The NHS SBS Healthcare AI Solutions Framework and the importance of data protection.
- Joe Stock

- 16 hours ago

The NHS SBS Healthcare AI Solutions Framework is a framework for health AI companies, closing on 21 July. Data protection plays a key role throughout the tender, which highlights the importance of having the right governance in place for successful NHS adoption.
Having a privacy notice, completing the Data Security and Protection Toolkit (DSPT), and having some policies and procedures in place are no longer enough on their own.
Your data protection governance comes into play across the following areas:
1. Project required standards – pass/fail
2. Conditions of participation
3. Qualitative questions
4. If successful, NHS SBS will request further information ‘to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and to ensure the protection of the rights of data subjects’
The requirements vary depending on the lot being bid for. The core standards are consistent – including Data Protection Officer (DPO), DSPT, Digital Technology Assessment Criteria (DTAC), and Data Protection Impact Assessments (DPIAs). Putting these in place will support points 1 and 2, but points 3 and 4 require something more: working, operational governance, not just evidence artefacts.
Key questions include how information risk is managed in practice. How are policies actually implemented? How do you ensure they are followed and remain relevant as your product and organisation evolve? How do you evidence that your privacy by design and default approach is operational, and feeds into your DPIA process?
That move from start-up to scale-up governance is often what underpins strong qualitative responses.
This becomes even more important in the context of health AI. How does your AI lifecycle align with data protection law? What controls and safeguards are in place to minimise risk to individuals, particularly when using identifiable or sensitive health data?
Iniver supports health AI and digital health companies with data protection and information governance, particularly in NHS and public sector environments.
Iniver is led by Joe Stock, a data protection professional with 14 years’ experience working in health and care environments. In 2021 he completed his Masters in Information Rights Law and Practice, with a dissertation focused on the lawful use of health data in the development and deployment of AI.
If you are preparing a submission to the NHS SBS Healthcare AI Framework and need support with this aspect of your bid, you can reach out at hello@iniver.co.uk.
Looking to outsource your DPO? Read our guide to picking the right supplier here
At Iniver we offer a 'Full-Service' Outsourced DPO, born from the complex health and healthtech sector. Find out more about our offering here
We also have specific packages for start-ups and scale-ups to meet financial and operational needs.
Start-Up: https://www.iniver.co.uk/start-up
Scale-Up: https://www.iniver.co.uk/scale-up



