Have you considered whether the development/deployment of the technology is classified as research?

The UK Policy Framework for Health and Social Care Research defines research as the ‘attempt to derive generalisable or transferable new knowledge to answer or refine relevant questions with scientifically sound methods’. National Clinical Audits of practice and service evaluations are not research. However, product development activities may be research. The HRA provides a tool to help you work out whether what you are doing is research and, if it is, what approvals will be required.

It is important to bear in mind that this definition of research is a specific subset of the definition of research used by the ICO in a data protection legislation context. The latter definition determines whether the research provisions and the requirements about safeguards in the UK GDPR and the DPA 2018 apply in any specific case. For more information, see the ICO’s new guidance on research provisions within the UK GDPR and the DPA 2018, which will give more advice on applying data protection legislation provisions to the processing of personal data for research purposes.

For the purposes of this guidance, it is important to note that these two definitions of research are not mutually exclusive as the two regimes apply concurrently. Activities that meet the criteria of research under the UK Policy Framework for Health and Social Care Research will also meet the broader definition of research used by the ICO. However, activities that are not managed as research under the UK Policy Framework for Health and Social Care Research may still fall within research as defined by the ICO.

Do you have appropriate approvals in place if it is classified as research?

The Health Research Authority (HRA) manages health and social care research approvals, Research Ethics Committees (RECs), and the Confidentiality Advisory Group (CAG) in England.

HRA Approval brings together the assessment of research governance and legal compliance with independent research ethics review. If your project involves research using health and care information that relates to identified or identifiable individuals, obtained from local NHS organisations or adult social care service providers, you normally need research approvals including HRA Approval. Application for HRA Approval is through the Integrated Research Application System (IRAS).

A clinical investigation of a medical device is research so you will require HRA Approval if this is conducted within the NHS in England. Development of in-house medical devices may involve research. If so, you will need to obtain appropriate research approvals.

Have you considered whether the technology is a medical device and notified the MHRA if so?

The Medicines and Healthcare products Regulatory Agency (MHRA) regulates medical devices in the UK and determines if a product is a medical device. It has published detailed guidance on how to comply with legal requirements concerning medical devices. You can also contact the MHRA regulatory inbox at devices.regulatory@mhra.gov.uk if you want to confirm whether your product is a medical device or not.

MHRA guidance provides that accessories to devices are treated as if they are medical devices and all the relevant requirements will apply. Data-sets placed on the market as an accessory to a medical device will need to fulfil all the relevant regulatory requirements.

If your data-driven technology does not have a medical purpose as defined by the MHRA and is not a medical device, it does not need to be regulated by the MHRA. However, the law governing the use of personal data or confidential patient information, and the requirement to seek HRA Approval for research using health and care information obtained from local NHS organisations or adult social care service providers, apply in the same way whether the technology is classed as a medical device or not.

If you are a manufacturer, have you ensured that a CE or UKCA mark has been obtained if required?

If you are a manufacturer of data-driven technology that is a medical device, you must obtain a CE (European Conformity), now UKCA (UK Conformity Assessed), mark before the device can be deployed in clinical care. You will need to carry out a clinical investigation of the device to demonstrate safety and performance, unless you can do so by other means. You must notify the MHRA before the medical device is made available to a medical practitioner for clinical investigation.

If your medical device is only intended for use with patients and service users within your organisation and you do not intend to commercialise the product, there is currently no need to obtain a UKCA mark, as in-house medical devices are exempt. If you later intend to transfer the medical device developed in-house to other organisations for use in direct care only, or use it for direct care on patients and service users outside your organisation, or commercialise it, you will need to obtain a UKCA mark.

Patient or service user data accessed for the generation of clinical evidence for UKCA marking requires a clinical investigation registered with the MHRA through IRAS. Ethics approval should be sought through the HRA and provided by a REC. Devices should be labelled “exclusively for clinical investigations”.

Does the technology conform to the NICE standards framework?

The National Institute for Health and Care Excellence (NICE) has produced a standards framework for digital health technologies that describes the evidence for effectiveness standards that different classes of medical devices need to achieve. Not complying with this framework may affect the reimbursement you receive.

Does the technology conform to the requirements of NHS Digital Clinical Risk Management and Deployment of health IT systems standards?

Before being deployed in the NHS, data-driven technology that is a health IT system must conform to the requirements of NHS Digital clinical risk-management standards in the manufacture and deployment of health IT systems.

Does the technology conform to the Guide to Good Practice for Digital and Data-Driven Health Technologies?

The development and deployment of data-driven technologies intended for the health and care system should ideally comply with the Department of Health and Social Care guide to good practice for digital and data-driven health and care technologies. The guide encourages technology companies to meet a gold-standard set of principles to protect data to the highest standards. The guide provides evidence of what good practice looks like, thereby reassuring patients, service users, and clinicians that data-driven technology is safe, effective and maintains privacy. It also aims to make sure that the NHS gets a fair deal from the commercialisation of its data resources.
