Guidance
Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

- England

From:

- Health Research Authority (HRA)

Page last reviewed: 15 Jan 2023

Changing a technology’s purpose

Reviewed by: Health and Care IG Panel

If you, as the adopter, use data in a different way than originally intended, you need to consider whether this has changed the intended purpose of processing for the technology. For more information, see managing change.

A change in processing purpose has implications for your obligations under data protection law.

You should also consider whether this changes your activities into research and whether approvals will now be required.

Updates affecting research with REC, HRA or CAG approval

If your research project that has already been approved subsequently changes to involve collection of new or different patient data, you will have to create an amendment.

Amendments are changes made to a research project after approval from a review body has been given. If you plan to make an amendment to your research project, you will need to determine whether you need to notify the review bodies from whom you have received approvals.

You should notify the HRA and REC by submitting the amendment through IRAS. If the research involves a medical device your submission should include the MHRA. If the project has s.251 support (to set aside the common law duty of confidentiality) you will also need to notify CAG.

For more, see:

HRA’s guidance on amending an approvals

The amendments help section in the Integrated Research Application System (IRAS)

Important notes on repurposing data:

  • if you want to ‘repurpose’ data collected for one purpose for a new purpose, this is known as ‘secondary processing’. UK GDPR requires you to have a new lawful basis in place before you do this. However, if the new purpose is research as defined under data protection law, there are research exemptions that may be available to you. These include an exemption that means no new lawful basis is required in certain circumstances
  • it is important that you check if your purpose for using pre-collected data is research as defined by the ICO. If it is not research (which might be the case in some types of technology development activities), research exemptions would not be available. You will need to make sure you have a new lawful basis before starting your secondary processing. Otherwise, if you want to use data for a new purpose that you did not originally anticipate when you collected the data, you can only go ahead if the new purpose is compatible with the original purpose. Find information on how to assess compatibility in ICO’s guide on lawful basis for processing. However, it is not applicable if you are using data collected by another organisation. The law does not allow you to rely on compatibility with the original organisation’s purpose, which means you will need to identify your own lawful basis to process the data
  • if you originally collected the data but you did so on the basis of UK GDPR consent, you would normally need to get new consent before you repurposed the data for a purpose not covered by the original consent, to make sure your new processing is fair and lawful. You should also update your privacy information to make sure your processing is still transparent

Get more information:

Read about purpose limitation in ICO’s guide to the UK GDPR and see ICO's guidance on research provisions.

Is there anything wrong with this page? Let us know