Following the recent introduction of the Data (Use and Access) Bill in the House of Lords on 23 October 2024, the UK’s Health and Care sector may face significant changes to data security and data protection standards. The Bill aims to standardise the management of health and care data by introducing mandatory information standards for relevant IT providers within the sector.
The forthcoming standards would introduce provisions around interoperability, connectivity, and security, likely supporting the government’s broader push for a unified patient record.
The timing of these changes is notable. Health and Care has been one of the leading sectors for data breaches in the UK, accounting for over a fifth of all breaches in 2022-2023, according to the Information Commissioner’s Office (ICO).
The DUA Bill aims to mandate stronger protections around patient data, ensuring that health and care information is managed appropriately, and remains secure as digital transformation accelerates in the sector.
A key feature of the proposed legislation is the power given to the Secretary of State to oversee compliance and delegate monitoring functions, including the ability to issue public censure for non-compliance with these forthcoming standards.
Data protection professionals are carefully examining the implications of these changes and how they might impact current practices and existing systems.
Lawrence Carter, DPO and Life Sciences Sector Lead at The DPO Centre said,
‘It is unclear at this time how and where these proposed standards would slot into the existing framework for Health and Care IT providers. Whilst these standards may mark a positive step towards protecting sensitive health data, they might also place a substantial compliance burden on these organisations, especially smaller providers.
‘IT providers in this sector are already contractually required to complete the Data Security and Protection Toolkit (DSPT) which, from this year, mandates an independent DSPT audit. Also, from July 2025, IT providers in-scope of the DSPT must comply with a modified version of the National Cyber Security Centre’s Cyber Assessment Framework, posing a significant challenge for many smaller organisations.
‘In addition, IT suppliers have a myriad of existing obligations, including, where applicable: the requirement to comply with the DCB 0129 and DCB 0160 standards, the legal requirements relating to The Medical Devices Regulations 2002 (UK MDR), and other data protection and information security queries relating to procurement, tender, and due diligence processes, including the Digital Technology Assessment Criteria (DTAC) framework. It remains to be seen how these new health information standards will be woven into the current tapestry of requirements, or if they will replace some or all of them.
‘Regarding the Secretary of State’s proposed new powers, there is concern about how these censure abilities may be applied and monitored. If utilised inappropriately, such censures could risk damaging reputations unfairly. The perceived threat of such censure (essentially reprimands) could even have a ‘chilling effect’ and stifle innovation within the UK health technology space. Unlike established frameworks such as the DSPT or DCB, which have clear legal or contractual compliance consequences, the use of censure marks a departure from the black and white accountability approach of these existing standards.’
The DPO Centre is monitoring the progress of the Bill and will share updates as soon as new information becomes available.