Digitising your healthcare organisation can be important. The rapid expansion of CareTech means that the sector is flush with opportunities to develop service offerings. However, the data held and processed by this technology is more sensitive than most, and failure to protect data subjects could have significant legal and reputational repercussions for care providers.

This article provides you with some useful stepping-stones towards data protection compliance, during both adoption and operation.

Impact

One of the most important steps to take before you adopt the technology is to conduct a Data Protection Impact Assessment where the new technology could pose a risk to the rights and freedoms of data subjects. This will help you understand the risks you face and indicate what steps you must take to ensure the rights and freedoms of individuals are protected.

You should also consider the potential for a system’s functions, or its failure to function, to have real, physical impact on a service user – for example if a treatment notification system fails to prompt a patient to use their medication. While new tools have great potential to improve efficiency, it is important to realistically appraise their reliability and ensure that adequate fail-safes and redundancies are implemented in proportion to that risk.

Due Diligence

When considering any new technology or system, it is important to perform your own basic due diligence exercise and not just rely on the sales pitch or the ‘commonality’ of the software’s use by others in the sector. Asking the right questions will highlight risk factors – for example, where is the provider located? If they are headquartered, or hold their data storage, outside the UK or EEA, you will need to ensure additional safeguards are in place. Beyond that, you may wish to establish whether they are registered with the Information Commissioner’s Office, have a Data Protection Officer, hold any relevant industry-standard accreditations, or comply with the NHS Data Security and Protection Toolkit.


What is your proposed lawful basis for processing? The adoption of new technology will almost certainly allow you to process information in new ways. You are legally obliged to establish a lawful basis for each process, and your existing framework may not be sufficient.

Data Sharing

Who does the provider share data with and can they sub-contract their obligations to other organisations? As a data controller, you need to understand how your processors will handle the data and where it could end up. If your new provider is likely to sub-contract some of the service, additional contractual safeguards will be necessary.

Sensitive Information

Will the technology process data relating to vulnerable individuals, special category data, criminal conviction data or other sensitive information? Working in healthcare, the answer is almost certainly yes, and, as a data controller, you will be responsible for ensuring your processors are handling it appropriately from both a contractual and technical perspective.

Monitoring and automated decision-making

Is the technology a form of monitoring, or does it evaluate, score or make automated decisions? This is particularly relevant in AI or machine learning applications – data subjects (such as your clients) have the right not to be subjected to fully automated decisions which produce a “legal effect… or similarly affects him or her”, and healthcare decisions are almost certain to be considered similar for this purpose. Therefore, if you intend to use these tools, you will need to carefully consider the extent of the automated decisions, and carefully manage data to ensure only data with the appropriate consents is exposed to these processes.

Ongoing actions

It is important to recognise that the data compliance journey is never really ‘complete’. The previous factors should be considered when adopting new technology, but the issues below can be addressed either on an ongoing basis or at the start of a new contract:

  • Ensure your contracts with technology providers meet the minimum requirements laid out in Article 28 UK GDPR and reflect the real-life roles of the parties and the actual data flows. If this is not the case, you should consider taking steps to vary the contract or, where this is not possible, ensure that the necessary revisions are agreed when the contract is renewed.
  • Continually update your IT inventory and Processor Registers as new technologies are implemented. This will help ensure you maintain a good understanding of how and where the various types of personal data are processed.
  • Check whether your privacy policies and notices (aimed at service users, the public, employees or workers) meet transparency requirements in respect of the new technology and reflect its real-world use. If not, update them.
  • Continually review your training processes – do they need to be revised in light of the new technology? Human error is a significant factor in the majority of data breaches, and the ICO will consider the level of staff training when considering the proportionality of its response to any complaints.

By following this guide, you can ensure that your new technologies do not give rise to unknown risks for the business and its service users.


If you have any further queries regarding the process of digitising your healthcare organisation, please feel free to contact our Intellectual Property and Information Technology team.