Australia’s medtech sector has experienced rapid growth over the last decade, with a recent focus on digital health, connected devices and artificial intelligence. Frances Wheelahan, Partner and Suman Reddy, Senior Associate at Corrs Chambers WestGarth provide their insights into the key legal issues for MedTech Startups.
What are the proposed changes to the classification rules for SaMD (Software as a Medical Device) and why have they been put forward?
Technology has evolved and diffused dramatically since the last major overhaul of the Australian medical device regime which occurred in 2002. The changes to the Therapeutic Goods Act 1989 (Cth) (the Act) and the introduction of the Therapeutic Goods (Medical Devices) Regulations 2002 (Medical Devices Regulations) were intended to provide a best practice regulatory regime which harmonised Australia’s requirements for quality, safety and performance with the higher standards enforced in Europe at the time.
However, Australia’s medical device regulatory framework has not kept pace with the advances in information and communications technology which now underpin the focus of medtech innovation – particularly the development of standalone software and integrated technology platforms which can be used to diagnose or treat disease.
Given this, the Therapeutic Goods Administration (TGA) is poised to recommend the introduction of new regulations to govern SaMD. One of the most significant proposed changes will be the requirement to properly classify SaMD according to risk, in contrast to the present situation which results in all SaMD being properly classified as Class I (i.e. the lowest risk classification of device), regardless of actual risk. This is because the current classification rules only consider the possible harm caused by a physical interaction of a medical device and a human.
The proposed changes to the rules will result in SaMD which is used directly in diagnosis or therapy being classified as Class IIa to III devices, both for new applications and for existing registrations. The only SaMD to remain as Class I would be lower risk software which directs patient activity based on a non-interactive intervention. This will align with international approaches, for example in the European Union, where rules for higher classifications have already been introduced. However, this will have a dramatic impact on the time and costs involved in registering (or maintaining the registration of) the SaMD on the Australian Register of Therapeutic Goods (ARTG). Medtech companies should review the proposed classification scheme in anticipation of the increased regulatory scrutiny which is likely to be imposed.
Could you provide some insights into what this means in regards to cyber security?
For any medical device to be included on the ARTG, the manufacturer must demonstrate compliance with the ‘Essential Principles’ contained in the Medical Devices Regulations. The Essential Principles require the minimisation of risks associated with the design, long-term safety and use of the device, which implicitly includes minimisation of cyber security risks.
However, the Essential Principles currently do not refer specifically to SaMD. This is a recognised gap, and one which the TGA plans to address by recommending changes to the Essential Principles to include clear and transparent requirements for demonstrating the safety and performance of SaMD and other regulated software. Proposed requirements include:
- any cyber security risks associated with network connectivity be minimised;
- that software be designed and produced using best practice software engineering principles;
- best practice cyber security principles be used regarding the risk of unauthorised access to the device; and
- medical devices be designed to facilitate software updates, and information about the clinical risk of an update is provided to the user.
Again, the proposed changes to the regime will necessarily involve additional effort and cost for manufacturers to systemise development and production practices, and document the evidence for assessment. The TGA also notes that in some cases, new quality management and development practices may have to be put in place to demonstrate compliance.
Could you expand on what the new penalties are under the Privacy Act?
All Australian companies (with limited exceptions) must comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) when dealing with personal information. The APPs contain higher standards when dealing with health information.
Breaches of the APPs are subject to hefty penalties – up to A$2.1 million for the most serious and repeated breaches. However it is likely that these penalties, together with the OAIC’s enforcement powers, will be increased significantly in the near future. The Australian Government has proposed these amendments to substantially strengthen the enforcement regime and align our legal framework more closely with the European GDPR.
The proposed amendments will increase the maximum penalty for entities subject to the Privacy Act to the higher of:
- A$10 million for serious or repeated breaches;
- three times the value of any benefit obtained through the misuse of information; or
- 10% of a company’s annual domestic turnover.
The draft legislation is due for consultation before the end of 2019.
How do these changes affect the issue of consent in relation to collecting data for the purpose of machine learning?
Medical technology is increasingly incorporating elements of machine learning which relies on continuous data analysis to “train” the algorithm to become more accurate over time. However, given the privacy constraints around secondary uses of health information, consent to the use of such data for machine learning purposes must be obtained from individuals. Data could be de-identified for this purpose, however it may be argued that the process of de-identifying data is itself a “use” of data which requires consent under the APPs.
Medtech companies should both identify how they need to use the data they collect, and consider the potential ways in which they might plan to use that data in the future, and ensure that they have obtained the required consents to enable those uses.
Under the Privacy Act, APP 1 requires that a company make available a well drafted privacy policy. In addition to that, medtech companies may wish to develop a “white paper” which provides some further details about the company’s data handling and cyber security practices so that it is clearer and more transparent to potential customers and individuals how their data, and particularly personal information, will be collected, used, stored and disclosed. A privacy policy may deal with this to some extent, however, it is not a legal requirement to describe a company’s data protection practices in any detail in such a policy. A white paper can be a good way to provide comfort to consumers of technology that personal information will be handled safely and appropriately.
Finally, how does the abolishment of the Innovation Patent System play a role in relation to Medtech companies?
Legislation currently before the Australian Parliament – the IP Laws Amendment (Productivity Commission Response Part 2 and Other Measures) Bill 2019 (Cth) (Bill) – will, if passed, have the effect of abolishing Australia’s innovation patent system. The innovation patent system provides second tier patent protection of eight years for innovations, as opposed to the 20 year protection for patentable inventions.
The innovation patent system was introduced in 2001 to protect incremental technological developments by Australian small and medium sized enterprises and has been used effectively in the medical device space.
Under the Bill, those who have already obtained or applied for innovation patents will (if the Bill is passed) continue to be able to enforce them. In addition, for a period of 18 months from the Bill receiving royal assent, it will still be possible to apply for innovation patents. After this ‘grace period’, no more applications will be accepted.
Medtech companies who wish to apply for innovation patent protection should try to obtain these key enforcement tools while they are still available.
If you would like to hear more insights about legal issues concerning health and technology, consider attending Health & Life Sciences: Technology & the Law
Frances Wheelahan specialises in transactions and advice related to the ownership, procurement, commercialisation and other dealings with intellectual property and technology. Fran advises on a range of related regulatory compliance areas (including franchising, data privacy, data breaches, therapeutic goods, food standards and export of dual use technologies). Her clients include some of the world’s largest companies, particularly in energy and resources, infrastructure and engineering as well as the food and health industries, universities, hospitals and research institutes. She is also actively involved in the support of the start-up sector and has dual qualifications in Law and Science. Fran is a member (and former committee member) of the Licensing Executives Society. You may connect with her via LinkedIn 
or email
A commercial lawyer who specialises in all aspects of technology and intellectual property law, Suman Reddy’s expertise includes privacy and data protection, general commercial law, mergers and acquisitions and medical technology regulation. He regularly advises leading multi-national and Australian companies on all manner of technology procurement and supply arrangements (including AI platforms and medtech), complex data and privacy issues, technology licensing and commercialisation, IP protection, media agreements and general commercial arrangements. Suman obtained a science degree and worked as a clinical consultant in the medical device industry for more than five years before becoming a lawyer, and has a particular interest in medtech and the health sector. Suman also has significant experience advising government, having worked for the Commonwealth Department of Innovation on legal and policy issues before entering private practice. You may connect with Suman via LinkedIn or email
