Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

- England


- Health Research Authority (HRA)

Page last reviewed: 15 Jan 2023

Using data during deployment and after rollout

Reviewed by: Health and Care IG Panel

Deploying your adopted digital technology: using health and care data

Direct care encompasses the processing of health and care data in the delivery of care to an individual (such as in the adoption of a healthcare technology used directly in treatment of a patient). However, direct care does not encompass pre- or post-deployment testing or adoption of the technology.

The processing of confidential patient and service-user data for direct care purposes can lawfully be made using the legal basis of implied consent under the common law duty of confidentiality. This legal basis is available to a member of the direct care team who provides care services to the individual about whom the data relates.

As explained previously, this is because patients would reasonably expect their personal data to be used for their direct care. As such, they are assumed in law to give their implied consent for their data to be shared for uses that involve prevention, investigation or treatment of any illness involving them. That assumption remains unless the individual specifically withdraws that consent.

Direct care can be defined as a clinical, social-care or public-health activity concerned with the prevention, investigation or treatment of illness and the alleviation of suffering of individuals. It includes supporting an individual’s ability to function and improve their participation in life and society. It also includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes done by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

Direct care does not include health services management, including population health management (preventative or other) initiatives, or medical research. Examples of activities that are not in-scope for direct care include risk prediction and stratification, service evaluation, needs assessment and financial audit.

Important note: whether for direct care or not, your processing must satisfy an Article 6 legal basis and an Article 9 condition. It must also comply with the data protection principles and other compliance requirements, as stipulated by the UK GDPR. See complying with the UK GDPR.

Also see:

NHS Digital’s definition of individual or direct care

Information: To share or not to share? The Information Governance Review

ICO's investigation into use of patient information by the Royal Free NHS Foundation Trust

Making sure your data usage is lawful

The use of a technology in direct care does not require any further approvals or require you to obtain consent from the individuals to whom the information relates. However, as with all health-data processing, data protection legislation still applies.

Is there anything wrong with this page? Let us know