Overview of the Data (Use and Access) Bill 2024-25

Overview of the Data (Use and Access) Bill 2024-25 and information standards for the NHS and for IT providers supplying IT systems to the health and social care sector

The Data (Use and Access) Bill 2024-25 (“the Bill”), currently in the final stages of being reviewed, proposes significant changes to how data is accessed and used across the NHS and adult social care services in England.

This article discusses the potential implications for health and social care IT system requirements if the Bill is enacted, and outlines the Bill’s background, objectives, proposed amendments to the information standards for health and social care, and contractual considerations.

Schedule 15 of the Bill introduces mandatory information standards for the healthcare sector, requiring IT providers, services, and systems to align with uniform standards that enhance data interoperability, improve patient outcomes, and streamline processes across health and social care in England.

Background and aims of the Bill

The Bill is similar to previous Bills introduced under the Conservative government, the most recent being the Data Protection and Digital Information Bill.

The main objectives of the Bill are to grow the economy, improve public services, and make people’s lives easier.

The Government has recognised the benefit of IT systems being designed to facilitate data sharing across platforms. The Bill aims to assist in building “an NHS fit for the future” by improving clinical outcomes, speeding up the delivery of care, reducing data duplication, and enhancing patient safety by making information standards mandatory for IT service suppliers in the health and care system.

The same principle, that IT systems should be designed to facilitate data sharing, can also be seen in NHS England’s promotion of the Federated Data Platform (FDP), a data-sharing platform aimed at enabling seamless data exchange between NHS organisations to improve collaboration and patient care.

Proposed amendments

Information Standards for IT Services

S250 of the Health and Social Care Act 2012 (“the Act”), as amended by the Health and Care Act 2022, currently enables the Secretary of State or NHS England to prepare and publish information standards. An information standard is a document that contains information processing requirements and guidance that must be followed by those providing health services or adult social care in England.

If enacted, the Bill will extend the remit of S250 of the Act by making it clear that information standards will also include standards relating to information technology and IT services. The information standards will apply to providers of IT services and information processing services. This will ensure that health and care data is uniformly recorded and managed, to help facilitate the sharing of data. Information standards may cover various aspects, including the design, quality, functionalities, and interoperability of IT systems.

Compliance and Enforcement

The Bill includes mechanisms for enforcing compliance. The Secretary of State can issue written notices to IT providers suspected of non-compliance, requiring them to meet the specified information standards within a set timeframe. We await further details as to the implications of IT suppliers not satisfying the timeframe included in the written notice.

Public censure of non-compliant providers is another enforcement tool included in the Bill.

Contractual considerations if the Bill is enacted

Information Standards

NHS England may prepare and publish information standards for IT services. These standards will be applicable to all public bodies and any private bodies (who are registered with the Care Quality Commission) in their provision of NHS services.

Review and Update Contracts

It would be advisable for healthcare providers to review and update their contracts with IT suppliers to incorporate the new information standards mandated by the Bill. By embedding these standards into contractual agreements, healthcare providers can ensure that IT suppliers are contractually obligated to comply with the legislation. This approach not only aligns suppliers with legal requirements but also provides healthcare providers with a means to enforce compliance. In cases of non-compliance or breach of the Bill’s provisions by IT suppliers, healthcare providers will have the option to seek remedies under the terms of the contract, ensuring accountability and safeguarding their operations.

Consideration for Accreditation

The Bill affords the Secretary of State the right to make accreditation regulations. At this stage, it is unknown if regulations will be made. Nevertheless, consideration will need to be given as to whether any regulations have been enacted making provisions for the accreditation of IT services, and whether the IT provider needs to seek accreditation under the proposed accreditation scheme for IT and IT services. The criteria for accreditation and any associated fees should be clearly outlined within the contractual terms.

Data Protection Considerations

It is important to note that IT service contracts dealing with the handling of personal data must comply with the requirements of the Bill, as well as GDPR and the Data Protection Act 2018, to maintain lawful data processing practices. Legal advice may need to be sought to comply with these requirements.

Conclusion

The Bill represents a potentially significant step forward in modernising the NHS’s digital infrastructure. By implementing mandatory information standards for IT services, the Bill aims to support more efficient data sharing, improve patient safety, and enhance the overall quality of care. NHS clients and their IT suppliers will need to consider if contractual revisions are necessary to ensure compliance and capitalise on the legislation’s benefits.

Our legal team intends to draft a further article if the Bill is enacted. In the meantime, for further information or advice on the Bill please contact our legal team.