Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

- England


- Health Education England (HEE)

Page last reviewed: 13 Jan 2023

Using data during the adopted technology’s lifecycle

Reviewed by: Health and Care IG Panel

When considering adopting digital healthcare technologies, you need to know that data protection legal requirements will apply at the following stages:

Before buying a digital technology

You need to understand what to expect from developers and the key issues to think about, before buying a technology. You should consider whether the technology is compatible with your existing systems and infrastructure

Integration and piloting

When integrating or piloting a technology, including doing compatibility testing, you need to consider compliance with data protection legislation. It imposes requirements to make sure personal data is processed lawfully, fairly, and transparently


Once you have rolled out the technology, you will have to monitor it for safety and efficacy. There will be ongoing data-related requirements related to this, which may involve further research, service evaluation or be part of direct care.

Direct care is also known as individual care. People in the individual care team are health and care staff who the individual would reasonably expect to have access to their record for individual care.

Care teams may include doctors, nurses, and a wide range of staff on regulated professional registers, including social care professionals. The most important thing is that a member of a direct care team has a legitimate care relationship with the specific patient or service-user individual whose data they access. So, this excludes entrepreneurs not working within NHS or social care organisations in England and Wales.

Considerations before buying a digital technology

Before buying a digital healthcare technology, you should check the developer has complied with the relevant regulations. For example, the developer needs to have registered with ICO, nominated a data protection officer, and completed a Data Security and Protection Toolkit and a Data Protection Impact Assessments (DPIA).

You should try to understand the developer’s approach to make sure you understand their approach to complying with the law and regulation, including its choice of legal basis allowing it to provide you with access to personal data and/or confidential patient and service-user information. See the developer pathway guide for detailed information on what laws and regulations developers need to consider. Further reading:

Is there anything wrong with this page? Let us know