
• Imports common law duty of confidence
• Limits what can be done with data to that which is
in accordance with public information about uses
of data
8. Caldicott Principles
• Principle 1 - Justify the purpose(s) for using confidential information
Every proposed use or transfer of personal confidential data
within or from an organisation should be clearly defined,
scrutinised and documented, with continuing uses regularly
reviewed, by an appropriate guardian.
• Principle 2 - Don't use personal confidential data unless it is
absolutely necessary
Personal confidential data items should not be included unless it
is essential for the specified purpose(s) of that flow. The need for
patients to be identified should be considered at each stage of
satisfying the purpose(s).
9. Caldicott Principles continued
• Principle 3 - Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential,
the inclusion of each individual item of data should be considered and
justified so that the minimum amount of personal confidential data is
transferred or accessible as is necessary for a given function to be
carried out.
• Principle 4 - Access to personal confidential data should be on a strict need-
to-know basis
Only those individuals who need access to personal confidential data
should have access to it, and they should only have access to the data
items that they need to see. This may mean introducing access controls
or splitting data flows where one data flow is used for several purposes.
10. Caldicott Principles continued
• Principle 5 - Everyone with access to personal confidential data
should be aware of their responsibilities
Action should be taken to ensure that those handling personal
confidential data - both clinical and non-clinical staff - are made
fully aware of their responsibilities and obligations to respect
patient confidentiality.
• Principle 6 - Comply with the law
Every use of personal confidential data must be lawful.
Someone in each organisation handling personal confidential
data should be responsible for ensuring that the organisation
complies with legal requirements.
11. Caldicott Principles continued
(From April 2013 following ‘Caldicott 2’ Report)
• Principle 7 - The duty to share information can be as important as
the duty to protect patient confidentiality
Health and social care professionals should have the confidence
to share information in the best interests of their patients within
the framework set out by these principles. They should be
supported by the policies of their employers, regulators and
professional bodies
• Introduces concept of Caldicott Guardian – role within NHS
organisations tasked with expertise in decisions regarding usage of
patient data and decisions to share – usually Medical Director
12. Confidentiality: NHS Code of
Practice
• www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
• Main source of rules governing how patient data may be
used in the NHS
• Builds on Caldicott principles
• Key message – data that relates to identifiable patients
can only be used and shared by those in the direct care
team and only to the extent that the information is
necessary for the purpose of delivering that care
13. Confidentiality: NHS Code of
Practice continued
• Emphasis on there being no surprises in how
information is to be used
• Model for sharing data amongst direct care team is
that patient has been informed about how their
data will be used and shared and has not
disagreed – implied consent
• Note importance of link to direct delivery of care
14. Confidentiality: NHS Code of
Practice continued
• What is not covered by this implied consent
• Usage of patient identifiable data for administrative
purposes – for example invoice validation by
commissioners
• To researchers
• To app developers
• BBC News 16 05 17
“Google DeepMind patient app legality questioned”
“[The national Data Guardian] questioned the use of ‘implied consent’
as the legal basis for the transfer of identifiable patient records,
because the data was initially used just to test the app.”
15. How then, do you develop health
apps
• Anonymisation/pseudonymisation at source
• Anonymisation if never a need to re-identify patients
• Pseudonymisation if may be a need to link back outcomes of apps to
individuals
• Granularity of data
• Risk of accidental/intentional re-identification of data if detailed
information can be combined with other data sets.
• If data can be re-identified in this way, it has not been anonymised and so
usage of the data is restricted
• Avoid this by using a controlled environment for usage of detailed
anonymised data
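An added illustration of the slide above (not part of the original presentation): pseudonymising the NHS number at source with a keyed hash, reducing granularity, and withholding rows that stay unique. The key, field names, `k_min` threshold and sample records are assumptions made up for this sketch.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: this key stays with the NHS data controller and is never given
# to the developer; only the key holder can recompute a pseudonym to link back.
SOURCE_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample rows (not real patients; NHS numbers and postcodes are made up).
RECORDS = [
    {"nhs_number": "999 000 0001", "age": 34, "postcode": "ZZ1 4AP", "sex": "F", "hba1c": 48},
    {"nhs_number": "999 000 0002", "age": 37, "postcode": "ZZ1 2HD", "sex": "F", "hba1c": 53},
    {"nhs_number": "999 000 0003", "age": 91, "postcode": "ZZ9 5QX", "sex": "M", "hba1c": 61},
    {"nhs_number": "999 000 0004", "age": 32, "postcode": "ZZ1 9ZZ", "sex": "F", "hba1c": 44},
]

def pseudonymise(nhs_number: str, key: bytes) -> str:
    """Keyed hash of the NHS number: stable per patient, not reversible without the key."""
    digits = nhs_number.replace(" ", "")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()[:16]

def generalise(record: dict) -> tuple:
    """Reduce granularity: 10-year age band and outward postcode only."""
    band = record["age"] // 10 * 10
    return (f"{band}-{band + 9}", record["postcode"].split()[0], record["sex"])

def prepare_extract(records: list, key: bytes, k_min: int = 2):
    """Return (released_rows, suppressed_count).

    Rows whose generalised attributes are shared by fewer than k_min patients
    are withheld, since a unique combination can be matched to other data sets.
    """
    group_sizes = Counter(generalise(r) for r in records)
    released, suppressed = [], 0
    for r in records:
        quasi = generalise(r)
        if group_sizes[quasi] < k_min:
            suppressed += 1
            continue
        released.append({"pid": pseudonymise(r["nhs_number"], key),
                         "age_band": quasi[0], "area": quasi[1],
                         "sex": quasi[2], "hba1c": r["hba1c"]})
    return released, suppressed

if __name__ == "__main__":
    rows, withheld = prepare_extract(RECORDS, SOURCE_KEY)
    print(rows, "withheld:", withheld)
```

A plain unkeyed hash would not serve here: an NHS number is only ten digits, so every possible value can be hashed and matched against the extract.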
16. Other means of using personal
confidential data
• Patient consent
• Express informed consent of patient
• Suitable for research such as clinical trials
• Not suitable for use of large quantities of data as would be
needed for algorithm development
• Section 251 NHS Act 2006
• Confidentiality Advisory Group of Health Research Authority
will recommend authorisation of use of personal confidential
data on case specific basis if no way of progressing a
valuable project without it
17. Processing data overseas (including
use of cloud)
• Many NHS standard contracts will specify that data
cannot be stored outside England/UK/EEA
• Not a requirement imposed by law, as such transfers of
data lawful provided permitted means under DPA utilised
• Reflection of risk-averse nature of NHS economy
• Product easier to sell to NHS if data transfers overseas
limited
• Bear in mind that if data are being processed with the
intention that they will be accessed remotely from overseas,
this is still an export of data
18. Security
• Major issue for NHS market
• Expect to have to explain level of security in some detail
• Back up with disciplinary policies – intentional breach of
confidence in NHS will lead to dismissal
• Be open to audit or arrange audit with reputable external
auditor whose reports will be shared
• Patient level data will need to have high level of security
assurance
19. Role of NHS IG Toolkit
• Every NHS organisation has to meet information
governance standards set out in the IG Toolkit in
order to be allowed access to NHS secure network
• For example, in relation to arrangements with third
parties, must have policies addressing:
• The types of third party that the organisation is likely to contract with;
• The types of information that each category of third party is likely to
require access to;
• How monitoring of the third party’s compliance with the information
governance controls will be carried out;
20. IG Toolkit continued
• The business continuity measures that will need to be in place within
both the organisation and the third party to ensure continued
performance of the contract;
• Training for the contracts staff in the organisation to ensure they have
knowledge of the controls to be built into third party contracts;
• Training for staff who work for the third party to ensure they are aware of
information governance requirements; what they can and can’t do and
who they should contact if things go wrong.
• How information incidents will be reported and managed;
• The type of information governance controls to be documented in the
third party contract.
• This is just one of the criteria required
21. Freedom of Information Act 2000
• All NHS bodies are public authorities under the FoIA and
so requests can be made for any information they hold
• Much greater transparency in contracts than in private
sector
• Expect information about your work to be put into public
domain
• Are exemptions, but beneficiaries of public funds must
expect transparency as a result
• Generally only ‘core’ sensitive information is protected
22. Changes coming
• GDPR – impact on all aspects of the use of
personal data
• Requirements to demonstrate consent tightened
• Regulatory framework strengthened – fines of up
to €20 million or 4% of global turnover for breach
• However impact on use of data in NHS likely to be
limited as NHS rules already considerably beyond
DPA requirements
23. Changes coming
• Legislative change following ‘Caldicott 3’
• Right to ‘opt out’ secondary uses of patient data
(but note – no opt out for the use of anonymised
data)
• Introduction of criminal offence of combining
anonymised data with other sources so as to
render data identifiable
24. Getting it wrong
• ICO penalty notice HCA International Limited (23
February 2017)
• Unencrypted transfer of recordings of IVF clinics for
transcriptions to country outside EEA
• Transcripts put on unsecured server and discoverable via
internet search
• No security checks or specifications in contract
• Penalty of £200,000
25. How to develop your app
• Make sure your team are aware of the IG
framework used by the NHS at the outset
• There is no use in your team developing
functionality that is not based on a permissible use
of NHS data
• Speak to the NHS – while there is no one body
that represents NHS organisations (so no contract
will ever be with ‘the NHS’) there are specialists in
this field – in particular NHS Digital
26. How to develop your app continued
• NHS Digital keen to support products that are likely to develop savings
for NHS
• Online resources - http://developer.nhs.uk/
• Further reading
• Confidentiality: NHS Code of Practice
• GMC – Confidentiality: good practice in handling patient
information
• ‘Caldicott 3’ – National Data Guardian for Health and Care
Review Data Security, Consent and Opt-Outs
• Information Governance Alliance