Data considerations related to compatibility testing
Reviewed by: Health and Care IG Panel
Both developers and adopters must make sure that use of data during compatibility testing is done lawfully.
Compatibility testing may involve the use of patient and service-user data that may not be for direct care or does not constitute a research activity. You should use the HRA’s decision tool ‘Is my study research?’ to assess whether a project has characteristics indicative of a research activity requiring regulatory approval.
You need to think about data protection and confidentiality, for example:
- Is the use of personal and/or confidential patient and service-user information necessary, or could your purpose be achieved in other ways?
- Who is accessing confidential patient and service-user information and are they part of the care team?
- How is the data being collected, held or shared?
- What security measures are in place?
How to process data lawfully during compatibility testing
If a technology is already compatible with existing systems and can be integrated without processing health and care data, no approvals are usually required.
If health and care data need to be processed, and even if the processing does not constitute research, data protection law will still apply. While processing anonymous data falls outside data protection law, data controllers should carefully consider the risks from reidentification and data matching (matching data to a person) as part of determining whether anonymisation standards have been met. When considering whether anonymisation is effective, you should review the ICO's guidance on anonymisation.
Confidential patient and service-user information processed by someone within the direct care team
If confidential patient or service-user information (collected in direct-care provision) needs to be processed to carry out testing, you should consider whether those holding such information have a legal basis to share such data with those that would do the testing. When such information does not need to be shared with people outside the direct care team for testing, no further action is needed.
Confidential patient and service-user information processed by someone outside the direct care team
If confidential patient or service-user information is shared with someone outside of the direct care team for testing purposes, either explicit consent to such sharing must be obtained from the individual, or, where obtaining consent is not possible or highly impractical in the situation, ‘section 251 support’ must be obtained. You will need to apply to the Confidentiality Advisory Group (CAG) via the HRA and HCRW to set aside the common law duty of confidentiality to permit the sharing where the activity is deemed research, or directly to CAG via the Secretary of State where it is not (that is, in non-research cases). An example would be when manual work with confidential data (for example, coding) is proposed to be done by members of the technology developer’s team, since that would involve sharing external to the direct care team.
Read getting research approvals for more information on applications to CAG.