The UK government has invited firms to apply for funding to carry out studies and research into how the National Healthcare Service (“NHS”) can overcome data privacy challenges, including how to comply with the requirements under the EU General Data Protection Regulation (“GDPR”), whilst allowing private companies to use its data for the development of digital technology solutions in the health sector.
The competition, which closes on October 31, 2018, gives UK-based small and medium-sized businesses the opportunity to apply to have up to 70% of their project costs met by a grant from the Digital Health Technology Catalyst (“DHTC”) or Innovate UK (a new body which works in partnership with universities, research organisations, businesses, charities, and government). Up to £9m of funding is being made available in this current round (up to £1m for feasibility studies, and up to £8m for collaborative research and development projects) which is part of the UK government’s longer term strategy to increase the use of digital technology, particularly artificial intelligence, in the NHS in order to achieve efficiencies and improve patient outcomes. The UK government recognises that many digital health innovations are reliant on the use of data, including personal information and health records of individual patients, and that it has strong duties to protect these data and mitigate the risks associated with managing, sharing and exploiting data, particularly in light of the introduction of the GDPR.
The NHS database is widely considered to be one of the most comprehensive sets of health data in the world and many large private firms, particularly from the US, want access to it. The sharing of the data with the healthcare industry promises a much-needed cash boost for the NHS but it also presents a number of issues with regard to ensuring that patient data are properly protected and kept secure. Accordingly, the DHTC is a £35 million fund that will be deployed over 4 years to help address challenges that were identified in the 2016 Accelerated Access Review, including how to keep patient data that are shared by the NHS with private companies safe, and also how to ensure that the NHS is fairly rewarded by those companies for the benefits they receive from access to such data.
A number of solutions have already been proposed. For example, British think-tank Reform suggested in its January 2018 report “Thinking on its own: AI in the NHS,” that NHS data should be pseudonymised, meaning that direct personal identifiers within the database should be replaced with artificial ones so that the identity of the individual cannot be ascertained without looking at additional information which is held separately. Pseudonymisation is explicitly recommended in the GDPR as a way of significantly reducing the risks associated with data processing and complying with the GDPR’s requirements for the safe storage of personal information, whilst maintaining the utility of the data for analytical purposes (see, for example, Article 6(4)(e) of the GDPR).
Also, in September 2018, the UK government published a draft code of conduct for data-driven health and care technology, which sets out 10 principles for all organisations that have access to NHS data and systems to follow, including being transparent about what data are being used, being able explain to a lay member of the public why the data used were needed, and completing a new Data Security and Protection Toolkit to provide assurance that the organisations are practising good data security and that personal information is handled correctly.
Applicants to the competition will be interviewed over the coming months, and a final decision made in January 2019.