Data compliance checklist for developers

Different types of data need to meet different regulations. Two types of health and social care data can be distinguished to help you determine when the relevant legal and regulatory frameworks apply.

1. Personal data, which is data relating to living identifiable individuals, to which we add confidential patient and service user information about living or deceased identifiable individuals.
2. Data that does no longer relate or identify to an individual is anonymous data.

Read more about using personal or anonymous data in the relevant sections of our data guide:

• Understanding types of health and care data will give you more information on what classifies as personal and anonymous data.
• Understanding laws that regulate the use of health and care data will provide an overview of what laws apply to personal data.
• Using data during your digital technology lifecycle will explain when you may need to use data and at which stage of the technology’s lifecycle.
• Proof-of-concept: using anonymous or artificial health data will explain the benefits of using anonymous or artificial data during proof-of-concept, pre-deployment stage.
• Ensure you know the importance of data minimisation and the differences between anonymous, or artificial data and pseudonymous data.
• Technology development: using health data explains how to process personal data during the development stage (when the use of anonymous or artificial data is not possible), and explains which data protection laws (such as UK GDPR and the Common law duty of confidentiality ) you will need to comply with at this stage of the product lifecycle.
• Deploying your digital technology: using personal health data explains how the processing of personal data should take place post-deployment in the delivery of patient care.
• See also: Data protection criteria for compatibility testing and How to process data lawfully during compatibility testing.

Access to data is subject to the data provider’s approval process. Different organisations may have different approval processes. You will need to contact them for advice on how to access their data and any contract that they require needs to be agreed upon before you can access the data.

Read more about getting usage approvals in the relevant sections of our data guide:

• Getting data from data providers explains the various places you can get data from (for example NHS Trusts or Universities) and contracts that might be required for access.

Usually, you do not need consent or approval to process data that has been rendered anonymous (including through synthesis), or artificial data.

To receive (identifiable) confidential patient and service user information, however, the individual to whom the information relates must first have provided their prior explicit consent to their information being shared before you can access it, unless there is another legal basis available to you.

Read more about getting consent or approval in the relevant sections of our data guide:

• Understand what the common law duty of confidentiality requires in terms of patient consent and what to do if you do not have explicit consent and whether an application to CAG is required
• Confidential data processed by someone outside the direct care team
• Explicit consent from an individual to permit confidential information to be shared outside the team directly caring for them

Important note: this type of consent (explicit consent from an individual to permit confidential information to be shared outside the team directly caring for them) is separate from UK GDPR consent. However, the rules on consent do not conflict. This is because they are about consent for different things under 2 different sets of regulations that were created to work together without tension. For more on this distinction, see the NHS England Transformation Directorate’s guidance on consent and confidential patient information.

Throughout the development of your technology, there could be various activities that could be considered research. If they are considered research, you will need to get relevant approvals from the Health Research Authority (HRA) and Health Care Research Wales (HCRW) and may require ethical review from a Research Ethics Committee.

Read more about determining if you need research approval in the following sections of our data guide:

• Getting research approvals, if needed which explains what constitutes research and what activities would be considered research at the pre-market and post-market stages.
• Consider whether a CAG application is required if confidential patient and service-user information is being processed without explicit consent

A clinical investigation of technology is defined as research by the HRA and HCRW and needs approval.

You must notify the Medicines and Healthcare products Regulatory Agency (MHRA) before you begin a clinical investigation.

Read more about getting clinical investigations approvals for medical devices in the relevant sections of our data guide:

• Medical device clinical investigations approvals

Your obligations will vary depending on if you are a data controller or data processor in respect of each of the processing activities you carry out for distinct purposes.

Read more about determining if you are a data controller or processor in the relevant sections of our data guide:

• Determine if you are a data controller or processor

To process health-related personal data (which is likely to include social care related data), you must identify:

1. a lawful basis under Article 6 of the UK GDPR
2. a separate condition for processing data special category under Article 9 of the UK GDPR

Read more about lawfully processing health personal data in the relevant sections of our data guide:

• Have a lawful (also known as ‘legal’) basis for processing health data

Before you start processing health and social care data or deploying a technology in a health or social care setting, you should consider carrying out a DPIA.

Read more about conducting a DPIA in the relevant sections of our data guide:

• Do a data protection impact assessment (DPIA)

Every organisation or sole trader who processes personal data as a controller is legally required to register with the ICO. Once you have registered, you will have to pay a data protection fee. If you do not pay the fee, you may be fined.

Read more about registering with the ICO in the relevant sections of our data guide:

• Register with the ICO

Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions).

Resources:

• Read: An overview of the legal requirements for using health and care data in the development and deployment of data-driven technologies.
• See also: glossary of definitions used within this guide
• You can also find other important health and social care research guidance on the HRA's website.

If you are using personal data, you are obliged to protect this data and comply with data protection law principles. The Information Commissioner’s Office (ICO) is the UK regulator that oversees compliance and upholds information rights.

Resources:

• For comprehensive general guidance on UK data protection law, regularly visit the ICO's website.

You should identify the minimum amount of personal data needed to fulfill your purpose and hold no more information in excess of the minimum. The personal data held should also be relevant and adequate for purpose. It is unethical to access more than is needed, and a contravention of UK GDPR.

Resources:

• Infrastructure is in place to help access health and social care data, for example from NHSD, Clinical Practice Research Datalink (CPRD), or UK Health Security Agency. These may already have some of the legal approvals in place to ensure that use of the data has a lawful basis. Each organisation has its own approvals processes and will need to be approached for advice on how to access its data.
• See also the ICO’s data minimisation principle for more information

The HRA has a legal duty to promote research transparency. When applying for HRA and HCRW approval you should think about how you will share your findings and how you plan to involve patients or service users, and members of the public in the research. This is separate to recruiting individuals as research participants.

Resources:

• Make it public: transparency and openness in health and social care research
• The HRA’s best practice in public involvement

Follow the 8 Caldicott Principles that make sure people's information is kept confidential and used appropriately.

Caldicott Guardians help organisations ensure confidential information about health and social care is used ethically, legally, and appropriately. Caldicott Guardians should provide leadership and informed advice on matters involving the use and sharing of patient and service user confidential information, especially in situations where there may be legal or ethical ambiguity.

Resources:

• Follow the 8 Caldicott Principles
• For more information about the types of organisations that should have a Caldicott Guardian, see the National Data Guardian guidance on appointment of Caldicott Guardians. If your organisation does not have a Caldicott Guardian, you can contact the UK Caldicott Guardian Council: ukcgcsecretariat@nhs.net.