Data regulations for digital technologies in health and social care: a guide for adopters
Reviewed by: Health and Care IG Panel
When integrating, piloting or deploying new digital healthcare technologies, adopters need to process health and social care data. You need to know what legal requirements govern the use of this data and when to get research approval. For the purpose of this guide, adopters are considered to be users of the technology, who may work in:
- social care
- NHS organisations (providers and commissioners, including primary care, community care and mental health)
- independent healthcare providers
Please note: a longer and more technical version of parts of this guidance is available on the website of the Health Research Authority (HRA): Legal requirements for using health and care data in data-driven technologies - Health Research Authority (hra.nhs.uk). Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions). You can also find other important health and care research guidance on the HRA's website.
See ICO's website for comprehensive general guidance on UK data protection law.
For guidance on information governance (IG) in the health and care sector in general, see the NHS Transformation Directorate’s IG Portal. This brings together national IG guidance to help those working in the health and care sector understand how to use information appropriately to support care. It includes guidance focusing on the IG implications of using AI in health and care settings, which you should refer to because it helps support the lawful and safe use of data for AI innovations.
Revolutionising health and social care by adopting digital technologies
Digital technologies have enormous potential to improve health and social care. For example:
- sensory technology could track patients at home, assisting independent living
- apps could help patients talk to their clinicians and better manage their health
- data-driven digital tools could help clinicians better diagnose and treat conditions
It is data that powers these innovations, but data usage must comply with laws and regulations. The good news is that the laws and regulations governing the use of health and care data aim to make data sharing possible for a range of purposes, including the adoption of data-driven technologies. Therefore, understanding these legal and regulatory frameworks is key to realising the potential of digital technologies. This guide will help you learn:
- what laws apply to using health and social care data at each stage of the adopted technology’s lifecycle
- how to implement a data protection ‘by design and by default’ approach
- how and when to do a data protection impact assessment (DPIA), and how it will benefit you and the patients or service users you serve
- when you need to get research approval from
  - the Health Research Authority (HRA)
  - Health and Care Research Wales (HCRW)
  - a Research Ethics Committee (REC)
  - the Confidentiality Advisory Group (CAG), and
- when you need to follow guidance set out by the Medicines and Healthcare products Regulatory Agency (MHRA)