Data compliance checklist for adopters
Below are the legal requirements you must take into consideration when using health and care data as an adopter of digital health technologies.
1. Understand what types of data you’ll be using during the technology’s lifecycle.
Different types of data need to meet different regulations. Two types of health and care data can be distinguished to help you determine when the relevant legal and regulatory frameworks apply:
- Data relating to identifiable individuals, including confidential patient and service user information, is personal data
- Data that no longer relates to or identifies an individual is anonymous data
Read more about using personal or anonymous data in the relevant sections of our data guide:
- Understanding types of health and care data will give you more information on what classifies as personal and anonymous data
- Understanding laws that regulate the use of health and care data will provide an overview of what laws apply to personal data
- Using data during the adopted technology’s lifecycle will explain when you may need to meet certain regulations
- Read what data considerations you should consider when it comes to compatibility testing
- Find out how to legally use data during deployment and after rollout
- Learn what to do when changing a technology’s purpose and repurposing data: data protection and privacy considerations
2. Determine whether you need consent or approval to use this type of health and care data
Consent is not required for anonymous data. However, if you plan to use identifiable personal data, consent should be sought where possible.
Read more about gaining consent in the relevant sections of our data guide:
- Find out how to make an application to CAG, when obtaining explicit consent is not possible
- Understand what the common law duty of confidentiality requires in terms of patient consent
- Understand what consent you need for confidential data processed by someone within the direct care team
- Understand what consent you need for confidential data processed by someone outside the direct care team
3. Establish whether you are a data controller or data processor
Your obligations will vary depending on whether you are a data controller or a data processor in respect of each of the processing activities you carry out.
Read more about determining if you are a data controller or processor in the relevant sections of our data guide:
- Determine if you are a data controller or processor with help from this guidance
4. Check to see if any project activity could be considered ‘research’
Throughout the development of your technology, there could be various activities that could be considered research. If they are considered research, you will need to get relevant approvals.
Read more about determining if you need research approval in the relevant sections of our data guide:
- Understanding the difference between research, service evaluation and audit
- Read 'Do you need research approval' which provides examples of activities that could be considered research, whether you need research approval and how to apply for approval
5. You may need to get further approvals for clinical investigations on medical devices
A clinical investigation of a technology is defined as research.
You need to consider whether the technology you are adopting (including AI and software) may be considered a medical device, for which an application to MHRA Devices will be required.
You must notify the Medicines and Healthcare products Regulatory Agency (MHRA) before you begin a clinical investigation.
Read more about getting clinical investigation approvals for medical devices in the relevant sections of our data guide:
6. Consider whether you will need to share data, and how to do that securely and lawfully
It is important for adopters to have appropriate data agreements in place to formalise arrangements around access to and use of health and care data.
Read more about lawfully sharing data in the relevant sections of our data guide:
- Learn about data access and re-identification risk intervention
- Learn how to process anonymous data (including a note on pseudonymisation)
- Make sure you have appropriate data protection agreements in place (including Data Sharing Agreements, a Controller-Processor Contract and ICO contracts)
7. Ensure you have a legal basis for processing data under the common law duty of confidentiality
The common law duty of confidentiality means that when someone shares confidential information in confidence, you cannot disclose it without some form of legal authority or justification.
Read more about lawfully processing data in the relevant sections of our data guide:
- Read more about the common law duty of confidentiality
8. Ensure you have a legal basis for processing data under UK GDPR Article 6
There are 6 lawful bases for processing personal data under Article 6 of the UK GDPR. At least 1 of these must apply whenever you process personal data, and you must determine in advance which one you are relying on and make this clear in your privacy notice.
Read more about lawfully processing data in the relevant sections of our data guide:
- Have a lawful basis for processing health and care data (including Article 6 of the UK GDPR)
9. Ensure you also have a separate condition for processing special category data, under UK GDPR Article 9 (all health data is special category)
Health and care data is considered a type of special category data under UK GDPR. So, in addition to identifying a lawful basis as described above, you will also need to meet 1 of the 10 specific conditions in Article 9 of the UK GDPR.
Read more about lawfully processing data in the relevant sections of our data guide:
10. Consider conducting a data protection impact assessment (DPIA)
Before you start processing health and care data involving the use of new technology, including in the context of deploying a technology in a health or social care setting, you should consider carrying out a DPIA.
Read more about conducting a DPIA in the relevant sections of our data guide:
- Read how to do a data protection impact assessment (DPIA)
11. Make sure you’ve registered with the ICO and paid a data protection fee
Every organisation or sole trader who processes personal data is legally required to register with the ICO. Once you have registered, you will have to pay a data protection fee. If you do not pay the fee, you may be fined.
Read more about registering with the ICO in the relevant sections of our data guide:
Below is a list of best practice principles related to the use of health and care data. Although these are not legal requirements, we strongly recommend you follow these principles.
1. Check out the longer and more technical version of this data guide on the Health Research Authority’s website
Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions).
Resources:
- Read: An overview of the legal requirements for using health and care data in the development and deployment of data-driven technologies.
- See also: glossary of definitions used within this guide
- You can also find other important health and care research guidance on the HRA's website
2. Keep up to date with the UK’s data protection laws
If you are using personal data, you are obliged to protect this data and comply with data protection law principles. The Information Commissioner’s Office (ICO) is the UK regulator that oversees compliance and upholds information rights.
Resources:
- For comprehensive general guidance on UK data protection law, regularly visit the ICO's website
3. Get general guidance on information governance in the health and care sector
For guidance on information governance (IG) in the health and care sector in general, see the NHS Transformation Directorate IG Portal. This brings together national IG guidance to help those working in the health and care sector understand how to use information appropriately to support care. It includes guidance focusing on the IG implications of using AI in health and care settings, which you should refer to because it helps support the lawful and safe use of data for AI innovations.
Resources:
4. Make sure you are transparent with your research
The HRA has a legal duty to promote research transparency. When applying for HRA and HCRW approval you should think about how you will share your findings and how you plan to involve patients and members of the public in the research. This is separate to recruiting patients and members of the public as research participants.
Resources:
- For practical resources and information about how to involve the public in research, read:
5. Follow the Caldicott principles
Follow the 8 Caldicott Principles that make sure people's information is kept confidential and used appropriately.
Caldicott Guardians help their organisations ensure confidential information about health and social care is used ethically, legally and appropriately. Caldicott Guardians should provide leadership and informed advice on complex matters involving the use and sharing of patient and service user confidential information.
Resources:
- Follow the 8 Caldicott Principles
For more information about the types of organisations that should have a Caldicott Guardian, see the National Data Guardian guidance on appointment of Caldicott Guardians. If your organisation does not have a Caldicott Guardian, you can contact the UK Caldicott Guardian Council: ukcgcsecretariat@nhs.net.