12/08/2025
The new Data (Use and Access) Act (DUAA), which recently came into effect, makes several important changes to UK data protection laws. One of those changes likely to be of particular interest to health tech providers is the introduction of “Information standards for health and adult social care” (via an amendment to the Health and Social Care Act 2012).
The Secretary of State’s ability to introduce information standards is amended via the DUAA to include specific reference to a “…standard relating to information technology or IT services used, or intended to be used, in connection with the processing of information”. The definition of a “relevant IT provider” for the purposes of the envisaged standards is drafted broadly and includes providers of both IT devices and services.
As yet there are few details as to what the information standards might look like, but the Act envisages it may include provisions regarding:
- the design, quality, capabilities or other characteristics of such technology or services; and
- contracts or other arrangements under which such technology or services are made available.
It also envisages provisions in relation to the following topics: functionality; connectivity; interoperability; portability; storage of, and access to, information; and security of information.
In terms of ensuring compliance with the proposed information standards, the Secretary of State (either directly or via an appointed body) will be able to contact providers and ask them to provide evidence that they are compliant. The Secretary of State can also set steps that the relevant provider must take. If the Secretary of State suspects that a relevant IT provider is not complying, then it may publish a statement to that effect, effectively “naming and shaming” (though it will give prior notice and an opportunity for the provider to make representations).
The Act also envisages the establishing of a scheme for the accreditation of information technology and IT services so far as used, or intended to be used, in connection with health care or of adult social care in England.
These changes demonstrate the perceived importance of ensuring that data is flowing through the system in a safe and secure manner. In a statement the Government has outlined its intention that “Measures in the Act will ensure healthcare information – like a patient’s pre-existing conditions, appointments, and tests – can easily be accessed in real time across all NHS trusts, GP surgeries and ambulance services, no matter what IT system they are using. Enabling data sharing across platforms will save NHS staff 140,000 hours a year in admin, giving them more time to care for patients and make better informed decisions for them more quickly – speeding up diagnoses and treatments for the British people.”
Given that IT providers delivering services to the NHS are already subject to broad contractual obligations regarding issues such as interoperability, information sharing and information security, as well as functional specifications set by the NHS, it will be interesting to see what further requirements are envisaged to ensure that the stated aims are achieved in practice, over and above what is already being delivered.
If and when an accreditation scheme comes into effect, it seems likely that it will be referenced in the relevant contracts as part of the compliance/standards obligations which must be met (like the need to meet standards such as Cyber Essentials Plus). However, if such a scheme is not to function as a barrier to entry to the market for innovative new products, especially for smaller providers, then the scheme requirements will need to be carefully calibrated to provide for the right level of challenge (i.e. meaningful but not prohibitively difficult or expensive).
At this early stage it would seem sensible for relevant IT providers to keep an eye open for any public consultations to better understand, and potentially input into, the proposed standards. We have not yet seen any timetable specific to these changes (though we understand that the ICO has indicated that its consultations in respect of the DUAA more broadly are not likely to begin until late 2025/early 2026).
If you would like to discuss this, or any queries you may have regarding information standards more broadly, then please do get in touch.