Digital Healthcare 2025

UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS

regulation, MHRA-specific interpretations of the guidance will possibly be seen in the future.

2.2 Laws and Regulations

Key laws and regulations applicable to digital healthcare in the UK are set out below. Please note that, as set out in 2.1 Definition Of Digital Healthcare, the applicable regulatory requirements differ between GB and NI.

The Medical Devices Regulations 2002 (MDR (GB))

These regulate medical devices, including software as a medical device (SaMD). The MDR (GB) is based on the previous EU Directives. Following Brexit, the UK government adopted the Medicines and Medical Devices Act 2021, which enables a comprehensive reform of the framework legislation for medical devices and human medicines. The government has set out a roadmap for this reform; the first piece of legislation for the new framework was introduced in 2024 and covers post-market surveillance. The reform is ongoing, and further statutory instruments are expected in the coming months.

The EU Medical Device Regulation (2017/745) (EU MDR) and the In Vitro Diagnostic Medical Device Regulation (2017/746) (IVDR)

The EU MDR and IVDR are still applicable in NI, as a result of the Northern Ireland Protocol and Windsor Framework, as mentioned in 2.1 Definition Of Digital Healthcare. The Medical Devices (In Vitro Diagnostic Devices etc.) Amendment Regulations 2024 also came into force on 21 March 2024 and introduced provisions required for implementing the IVDR in NI. These include:

• penalties, powers to impose enforcement notices and an amendment to extend the civil sanctions regime;
• appointment of the Secretary of State as the authority responsible for notified bodies in relation to the IVDR; and
• the requirement for performance study sponsors to apply to an ethics committee for an ethical review.

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

These require providers of certain health or social care services in England and Wales, including telehealth/telemedicine, to register with the CQC and comply with specified quality standards.

Data Protection Laws

If the personal data of users/patients is processed using digital health software, any such processing must comply with the data protection law in force in GB. For NI, if a business in NI processes data in the context of offering goods or services to individuals in the EU, it may also be subject to EU data privacy legislation.

The UK General Data Protection Regulation (UK GDPR)

The UK GDPR is a retained version of the EU GDPR, with some UK-specific amendments. It governs the processing of personal data, including health data, and imposes requirements for lawfulness, fairness, transparency and security.

The Data Protection Act 2018 (DPA)

This supplements the UK GDPR and sets out additional requirements for the processing of special category data, including health data (Article 9 UK GDPR).

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)

These impose specific requirements in the context of marketing, cookies, keeping communications secure and customer privacy. The PECR
