Health data regulation is messy, and we think it’s time to talk about the elephant in the room. If we want to foster an innovative healthtech ecosystem in the UK, UK policymakers should act now to cut bureaucracy and streamline health data governance.

The confusion around health data stems from one fundamental issue: there are two regulatory regimes governing the use of health data that are inconsistent with one another, but nevertheless overlap:

on the one hand, there is the traditional healthcare regulatory framework. This includes the common law duty of confidentiality (which may apply to patient data), clinical trial legislation and the regulation of medical devices and pharmaceuticals.

separate to that, there are legal concepts which have been traditionally applied to regulating big data and big tech. These appear in data protection legislation like the GDPR (and now, the GDPR as incorporated into UK domestic law) - the GDPR employs concepts like data controllers and data processors. However, these concepts don’t quite work in the life science industry, and there is a reason for that – they have been developed and cultivated totally outside the healthcare context.

In our open letter to UK policymakers, we urge policymakers to consider key areas of overlap and confusion:

the different thresholds for anonymisation: developers and researchers often request access to 'anonymised' datasets in order to develop (for example) a new AI algorithm with a diagnostic function, or as part of a registry-based study. The problem is that thresholds for anonymisation between the GDPR and the common law duty of confidentiality are very different. We constantly see innovators and NHS organisations get this issue wrong because they conflate the 'confidentiality' standard for anonymisation with the 'GDPR' standard. Policymakers need to address this confusion.

consent, legal bases and the messy intersection between the GDPR and the common law duty of confidentiality: we urge policymakers to dispel the notion that GDPR consent is the ‘gold standard’ in the life sciences industry. We see that innovators lean heavily on GDPR consent, conflating the requirement for consent in other contexts (such as under the common law duty of confidentiality) with GDPR legal bases for processing. They mistakenly believe that they require GDPR consent in order to use personal data throughout the product lifecycle, such as for post-market surveillance, clinical follow-up or scientific research. As a result, they are reluctant to maximise the use of their datasets, given that often, GDPR consent has not been obtained. Innovators do not appreciate that alternative (and potentially less onerous) legal bases are already available to them under the GDPR – innovators are just in need of guidance and clarity that they can use these alternative grounds for their selected purposes.

The volume of soft guidance is growing exponentially in the health data sphere, but we urge policymakers to focus on streamlining guidance. 

Policymakers should consider the full depth of regulatory regimes that apply to health data in the UK from the outset. The piecemeal approach of considering confidentiality, data privacy and product regulation in isolation is not working - it is creating a complex web of laws and soft guidance that is impossible for innovators to navigate. This is an opportune moment for regulators to create a harmonised, consistent regime for data-driven innovation in the life sciences industry. This is why we have contributed to the Goldacre Review, a review launched by the government this year to focus on the more efficient and safe use of health data for research and analysis. 

If you’d like more information on this, please read our full open letter to UK policymakers here.