December 18, 2025

Data protection for AI and MedTech in the care sector – top tips from our legal experts

AI and Medical Technologies (MedTech) are transforming operational efficiency, improving service user experiences and supporting employees across the care sector. From ambient AI being used to transcribe interactions with service users, to wearable devices enabling the collection and monitoring of health data, advances in MedTech bring both opportunities and risk.

Because care providers bear a heightened responsibility to handle sensitive personal data carefully and to comply with data protection law, they must take a proactive approach when adopting new technology.

Our top five data protection considerations for care providers when using AI or MedTech

  • 1. Identify risks early – use Data Protection Impact Assessments (DPIAs)

    Before adopting any AI/MedTech solutions, care providers should consider the impact of the technology on the privacy of individuals.

    A Data Protection Impact Assessment (DPIA) must be undertaken where the processing is likely to result in a high risk to individuals, which is often the case in health and social care settings, where special category data such as health data is routinely processed.

    Undertaking a DPIA will help analyse and identify risks, and by being proactive, care providers can consider and put in place appropriate safeguards before new technology is introduced.

  • 2. Review the terms – do you understand the rights being granted to suppliers?

    Care providers should carefully review the contractual terms in place with AI/MedTech suppliers to ensure they understand exactly what rights are being granted over the personal data.

    Care providers should make sure:

    • the parties are clear on how data is accessed, used and shared;
    • the role of the supplier with regard to the data (for example, whether it acts as a processor on the care provider's instructions or as a controller in its own right) is clearly set out; and
    • there are appropriate limits in place about how and for what purpose data can be used by the supplier.

    Suppliers may seek to include broad rights for themselves to use the data for their own purposes, including development and training of their technology, or analytics. Overly generous terms should be scrutinised to ensure service user privacy is properly protected.

  • 3. Transparency – be clear about what’s happening to your data

    Transparency is one of the cornerstones of data protection, particularly when introducing new technology. Individuals, whether it’s employees or service users, have the right to understand how their data is being collected and used. Internal and external facing documents such as privacy notices and policies should be regularly reviewed and updated as new tools are introduced.

    But it’s not just about having the right documents, it’s about making sure people understand them. Avoiding jargon, considering the ways in which the notices and policies will be communicated and, where appropriate, taking the time to explain new technologies and what they mean for data use can help with this, whilst maintaining trust and avoiding overwhelm.

  • 4. Data Mapping – know what you’re working with

    To fully understand the extent of the applicable data protection obligations, it is crucial that care providers have a comprehensive and up-to-date record of the personal data they hold and process. This will help identify what data is collected, where it is stored, how it flows between systems and who can access it.

    Without a full picture, it will be difficult to spot compliance gaps, fully assess the risk involved with bringing in new technology or put in place appropriate safeguards. Data maps should also be updated whenever new technology or systems are introduced to the business.

  • 5. Build in data protection from the start of any project

    Ultimately data protection should not be seen as a tick-box exercise and instead should be embedded into every stage of a project from the outset.

    From design and configuration to user access and system settings, a privacy-first approach that uses only the data strictly necessary will help to reduce risk, demonstrate compliance and show a commitment to protecting individuals' rights.

Why does it matter?

The use of AI and MedTech in the care sector offers clear benefits but care providers must ensure that data protection is a core part of how these technologies are assessed, implemented and managed. Getting the foundations right is essential for legal compliance as well as protecting the rights of those receiving care.  

By way of stark reminder, the ICO recently issued a fine of £2.3 million relating to 23andMe’s failure to adequately secure sensitive user data (which included health data), and in particular, to put in place (amongst other things) multi-factor authentication, secure password protocols, and effective systems to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information. 

Remember that care providers must meet the National Data Guardian's 10 data security standards for protecting confidential personal data. In addition, all care providers who work under the NHS Standard Contract must register with the Data Security and Protection Toolkit (DSPT), and the CQC expects providers to demonstrate compliance with it. Having a strategy for protecting your IT systems, and contracts with IT suppliers that hold them to account for the way they handle your information, will help with meeting these requirements.

How we can help you with data protection compliance.

Advising on policies and procedures. Ensuring contracts are compliant. Responding to subject access requests. Navigating correspondence with the ICO. We’ve got your back.
