Adopters - Using data during deployment and after rollout
Reviewed: 15 January 2023
Reviewed by: Health and Care IG Panel
Deploying your adopted digital technology: using health and care data
Direct care encompasses the processing of health and care data in the delivery of care to an individual (such as in the adoption of a healthcare technology used directly in the treatment of a patient). However, direct care does not encompass pre- or post-deployment testing or adoption of the technology.
The processing of confidential patient and service-user data for direct care purposes can lawfully be carried out using the legal basis of implied consent under the common law duty of confidentiality. This legal basis is available to a member of the direct care team who provides care services to the individual to whom the data relates.
As explained previously, this is because patients would reasonably expect their personal data to be used for their direct care. As such, they are assumed in law to give their implied consent for their data to be shared for uses that involve prevention, investigation or treatment of any illness involving them. That assumption remains unless the individual specifically withdraws that consent.
Direct care can be defined as a clinical, social-care or public-health activity concerned with the prevention, investigation or treatment of illness and the alleviation of suffering of individuals. It includes supporting an individual’s ability to function and improve their participation in life and society. It also includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes done by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Direct care does not include health services management, including population health management (preventative or other) initiatives, or medical research. Examples of activities that are not in-scope for direct care include risk prediction and stratification, service evaluation, needs assessment and financial audit.
Important note: whether for direct care or not, your processing must satisfy an Article 6 legal basis and an Article 9 condition. It must also comply with the data protection principles and other compliance requirements, as stipulated by the UK GDPR. See complying with the UK GDPR.
Also see:
NHS Digital’s definition of individual or direct care
Information: To share or not to share? The Information Governance Review
ICO's investigation into use of patient information by the Royal Free NHS Foundation Trust
Making sure your data usage is lawful
The use of a technology in direct care does not require any further approvals or require you to obtain consent from the individuals to whom the information relates. However, as with all health-data processing, data protection legislation still applies.
Get more support
To discover how the regulatory organisations can assist you and for contact details, visit our 'Get Support' page.