Health Data Is the New Oil – But Who Owns It?

The past five years have seen an explosion in digital health innovation. From AI-powered diagnostics to genome sequencing and remote monitoring apps, healthcare in the UK is being redefined not just by medical progress, but by how personal health data is collected, processed, and commercialised. In this data-rich ecosystem, the question of legal ownership is becoming increasingly urgent — and surprisingly ambiguous.

The UK GDPR treats health data as a special category of personal data, subject to stricter conditions for lawful processing. But beyond compliance, a deeper issue lurks: who truly owns this data? Patients often assume it belongs to them. Tech companies argue that the models and platforms they build create new value independent of any one individual. Meanwhile, the NHS — the steward of perhaps the most valuable dataset in the country — must navigate between public trust and public-private partnerships.

At John & Partners, we’ve seen a marked increase in clients — particularly healthtech startups and life sciences ventures — wrestling with these questions. Many assume that consent is a universal shield, but in reality, consent in healthcare data is fragile, context-sensitive, and difficult to maintain across the lifecycle of a product. A patient consenting to share data with their GP isn’t necessarily agreeing to have it used for machine learning development or commercial licensing down the line.

Cross-border data transfers add further complexity. Healthtech companies with US-based servers or multinational research collaborations must tread carefully, especially post-Schrems II, where adequacy and contractual safeguards can shift rapidly. The line between patient data and anonymised research inputs is often blurred, and regulators are becoming more assertive in challenging assumptions of ‘non-identifiability’.

In the UK, regulatory clarity is evolving, but not quickly enough to match the speed of innovation. The ICO’s guidance on anonymisation and pseudonymisation is a step in the right direction, but it’s only one piece of the puzzle. Life sciences companies must also navigate MHRA requirements, NHS Digital standards, and the ethical review landscape — each with its own expectations about data use, consent, and public benefit.

This lack of legal clarity around health data ownership is not just a compliance issue — it’s a business risk. Investors are increasingly asking difficult questions about data provenance, portability, and long-term licensing rights. Products built on unstable data foundations risk commercial failure or regulatory intervention. Conversely, companies that embed legal discipline into their data strategies from day one are building not just products, but defensible assets.

Healthcare is moving into an era where data will define value more than devices, patents, or even clinical outcomes. As this shift accelerates, legal frameworks must evolve in tandem. At John & Partners, we believe that robust data governance isn’t a brake on innovation — it’s the runway.

📩 For advice on healthcare data strategy, contact Neha Kapoor at John & Partners.