Get an overview of your obligations with the data checklist for developers.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England

From:

Developers - Post-market: compatibility of technology with existing systems

Reviewed by: Health and Care IG Panel

When deciding whether to buy a digital technology, potential adopters will consider whether the technology is compatible with their existing systems and infrastructure.

Technology compatibility testing may therefore be required. Again, you must make sure that your use of data during this stage is lawful.

Data protection criteria for compatibility testing

Although technology compatibility testing involves the use of data, it is not considered a research activity or direct care.

However, you still need to think about:

  • Is the data personal or confidential?
  • Who is accessing the data? For example, are they part of the care team?
  • How is the data being collected, held or shared?
  • What security measures are in place?

How to process data lawfully during technology compatibility testing

An already compatible technology

If a technology is already compatible with existing systems and can be integrated without processing health data, no approvals are usually required.

However, data controllers should still consider the risks from reidentification and data matching (matching data to a person).

Confidential data processed by someone within the direct care team

If confidential information needs to be processed to provide direct care, and that information is not shared with people outside the direct care team, there is usually no need for explicit consent to the sharing, nor for section 251 (of the NHS Act 2006) support for the sharing to be requested.

Confidential data processed by someone outside the direct care team

Before confidential information is shared with someone outside of the direct care team, section 251 support for this may be required. For research purposes, and unless explicit consent to share the information has been obtained (or can be obtained) from patients and service users in advance, this will normally involve an application to the Confidentiality Advisory Group (CAG) via the HRA and HCRW to set aside the common law duty of confidentiality to permit the sharing. An example would be when manual work with the data (for example, coding) is proposed to be done by members of the technology developer’s team and that would involve sharing external to the direct care team organisation.

For more information, read how to apply for research approvals in step 5 of complying with the UK GDPR.

Get more support

To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.

Regulations are regularly updated. For the latest information, check the website as printed documents may be outdated.