Developers - Data regulations for digital technologies in health and social care: a guide

Reviewed by: Health and Care IG Panel

Please note: a longer and more technical version of this guidance is available on the website of the Health Research Authority (HRA): Legal requirements for using health and care data in data-driven technologies Health Research Authority (hra.nhs.uk). Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions). You can also find other important health and care research guidance on the HRA's website.

For comprehensive general guidance on UK data protection law, see the ICO's website.

For guidance on information governance (IG) in the health and care sector in general, see the NHS Transformation Directorate IG Portal. This brings together national IG guidance to help those working in the health and care sector understand how to use information appropriately to support care. It includes guidance focusing on the IG implications of using AI in health and care settings, which you should refer to because it helps support the lawful and safe use of data for AI innovations.

Revolutionising health and social care with digital technologies

Digital technologies have enormous potential to improve health and social care. For example:

• sensory technology could track patients at home, assisting independent living
• apps could help patients talk to their clinicians and better manage their health
• data-driven digital tools could help clinicians better diagnose and treat conditions

It is data that powers these innovations, but data usage must comply with laws and regulations. The good news is that the laws and regulations governing the use of health and care data aim to make data sharing possible for a range of purposes, including the development of data-driven technologies. Therefore, understanding these legal and regulatory frameworks is key to realising the potential of digital technologies.

This guide will help you learn:

• what laws apply to using health and social care data at each stage of your technology’s lifecycle
• how to implement a data protection ‘by design and by default’ approach
• how and when to undertake a data protection impact assessment (DPIA), and how it will benefit you and the patients/service users you serve
• when you need to get research approval from
  • the Health Research Authority (HRA)
  • Health and Care Research Wales (HCRW)
  • a Research Ethics Committee (REC), and/or the Confidentiality Advisory Group (CAG), and
  • when you need to follow guidance set out by the Medicines and Healthcare products Regulatory Agency (MHRA)