On 5 April 2016 Osborne Clarke held the second event of a three-part series focused on the Internet of Things. The second event was dedicated to connected healthcare and the connected home; here is a summary of the discussion.
Connected healthcare and patient-led Innovation
Frazer Bennet, Technology Recruitment Manager at PA Consulting, started the discussion with some thoughts on connected healthcare. He described how connected health products provide potential solutions for today’s global challenges such as the aging population, rising costs of care, increases in long-term conditions and health care issues faced by emerging economies.
Frazer insisted that the successful use of technology to address these issues must put the patient first over the technology, data or doctor. He also explained that although there are great ideas out there for connected healthcare, the industry currently suffers from “pilotitis” – we are very good at running pilots but fail to scale and bring new technologies to market.
Frazer went on to draw upon some exciting examples of how technology is improving patient lives:
- a new baby sensor worn in a woolly hat that monitors a premature baby’s vital signs (heart and breathing rate) wirelessly – previously it was very difficult for doctors to hear a baby’s heart through a paediatric stethoscope due to background noise in the delivery room;
- a foetal heart rate monitor that is placed on an expectant mothers stomach and conveys data into the cloud so preeclampsia can be monitored remotely. This is transformational because it allows the mother to remain at home, being visited by a nurse, rather than spend weeks being monitored in hospital; and
- using the power of social networks to encourage patients with potentially fatal diseases to improve medicine adherence, increasing life expectancy.
Frazer also touched on the privacy, governance and regulatory challenges of connected health. He made the prediction that “connected medical devices will not be safe for the next 15 years, if ever”. There are a plethora of reasons for this, including the value of stolen medical data enticing theft, a lack of resources available to dedicate to security, and the pace of innovation – meaning hardware in many connected healthcare solutions is out-of-date before launch.
Jon Fell, Head of Telecoms at Osborne Clarke, highlighted that the connected home is nothing new, there have been aspirations of a connected home for decades. The first “real-life” connected home product was a slightly useless internet-controlled toaster in 1990. Jon asked why all the interest in the connected home and connected devices now? In part, the interest stems from increased regulation, such as the requirement for energy companies to install smart meters, but also it stems from better connectivity, miniaturisation, the love of the mobile phone app and plain old “getting used to it” by the consumer.
Research shows that the priorities for purchasing connected home devices change over time.
The initial priority is home safety (lighting, curtains, alarms and so on), followed by personal status (communications and entertainment), personal safety, personal heath, and finally personal medical status.
The IoT is also starting to help address the sensitive issue of care in the community in a culture where it is now common to live apart from elderly relatives and where community social care resources are increasingly scarce. Sensors can now be put in the home so that an elderly person can be remotely monitored, for example sensors can feed back into the cloud that Granny is awake, has put the kettle on, has taken her medicine, opened the fridge (i.e. had breakfast) or has even fed the cat!
Exciting as these developments are, five key concerns abound:
- ensuring that devices are secure, designed with security in mind and that users are educated on security risks;
- data ownership;
- interoperability of technologies and multilingual hubs;
- liability and regulatory issues around automatic contracting, product liability and discrimination; and
- making IoT work to the benefit of emerging economies.
Automatic contracting, data ownership, privacy and getting consent, remote monitoring
Lorna Brazell, an IP expert at Osborne Clarke, explained that protecting rights in data from the IoT is a challenge: there are no intellectual property rights in data itself. It cannot be stolen and a lien cannot be asserted over it. Data can be protected by confidentiality only if it has the necessary qualities to make it so. No one can own the data so there needs to be clear contractual obligations setting out each party’s rights and obligations.
There is another interesting question about how this new connected landscape can fit into the confines of contract and consumer law. For example, can a machine contract with a supermarket to order new products when it is running low? Can a building or care home manager contract on your behalf? Will disclaimers/exclusions be enforceable? Will the usual contract remedies apply, for example could an automatically contracted agreement be voidable? The law must evolve to fit these new scenarios. In the meantime, contracts must ensure transparency for the individual, limits on the authority of machines/third parties to contract on the individual’s behalf, the right to withdraw consent and privacy safeguards.
Emily Jones, a partner in Osborne Clarke’s data team, delved into the huge topic of privacy and the security of the data used and generated by the IoT, and particularly by connected health and connected home devices. The adoption of robust data protection measures can determine the success or failure of a product because, as people become increasingly privacy savvy, it will impact individual’s decisions about whether to use a new piece of technology and the reputation of the business.
Key challenges are:
1. Ensuring personal data is processed fairly and lawfully in accordance with the Data Protection Act 1998: obtaining an individual’s consent to data processing, unless other legitimate grounds for processing can be relied on (such as if the processing is necessary to perform a contract).
2. Processing health data which is sensitive personal data: this data must be processed more carefully and, in particular, express fully informed and specific consent of the individual is required.
3. Data quality and retention: personal data must be accurate and up-to-date and kept for no longer than necessary for the purpose for which it was first collected.
4. Data minimisation: the data controller should only collect personal data which is needed for its purpose and not excessive.
In order to comply with the DPA (when processing personal data collected from connected devices) it is advisable to map out the relevant data flows to understand how the product is used and data collected. Best practice is to carry out a privacy impact assessment to ensure privacy by design; use clear and simply privacy statements to ensure transparency at the point of collection of the personal data; and to identify and allocate appropriate roles and responsibilities to any data processors.
Emily finished by briefly explaining how data protection law is being reformed and what businesses can expect when the new General Data Protection Regulation comes into force in 2018.
The third and final instalment of the Internet of Things series will focus on security by design and will be held on 19 May 2016. Register your interest here .