Developers - Deploying your digital technology: using personal health data
Reviewed: 22 January 2023
Reviewed by: Health and Care IG Panel
The processing of personal data in the delivery of care (such as in the live deployment of a healthcare technology) is for direct care. However, direct care does not encompass pre- or post-deployment testing or development of technology.
The processing of confidential patient and service-user data for direct care purposes can lawfully be carried out using the legal basis of implied consent under the common law duty of confidentiality. This legal basis is available to a member of the direct care team who provides care services to the individual to whom the data relates.
As explained previously, this is because patients would reasonably expect their personal data to be used for their direct care. As such, they are assumed in law to give their implied consent for their data to be shared for uses that involve prevention, investigation, or treatment of any illness involving them. That assumption remains unless the individual specifically withdraws that consent.
Direct care can be defined as a clinical, social-care or public-health activity concerned with the prevention, investigation or treatment of illness and the alleviation of suffering of individuals. It includes supporting an individual’s ability to function and improve their participation in life and society. It also includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including the measurement of outcomes done by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Direct care does not include health services management, including population health management (preventative or other) initiatives, or medical research. Examples of activities that are not in-scope for direct care include risk prediction and stratification, service evaluation, needs assessment and financial audit.
Important note: whether for direct care or not, your processing must still satisfy an Article 6 legal basis and an Article 9 condition. It must also comply with the data protection principles and other compliance requirements, as stipulated by the UK GDPR. See complying with the UK GDPR.
Also see:
NHS Digital’s definition of direct care
To share or not to share? The Information Governance Review
ICO's investigation into use of patient information by the Royal Free NHS Foundation Trust.
Making sure your data usage is lawful
The use of a technology in direct care does not require any further approvals or require you to obtain consent from the individuals to whom the information relates. However, as with all health data processing, data protection legislation still applies.
Get more support
To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.