Nigel Jones, ex Head of Legal at Google EMEA and co-founder of the Privacy Compliance Hub, on how health tech leaders can protect themselves from negative headlines that impact consumer trust and sales.
The health tech sector has grown at breakneck speed in recent years. With billions being invested in the latest bright idea, there are now more than 350,000 digital health apps, tracking everything from moods, fertility cycles and sleep, to fitness and diets and everything in between.
Health tech innovation will save lives and improve the health of citizens all over the world. But it relies on the analysis of patient data, and that comes with concerns about privacy.
The UK is somewhat unique because of the very large, diverse NHS dataset that it has at its disposal, spanning the entire British population, from cradle to grave.
Analysts estimate that realising the value of that data could be worth almost £10bn per year, thanks to operational savings and improved patient outcomes.
But despite efforts to realise that value – by the NHS, other public bodies, and HealthTech startups – data sharing is still very fragmented, limited by bureaucracy and a lack of public confidence. A survey by Accenture, for example, found that 55 per cent of respondents said they did not trust tech companies to keep their digital health record secure.
Faced with such challenges, here’s how HealthTech providers can ensure privacy boosts innovation and growth, rather than hinders it:
HealthTechs rely on users sharing their data, but that requires a great deal of trust to be built and sustained. Be transparent about how the data you’re collecting will be used, who it will be shared with, how long it will be kept for and the rights users have under the UK’s General Data Protection Regulation (UK GDPR).
This information must be provided at the point the data is obtained, and written in clear, accessible language, not hidden under layers of legalese. It’s also a good idea to involve users through advisory boards or forums so they feel there’s an open communication channel to share concerns or ideas with the business going forward.
Minimise the data collected and shared
If you keep the amount of personal data you process to a minimum, it’s easier to protect it. Map the data you’re collecting and ask yourself whether all of it is essential for your service. What is your legal basis for using that data?
If it is ‘consent’, do users have a choice about whether or not to participate, and are they able to withdraw that consent? Make sure that any information you do send outside your business is only shared with safe organisations. You need to consider asking external businesses to complete a risk assessment questionnaire and you must sign an appropriate agreement.
Don’t allow mission creep
Once a user has been told what their information will be used for and the legal basis for doing so, startups should not change those parameters at a later date. Recently, one crisis text line for urgent mental health support gave third-party researchers access to millions of messages, despite promising never to do so.
And last year, the Information Commissioner’s Office (ICO) began investigating claims that at least one large Covid-19 testing company included a notification – buried in extensive terms and conditions – that it could retain its clients’ DNA information to share with external researchers. Such steps may be unlawful under the UK GDPR and damage the trust built between a health tech startup and its users.
According to the ICO, the healthcare sector is a popular target for cyber criminals, reporting more data breaches in 2020/21 than any other industry. Medical data is thought to be attractive because attackers believe they are more likely to be paid, given the sensitivity of the information at risk.
Garmin, for example, is thought to have paid $10 million to free its systems in 2020. Make sure your security controls are robust, backed by regular training for employees. Four in 10 customers say they’ll never return to a business after a security issue.
Create a culture of continuous privacy compliance
Everyone in the organisation has a responsibility to safeguard privacy, from sales and marketing and customer service, to HR, IT and executive teams. Privacy is not a one-time project that can be ticked off and forgotten about.
The aim is to create a culture of continuous privacy compliance where every team member understands privacy, cares about it and does their bit to protect it. It then becomes second nature to ask, at every stage of developing a product or service: what does this mean for privacy, now and in the future?
Privacy doesn’t have to stop health tech companies from achieving great things. With the right approach, you can build long-lasting relationships with your users based on trust, insight and respect.
Nigel Jones is the co-founder of The Privacy Compliance Hub, a no-nonsense platform created by two ex-Google lawyers that makes compliance easy for everyone to understand and commit to.