Patient and service user information may be processed in the following phases of development, deployment, and monitoring of data-driven technologies:
- Proof of concept (pre-deployment) - This involves generating evidence to demonstrate that a data-driven technology idea, design, or concept is feasible.
- Testing in the care environment (pre-deployment) - Data-driven technologies must be safe and effective to use in the live environment before they can be deployed in clinical or social care. This may require testing in a live care environment.
- Direct care (deployment) - Direct care (also known as individual care) is provided to individual patients or service-users by people in the care team who have a legitimate relationship with the patient or service-user.
- Service evaluation and post-market surveillance (post-deployment) - All data-driven technologies deployed in care should be monitored for safety and efficacy.
- Service evaluation measures an existing service and seeks to assess how well a service is meeting its aims and objectives.
- Post-market surveillance is an aspect of service evaluation that has particular relevance in the context of medical devices. Manufacturers of medical devices must implement an effective post-market surveillance system to ensure that any problems or risks associated with the use of their device, once freely marketed, are identified early, reported to competent authorities, and acted upon.
When processing health and care information at each of these stages, you need to consider whether you need a legal basis to satisfy data protection legislation and one to satisfy the common law duty of confidentiality including to enable any necessary disclosure to another organisation.
If you are the controller (either sole or jointly with another organisation) of personal data, you will need to demonstrate and document that you have analysed, identified, and minimised the data protection risks. For research activities the sponsor is the controller.
Controllership can be sole, or joint (with one or more other controllers), depending on whether the responsibility for decisions about purposes and means of processing is taken either alone or together. The ICO has produced data protection law guidance on controllers and processors to help determine this issue on the facts and describing the obligations under each role. The HRA has published guidance describing the role of research sponsors as controllers.
As controller, it is useful to create a data flow map that identifies the data assets (data at rest) and data flows (data at points of disclosure) that enable the relevant objective to be delivered. The data flow map can also help you to determine whether your activity falls within your organisation’s existing Data Protection Impact Assessment (DPIA) or it can help you complete a new DPIA. It should describe the proposed flows of personal data, associated governance risks, and the controls developed to ensure lawful processing.
It is likely that you will need to complete a DPIA prior to implementing data-driven technologies, unless your activities fall within the range of activities covered by an existing DPIA. This will help you to manage and mitigate the likelihood and severity of any potential harm to individuals. A DPIA is intended to be a ‘living document’ and should be regularly reviewed and updated during each stage.
The DPIA will also support you to consider how you are meeting the accountability principle of UK GDPR, as well as data protection by design and default. The ICO has produced guidance on DPIAs and taking a risk based approach. The HRA has published guidance on DPIAs for research. There is also an AI toolkit to support organisations auditing compliance of their data-driven technologies.
Where data flow mapping identifies instances where personal data is processed by a data processor on behalf of a data controller, a legally binding written data processing contract or agreement is required. Where particular risks relating to processing are identified, it may be appropriate to specify in the contract particular measures that the data processor should put in place, as well as mandatory UK GDPR clauses for all data processing contracts. The HRA has published model template agreements for use in research.
At each stage you also need to consider whether you need to meet the requirements set by the ICO, HRA and the MHRA, as well as considering whether you can rely on implied consent to use data in providing direct care on the basis of reasonable expectations. The following flowchart will support you in understanding the requirements for each stage.
3.1 The common law duty of confidentiality
The flow chart shows how the common law may be satisfied for each of the stages.
Under the common law duty of confidentiality, confidential patient information can be accessed where the data-driven technology is being used to deliver direct care on the basis of implied consent (Stage C). For information on the circumstances necessary to rely on implied consent, see Information: To share or not to share? The Information Governance Review.
Stages A, B and D are not solely for direct care. The basis for processing confidential patient information is therefore not implied consent. If it is necessary to access confidential patient information to undertake the activities, a legal basis is required. Usually, this is explicit consent e.g. if live testing involves contact with individual patients or service-users, it may be practical to gain explicit consent to the use of confidential patient information for this testing.
However, if it is not feasible to ask patients and service users to consent to access their information, you need to apply to the CAG which will provide independent advice to the HRA (for research) or the Secretary of State (for non-research) on whether support under section 251 NHS Act 2006 should be provided.
3.2 Data protection legislation
To process personal data concerning health and care for scientific research, you need a legal basis under Article 6 UK GDPR, and to process personal data concerning health, you need a condition for processing special category data under Article 9 UK GDPR. See section 2.1.1 above.
The HRA guidance provides guidance on the appropriate legal bases and conditions for processing personal data for scientific research.
The ICO provides guidance on the appropriate legal bases for processing personal data generally.
3.3 Do I need research approval?
You do not need research approval to process confidential patient information for direct care(Stage C).
Stages A and B may constitute research. If you want to do research in England you will normally need research approval from the HRA, including Research Ethics Committee (REC) approval. For more information on research approval, see Section 4 - checklist.
In relation to Stage D:
Service evaluation is designed and conducted solely to monitor or judge current care. Once a data-driven technology is deployed in direct care, service evaluation that measures the service without reference to a standard is not research and you do not need research approval.
Post-Market Surveillance studies of CE-marked devices may be classified as service evaluation, not requiring Health Research Authority (HRA) Approval, where all the following criteria are met:
● The product is used unmodified and within its intended purpose
● The assignment of any patient or service user involved in the study to a particular therapeutic strategy or diagnostic procedure is not decided in advance by a protocol but falls within current clinical practice
● The decision to use the product is clearly separated from the decision to include the patient or service user in the study
● No diagnostic or monitoring procedures are applied to the patients or service users included in the study, other than those which are ordinarily applied in the course of current clinical practice
● Epidemiological methods are to be used for the analysis of the data arising from the study
If the study does not meet all these criteria, it should be regarded as research. In particular, any case series study involving additional research procedures (e.g. scans, questionnaires) or additional clinical monitoring should be regarded as research and will require HRA Approval if conducted within the NHS in England.
Please see the checklist in Section 4 for guidance on the additional approvals and standards that you may require relating to the stage in the development, deployment, or monitoring of the data-driven technology.