norm. data protection bulletin: 5th December 2022

ISO/IEC 27001 updated

The International Organization for Standardization (‘ISO’) announced, on 25 October 2022, that it had updated its standard ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection (‘ISO/IEC 27001’).

You can read the press release here and access ISO/IEC 27001 here.

Healthcare hot topics

New body to certify medical devices:
The Medicines and Healthcare products Regulatory Agency (MHRA) has appointed DEKRA Certification UK Ltd as a new UK Approved Body, increasing the UK’s capacity to process conformity assessments for medical devices and so ensure that safe and effective devices reach the UK public. DEKRA is the first body appointed since Brexit. It can now assess whether manufacturers and their medical devices meet the requirements set out in the UK Medical Devices Regulations 2002. The MHRA’s detailed assessment process is designed to ensure that any organisation wishing to certify medical devices is stable, is able to undertake impartial and objective assessments, has an appropriate quality management system in place to support it, has the resources to undertake the assessments, and has the processes and ongoing certification in place to meet the relevant regulatory requirements.

EU Health Data Space:
The European Parliament has published a briefing paper on the European Commission’s proposal for a regulation on a European Health Data Space (EHDS). The EHDS is possibly one of the EU’s most ambitious projects ever undertaken and could be transformative for EU healthcare. It is intended to be a system of rules, infrastructure and governance mechanisms to facilitate primary and secondary uses of electronic health data. The aim is to give European citizens, whether travelling or living abroad, access to the same healthcare they would have in their home country.

Framework for using structured healthcare data:
A team of researchers has proposed a best-practice framework to improve the integrity and quality of studies using structured healthcare data from electronic health records. They recommend that the CODE-EHR framework be used by researchers and clinicians to improve the design of studies and enhance the transparency of study methods. The framework was developed to give researchers systematic guidance on how to achieve appropriate governance and transparency, while also enabling stakeholders to be confident in the findings.

AI and healthcare:
In 2020, McKinsey co-produced a report with the European Union’s EIT Health to explore the potential for artificial intelligence (AI) in healthcare. The report’s authors found opportunities to use AI in healthcare operations, specifically diagnostics, clinical decision support, triage and diagnosis, care delivery, and chronic care management. The European Parliament has published a paper titled Artificial intelligence in healthcare. The paper’s authors recommended that risk assessment of AI should be specific to the area of healthcare, because the clinical risks vary between fields such as paediatrics. In September, Erasmus MC, University Medical Center Rotterdam, began working with health tech firm to launch its AI Innovation Centre for Medical Imaging. This programme will run for three years and will conduct detailed research into the detection of abnormalities by AI algorithms for infectious and non-infectious disease conditions. The researchers hope to understand the potential use cases for AI in Europe and to provide clinicians with guidance on best practices for adopting the technology for their specific requirements.

The Global Life Sciences market:
The biopharma industry is international, with the biggest life science companies operating in countries all over the globe. The global life science market was valued at $8.3 billion in 2021 according to Grand View Research. Both start-ups and large biopharma and biotech companies are expanding globally, meaning that there has never been more opportunity for jobs in the life sciences sector. The ongoing Covid-19 pandemic exposed the shortcomings of the existing, overburdened healthcare systems, thus driving the demand for analytical solutions. The top ten best locations for life science jobs today, taking into account each country’s revenue and innovations as well as the number of jobs available, include Boston, Munich, Paris, Singapore, London, Oxford & Cambridge, and Tokyo.

TikTok tells European users its staff in China get access to their data

As you may have seen in the news, TikTok has changed its Privacy Notice (policy) to make it very clear that data of its EU customers can be accessed by employees outside the continent, in particular in China. This reflects regulatory concerns about Chinese access to user information on the platform. (The other countries where user data could be accessed by TikTok staff include Brazil, Canada, China, Israel, Japan, Malaysia, the Philippines, Singapore, South Korea, and the United States.)

This change is no doubt connected to the fact that Ireland’s data protection regulator – which has jurisdiction over TikTok across the EU – has launched an investigation into “transfers by TikTok of personal data to China”.

The above suggests that if your organisation transfers personal data to China, or is considering doing so, that fact should be clearly ‘flagged’ in your Privacy Notice (policy), rather than referred to only indirectly by words such as ‘we may transfer your data outside the UK/EU’.

ICO to begin ‘naming and shaming’

On 2 November 2022 the Information Commissioner, John Edwards, gave a speech in which he referred to what he described as the ICO’s new strategic approach to regulatory action. This will involve the ICO making use of, and publicising, the full range of enforcement actions available to it. This includes not only fines, but also warnings, reprimands, compliance orders and limitation orders.

Apparently concerned about criticism that the ICO does not sufficiently enforce the UK GDPR, he said that there is nothing in the law that says enforcement must equal fines and that “Enforcement happens across a spectrum. Rather than being one thing, it’s a series of graduated responses to non-compliance”. He announced that, contrary to its previous practice, the ICO will publish all reprimands going forward (including reprimands issued from January 2022 onwards).

The idea behind this is that every regulatory action must be a lesson learned by others and play a role in behaviour change. It will be interesting to see what impact the ICO’s new approach has in practice on driving data protection compliance, given that public reprimands may expose organisations to significant reputational risks.
