It’s important that when using patient data to develop apps or software, developers and NHS organisations work together to build and maintain patient trust in their use of their data. Understanding the different laws and approvals surrounding access to patient data is crucial, as is working with patients and the public.
It is vital that you establish the purpose of processing the
data before any data is transferred. Is the data being used for direct care or
is it being used for research?
Direct care is defined in the Information Governance Review as:
The Information Governance Review, March 2013
A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society.
It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Use of patient data in research
If you’re using confidential patient information to develop a new technology or product which is not for direct care, this is classed as research and should conform to the UK Policy Framework for Health and Social Care Research. It must also meet the standards and criteria for research undertaken in the NHS, including information governance standards.
Joint guidance from the HRA, MHRA, Department of Health and Social Care and NHS Digital summarises the key data protection, data governance and medical device regulatory requirements for data driven technology in the NHS and adult social care.
Using patient data without consent
If it is not feasible to obtain patient consent to the use of their confidential data and your research is of public benefit, you need to apply to the Confidentiality Advisory Group (CAG) for support to access this data.