The UK’s Department of Health and Social Care (“DHSC”) has published on 19 January 2021, an updated guide to the initial "Code of Conduct for Data-Driven Health and Care Technologies", (the "Guide").

Along the Code, the Guide provides guidance to NHS suppliers of what the NHS is looking for when it buys digital and data-driven technology for use in the health sector, so these principles can be built into the strategy and product development. This should make the procurement process more straightforward, as many of the criteria will already have been met. The guide consists of 12 principles of good practice (“Principles”).

The Principles

How To Operate Ethically
  • Suppliers must review the Data Ethics Framework and abide by the principles. The Framework can be found here.
  • Suppliers are responsible for ensuring people are properly informed why and when their data is shared so people can be reassured their data is used legally, fairly and equitably.
  • The key principles of the Data Ethics Framework are: respect for persons; respect for human rights; participation; and accounting for decision. 
Have a Clear Value Proposition
  • Suppliers must ensure that the product is designed to achieve a clear outcome for users or the system.
  • To get a clear value proposition, the best way is to research and define user needs thoroughly, and involve users through the whole life cycle of the product, including discovery, design, change and post-release review.
  • The next step is the generation of key performance indicators or other outcome measures that will be used to evidence success and identify potential improvements.
Usability and Accessibility
  • Suppliers must ensure that the product is easy to use and accessible to all users.
  • It is an expectation that suppliers will be able to demonstrate how they have designed and evaluated their product with users during every stage of the life cycle.
  • Health technology designers should consider the needs of a diverse set of users to ensure the product is accessible to as many people as possible.
  • All new health and social care digital services should be made internet-facing from day one and existing services should be upgraded to meet these standards as soon as possible.
Technical Assurance
  • Suppliers must ensure that the product is appropriately tested and is fit for purpose.
  • Digital health technologies should usually have the ability to roll back to a previous version, should any significant problems be encountered following an update. An appropriate Disaster Recovery and Business Continuity Plan should be in place.
Clinical Safety
  • Suppliers must ensure that the product is clinically safe to use.
  • Suppliers should give a copy of their DCB0129 hazard log and clinical safety case report to customers so they can carry out their duty of compliance with DCB0160, the companion standard. It is a requirement that all documents are approved by a Clinical Safety Officer (CSO).
Data Protection
  • Suppliers must demonstrate that the product collects, stores and processes users’ information in a safe, fair and lawful way.
  • Suppliers must be able to demonstrate that they are compliant with GDPR/ Data Protection Act 2018.
Data Transparency
  • Suppliers must be fair, transparent and accountable about what data is being used.
  • Suppliers must be transparent about the limitations of the data used, with assessment of data quality being checked continuously and taking into consideration the guidance on data quality from NHS England and the UK Statistics Authority.
  • Suppliers should consider the effect of linking data to mitigate adverse impact in data quality.
  • Suppliers must be transparent on the strengths and limitations of the training versus deployment data set. If the algorithm has been built on a training set and not yet deployed in a real-world clinical implementation.
Cyber Security
  • Suppliers must make security integral to the design and ensure that the product meets industry best practice security standards.
  • The Data Security and Protection Toolkit replaces the previous Information Governance Toolkit. All organisations that have access to NHS patient data and systems must complete the toolkit to provide assurance that they are practising good data security and that personal information is handled appropriately. The Toolkit can be found here.
  • Suppliers must ensure that the product meets all relevant regulatory requirements, and in particular any additional requirements where the product would be considered a “medical device” or “in vitro diagnostic tool”.
  • Suppliers must establish the classification as a medical device or in vitro diagnostic tool and follow the required regulatory conformance route required in light of the UK’s departure from the EU. Post-Brexit, the rules for putting a product on the market in the UK may remain very similar to the approach currently in place in the short term.
Interoperability and open standards
  • Suppliers must ensure that the product makes the best possible use of open standards to ensure data quality and interoperability.
  • If a technology needs to communicate with clinical systems to share data, it must comply with the relevant clinical, professional and technical standards. Details on the information standards can be found here.
Generate evidence that the product achieves clinical, social, economic or behavioural benefits
  • Suppliers which aim to create products for national recommendation or procurement, can have the product reviewed by The National Institute for Health and Care Excellence (“NICE”). The Evidence Standards Framework informs technology developers and evaluators about which types of evidence should be generated. The Framework can be found here.
  • A recommendation in NICE guidance is looked upon very favourably and described as the “gold standard”.
Define the Commercial Strategy
  • Suppliers must take into account the allocation of benefits when NHS data forms the basis of the commercial arrangements, based on their respective contributions, roles, responsibilities, risks and investment. If an NHS data asset is being used to the benefit of a technology developer, the NHS and tech developer must each undertake a comprehensive consideration of what constitutes ‘fair value’.
  • The DHSC has outlined five “guiding principles” to ensure that NHS stakeholders see a benefit from commercial arrangements involving NHS data.
  • The Guide notes that NHSX has set up the Centre for Improving Data Collaboration to facilitate partnerships between the NHS and industry and will provide commercial and legal support to NHS organisations entering into commercial agreements.
Dr. Nathalie Moreno

Dr. Nathalie Moreno

Partner, Commercial and Data Protection

View profile