ABSTRACT

The NHS Code of Conduct for Data-Driven Health and Care Technology is the culmination of a long series of consultations and deliberations aimed at embedding a standard-setting framework that mobilises and guides key stakeholders when sensitive personal data is processed in dynamic and complex healthcare settings. The problem with this framework is that only some of its proposals and principles reflect a full appreciation of the nature of the standard-setting role of data protection law in regulating risks and structuring decision-making processes. This chapter explains why the current framing of risks and decision-making processes by the Code of Conduct introduces additional complexity and uncertainty into healthcare contexts. These shortcomings manifest themselves in problems of fairness, transparency and accountability that can only serve to hinder the rapid pace of innovation in healthcare and undermine patient safety and trust. The accompanying problems serve as a timely reminder that data protection law should not be viewed restrictively as a set of rules but as a governance framework that enables people and organizations to shape their practices to the governance of rules against a dynamic environment of complexity and uncertainty. Highlighting these aspects has important policy and practical implications for those engaged directly or indirectly with the provision of health and care services.