Part of A buyer's guide to artificial intelligence in health and care
What data protection protocols do you need to safeguard privacy and comply with the law?
Data protection must be embedded into every aspect of your project. You’ll need to create a data flow map that identifies the data assets and the data flows (the exchanges of data) related to your AI project.
Data governance
Where the data flow map identifies data being passed to and processed by a data processor (the vendor) on behalf of a data controller (your organisation), you’ll need a legally binding written data processing contract, otherwise known as an information sharing agreement.
Further information governance measures depend on the purpose of the data processing and whether the data being processed could identify individuals. If individuals can be identified, this is sensitive personal data and you must complete a Data Protection Impact Assessment.
Rights of individuals over the use of their personal data
Where identifiable data is being processed, individuals have the right to:
- be informed about how their personal data is collected and used
- give consent to the use of their data
- access their data
You should ensure that use of data for the AI project is covered by your organisation’s data privacy notice. You’ll also need to document what’s in place to mitigate the risk of a patient or service user being re-identified in an unauthorised way from the data held about them.
Last edited: 16 June 2025 4:04 pm