The purpose of this guide is to help those who want to use health and care data in the development and deployment of digital technologies, such as AI. It refers to different legal frameworks and regulations in this area, and signposts you to external guidance. As data policy is a rapidly evolving area, this guidance and the links within it may need to be updated periodically. Therefore, you should return to this page regularly to see any updates reflecting these changes. While we try to update content on this website on a timely basis, we cannot guarantee that updates will be made immediately. Therefore, you should check the linked websites directly from time to time as new guidance becomes available on them.

Of note, we have not expanded the scope of the guidance to include the technical detail about how to ensure data are anonymous because we are awaiting final ICO guidance. Once the ICO has published their final guidance, we will add links to the final document.

Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

- England


- Health Research Authority (HRA)

Page last reviewed: 13 Jan 2023

Data regulations for digital technologies in health and social care: a guide for adopters

Reviewed by: Health and Care IG Panel

When integrating, piloting or deploying new digital healthcare technologies, adopters need to process health and social care data. You need to know what legal requirements govern the use of this data and when to get research approval. For the purpose of this guide, adopters are considered to be users of the technology, who may work in:

  • social care
  • NHS organisations (providers and commissioners, including primary care, community care and mental health)
  • independent healthcare providers

Please note: a longer and more technical version of parts of this guidance is available on the website of the Health Research Authority (HRA): Legal requirements for using health and care data in data-driven technologies - Health Research Authority. Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions). You can also find other important health and care research guidance on the HRA's website.

See ICO's website for comprehensive general guidance on UK data protection law.

For guidance on information governance (IG) in the health and care sector in general, see the NHS Transformation Directorate’s IG Portal. This brings together national IG guidance to help those working in the health and care sector understand how to use information appropriately to support care. It includes guidance focusing on the IG implications of using AI in health and care settings, which you should refer to because it helps support the lawful and safe use of data for AI innovations.

Revolutionising health and social care by adopting digital technologies

Digital technologies have enormous potential to improve health and social care. For example:

  • sensory technology could track patients at home, assisting independent living
  • apps could help patients talk to their clinicians and better manage their health
  • data-driven digital tools could help clinicians better diagnose and treat conditions

It is data that powers these innovations, but data usage must comply with laws and regulations. The good news is that the laws and regulations governing the use of health and care data aim to make data sharing possible for a range of purposes, including the adoption of data-driven technologies. Therefore, understanding these legal and regulatory frameworks is key to realising the potential of digital technologies. This guide will help you learn:

  • what laws apply to using health and social care data at each stage of the adopted technology’s lifecycle
  • how to implement a data protection ‘by design and by default’ approach
  • how and when to do a data protection impact assessment (DPIA), and how it will benefit you and the patients or service users you serve
  • when you need to get research approval from:
      • the Health Research Authority (HRA)
      • Health and Care Research Wales (HCRW)
      • a Research Ethics Committee (REC)
      • the Confidentiality Advisory Group (CAG), and
  • when you need to follow guidance set out by the Medicines and Healthcare products Regulatory Agency (MHRA)
