Skip to main content

BETA This is a new service - your feedback (opens in a new tab) will help us to improve it.

Adopters - All adopters' guidance

List of all the guidance and regulations that apply to adopters of digital technologies in health and social care.

Loading sections...

Identifying the problem list
Steps to consider Why is it important? Guidance type
Are digital technologies the right solution to your problem? You need to assess whether digital healthcare technologies or AI are the right solution to the problem you are trying to solve. There may be a simpler solution. Best practice

Assessing the right technology to use list
Steps to consider Why is it important? Guidance type
Complying with NHS Digital clinical risk management standards Once you are satisfied with the evidence, if you still want to adopt a digital technology on behalf of the NHS, you need to first meet the safety standards set by NHS Digital. Required
Understanding the evidence for a technology before adopting it When deciding whether to adopt a digital healthcare technology, you need to review the evidence and make sure you understand it. Best practice
Thinking about whether a medical device will meet your needs You need to think about whether the medical device is fit for purpose and likely to meet your needs before deciding whether to adopt it. Best practice

Planning for implementation list
Steps to consider Why is it important? Guidance type
Understanding how the Care Quality Commission (CQC) regulates services If you provide a regulated health or social care activity in England, you are legally required to register with CQC. You need to understand which regulations you must meet and whether an application is required. Required
Complying with Ionising Radiation (Medical Exposure) Regulations (IR(ME)R) The CQC enforces the Ionising Radiation (Medical Exposure) Regulations (IRMER). If you will be using ionising radiation, you need to understand and comply with these regulations to protect patients from risk of harm. Required
Planning for local validation and integrating a digital technology It is important to integrate and validate digital healthcare technologies before deploying them in a health or care service. Adopters should plan for this during procurement, in liaison with the developer or vendor. Best practice
Piloting digital technologies in a health or care service Before deciding whether to adopt a digital healthcare technology, you may need to pilot it in your service. Best practice
General staff-training and product-specific user training There are 2 levels of training adopters need to consider regarding digital healthcare technologies: general training for all staff so they understand how to implement, use and govern technologies and product-specific user training so they can use specific technologies. Best practice

Using the technology list
Steps to consider Why is it important? Guidance type
Understanding post-market surveillance of medical devices Post-market surveillance of medical devices is the legal responsibility of the developer. But it is important for adopters to understand and support post-market surveillance of medical devices. Required
Monitoring safety and effectiveness of digital technologies It is important to monitor digital technologies once deployed, as they contain algorithmic systems and models. These models may be affected by changes in the external environment. This can result in ‘model drift’ in which the model’s performance and accuracy reduces over time. Required
Reporting safety issues about medical devices to the MHRA Adopters should report safety concerns about medical devices to the MHRA via the Yellow Card reporting site. Best practice
Managing changes to medical devices after adoption Managing changes to medical devices is the legal responsibility of the developer, but adopters support developers in these processes and are required to follow the clinical risk management standard. These help make sure devices stay safe and effective. Best practice
Meeting your public sector equality duties Public bodies should consider the public sector equality duty when thinking about whether to use digital healthcare technologies. This also applies to any digital healthcare technologies that public bodies are already using or that others are developing or using on their behalf. Required
Planning for managing legacy systems and decommissioning A legacy system is an outdated or unsupported technology that is still in use. It is important to plan for managing legacy systems and decommissioning before deploying a digital healthcare technology. Adopters should do this planning during procurement, in liaison with the developer or vendor. Best practice

Regulations that govern the use of data list
Steps to consider Why is it important? Guidance type
Data regulations for digital technology in health and social care: a guide An introduction to the data guide for adopters who need to know what legal requirements govern the use of this data. Required
Understanding types of health and care data Two types of health and care data can be distinguished to help you determine when the relevant legal and regulatory frameworks apply. Required
Understanding laws that regulate the use of health and care data Learn about the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Required
Using data during the adopted technology’s lifecycle When considering adopting digital healthcare technologies, you need to know that data protection legal requirements that will apply at the different stages of the technology's lifecycle. Required
Data considerations related to compatibility testing Both developers and adopters must make sure that use of data during compatibility testing is done lawfully. Required
Technology adoption: using health and care data You may need to use personal health and care data during the adoption of the technology. This requires a lawful basis. Required
Complying with the UK GDPR Steps 1 - 7: an introduction If you are using personal data, you are obliged to protect it and comply with data protection law. Required
Common law duty of confidentiality The common law duty of confidentiality means that when someone shares confidential information in confidence, you cannot disclose it without some form of legal authority or justification. Required
Data access and re-identification risk intervention If you share, or provide access to, health and care data with the developers of a digital technology, you will need to consider the identifiability of the data. Required
Understanding the difference between research and non-research activities How to determine if your activity classifies as research or non-research, and whether you need research approvals. Required
Data Protection agreements and contracts It is important for adopters to have appropriate data agreements and contracts in place to formalise arrangements around access to and use of health and care data. Required
Using data during deployment and after rollout Learn how to use or process data during and after deployment of your digital technology. Required
Changing a technology’s purpose A change in processing purpose has implications for your obligations under data protection law. Required
Print all adopters' guidance (opens a PDF in a new tab)

Regulations are regularly updated. For the latest information, check the website as printed documents may be outdated.

Other helpful links

  • Glossary

    Demystify the complex world of digital health regulation terminology with our glossary.

  • Using this service

    Learn how to use this service as a developer or adopter of AI or digital health technologies.