Developers - Step 8: Getting data from data providers
There are organisations that originally collected the data (for example, NHS Trusts, Universities). The original purpose of the collection may have been to provide clinical care, or to carry out studies including research activities. These organisations will already have made sure that the original collection of health data was lawful and fair. This would include ensuring appropriate lawful bases and compliant processing under UK GDPR.
Access to data is subject to the data provider’s approval process. Different organisations may have different approval processes. You will need to contact them for advice on how to access their data and on any contract that they require to be agreed before you can access the data.
When you apply to get data from an NHS service provider who acts as an intermediary (such as NHS Digital), a research database, or a Trusted Research Environment/Secure Data Environment (both terms referring to a controlled digital environment used to store or analyse sensitive data securely), you should also check what requirements you must meet. This could include requiring you to first obtain researcher accreditation according to procedures they set out.
Carrying out these processes is separate from any research approvals you need to obtain. Therefore, you should include the additional time needed for this final stage in the calculation of your overall project timelines.
Get more information from:
- the Clinical Practice Research Datalink (CPRD)
- NHS England (NHSE) and its Data Access Request Service (DARS) with the Advisory Group for Data acting in an advisory role to NHSE, and
- the UK Health Security Agency (UKHSA)
Important note: when you want to ‘repurpose’ data collected for one purpose for a new purpose, UK GDPR requires you to have a new lawful basis in place before you engage in your so-called ‘secondary processing’. However, if the new purpose is research as defined under data protection law, there are research exemptions that may be available to you. These include an exemption that means no new lawful basis is required in certain circumstances.
Therefore, it is important that you check if your purpose for using pre-collected data is research as defined by the ICO. If it is not research (which might be the case in some types of technology development activities), research exemptions would not be available and you will need to make sure you have a new lawful basis in advance of starting your secondary processing. Otherwise, if you want to use data for a new purpose that you did not originally anticipate when you collected the data, you can only go ahead if the new purpose is compatible with the original purpose. Information on how to assess compatibility can be found in the ICO’s guide on lawful basis for processing. However, this compatibility assessment is not applicable if you are using data collected by another organisation. The law does not allow you to rely on compatibility with the original organisation’s purpose, which means you will need to identify your own lawful basis to process the data.
Important note: if you originally collected the data but you did so on the basis of UK GDPR consent, you would normally need to get new consent before you repurposed the data, to ensure your new processing is fair and lawful. You also need to make sure that you update your privacy information to ensure that your processing is still transparent.
Get more information:
Read about purpose limitation in the ICO’s guide to the GDPR, and the ICO's guidance for research provisions within the UK GDPR.
Get more support
To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.