Skip to main content

BETA This is a new service - your feedback (opens in a new tab) will help us to improve it.

Data compliance checklist for developers

Below are the legal requirements you must take into consideration when using health and care data as a developer of digital health technologies.

1. Understand what types of data you will need to develop a technology

Different types of data need to meet different regulations. Two types of health and social care data can be distinguished to help you determine when the relevant legal and regulatory frameworks apply.

  1. Personal data, which is data relating to living identifiable individuals, to which we add confidential patient and service user information about living or deceased identifiable individuals.
  2. Data that does no longer relate or identify to an individual is anonymous data.

Read more about using personal or anonymous data in the relevant sections of our data guide:

2. Consider where you will get your data from and how

Access to data is subject to the data provider’s approval process. Different organisations may have different approval processes. You will need to contact them for advice on how to access their data and any contract that they require needs to be agreed upon before you can access the data.

Read more about getting usage approvals in the relevant sections of our data guide:

  • Getting data from data providers explains the various places you can get data from (for example NHS Trusts or Universities) and contracts that might be required for access.
3. Consider whether you need consent or approval before you can use this data

Usually, you do not need consent or approval to process data that has been rendered anonymous (including through synthesis), or artificial data.

To receive (identifiable) confidential patient and service user information, however, the individual to whom the information relates must first have provided their prior explicit consent to their information being shared before you can access it, unless there is another legal basis available to you.

Read more about getting consent or approval in the relevant sections of our data guide:

Important note: this type of consent (explicit consent from an individual to permit confidential information to be shared outside the team directly caring for them) is separate from UK GDPR consent. However, the rules on consent do not conflict. This is because they are about consent for different things under 2 different sets of regulations that were created to work together without tension. For more on this distinction, see the NHS England Transformation Directorate’s guidance on consent and confidential patient information.

4. Check to see if any project activity could be considered ‘research’

Throughout the development of your technology, there could be various activities that could be considered research. If they are considered research, you will need to get relevant approvals from the Health Research Authority (HRA) and Health Care Research Wales (HCRW) and may require ethical review from a Research Ethics Committee.

Read more about determining if you need research approval in the following sections of our data guide:

5. You may need to get further approvals for clinical investigations on medical devices

A clinical investigation of technology is defined as research by the HRA and HCRW and needs approval.

You must notify the Medicines and Healthcare products Regulatory Agency (MHRA) before you begin a clinical investigation.

Read more about getting clinical investigations approvals for medical devices in the relevant sections of our data guide:

6. Establish whether you are a data controller or data processor

Your obligations will vary depending on if you are a data controller or data processor in respect of each of the processing activities you carry out for distinct purposes.

Read more about determining if you are a data controller or processor in the relevant sections of our data guide:

7. Ensure you have a legal basis for processing health data under GDPR

To process health-related personal data (which is likely to include social care related data), you must identify:

  1. a lawful basis under Article 6 of the UK GDPR
  2. a separate condition for processing data special category under Article 9 of the UK GDPR

Read more about lawfully processing health personal data in the relevant sections of our data guide:

8. Consider conducting a data protection impact assessment (DPIA)

Before you start processing health and social care data or deploying a technology in a health or social care setting, you should consider carrying out a DPIA.

Read more about conducting a DPIA in the relevant sections of our data guide:

9. Make sure you’ve registered with the ICO and paid a data protection fee

Every organisation or sole trader who processes personal data as a controller is legally required to register with the ICO. Once you have registered, you will have to pay a data protection fee. If you do not pay the fee, you may be fined.

Read more about registering with the ICO in the relevant sections of our data guide:

Below are a list of best practice principles related to the use of health and care data. Although these are not legal requirements, we strongly recommend you follow these principles.

1. Check out the longer and more technical version of this data guide on the Health Research Authority’s website

Refer to this longer guidance and its glossary for an in-depth analysis of your legal obligations and the laws in this area (including reference to primary legal definitions).


2. Keep up to date with the UK’s data protection laws

If you are using personal data, you are obliged to protect this data and comply with data protection law principles. The Information Commissioner’s Office (ICO) is the UK regulator that oversees compliance and upholds information rights.


  • For comprehensive general guidance on UK data protection law, regularly visit the ICO's website.
3. Review existing data sets and consider data minimisation principles

You should identify the minimum amount of personal data needed to fulfill your purpose and hold no more information in excess of the minimum. The personal data held should also be relevant and adequate for purpose. It is unethical to access more than is needed, and a contravention of UK GDPR.


4. Make sure you are transparent with your research

The HRA has a legal duty to promote research transparency. When applying for HRA and HCRW approval you should think about how you will share your findings and how you plan to involve patients or service users, and members of the public in the research. This is separate to recruiting individuals as research participants.


5. Follow the Caldicott principles

Follow the 8 Caldicott Principles that make sure people's information is kept confidential and used appropriately.

Caldicott Guardians help organisations ensure confidential information about health and social care is used ethically, legally, and appropriately. Caldicott Guardians should provide leadership and informed advice on matters involving the use and sharing of patient and service user confidential information, especially in situations where there may be legal or ethical ambiguity.