Annex 1: Lawful basis for processing including basis of legitimate interest

Direct Care

All Health and Adult Social Care providers are subject to the statutory duty under Section 251B of the Health and Social Care Act 2012 to share personal data about patients for their direct care.

  • GDPR UK Article 6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

And:

  • GDPR UK Article 9(2)(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

DPA Schedule 1, Part 1, Section 2

Safeguarding of individuals at risk

Key organisations, including NHS Trusts, have an obligation to ensure arrangements are in place to safeguard and promote the welfare of individuals at risk.

  • GDPR UK Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject *See below for detail of legal obligations

And:

  • GDPR UK Article 9(2)(g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

DPA Schedule 1, Part 2 Section 18

Compliance with data subject rights

The processing of personal data in the delivery of individuals' / third-party rights is supported under the following Article 6 and 9 conditions of the GDPR:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

Or

  • GDPR UK Article 6(1)(a) "The data subject has given consent to the processing of those personal data for one or more specified purposes"

Internal investigation of complaints and concerns

The processing of personal data in support of internal investigations and complaints is supported under the following Article 6 and 9 conditions of the GDPR:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And:

  • GDPR UK Article 9(2)(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

DPA Schedule 1, Part 1, Section 2

Investigation and response of complaints and concerns from an external party (excluding ombudsman)

The processing of personal data in support of internal investigations and complaints is supported under the following Article 6 and 9 conditions of the GDPR:

  • GDPR Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And

  • GDPR Article 9(2)(a) The data subject has given EXPLICIT consent to the processing of those personal data for one or more specified purposes.

Investigation and response of complaints and concerns via national bodies such as ombudsman / GMC / NMC / HCPC

The processing of personal data in support of internal investigations and complaints is supported under the following Article 6 and 9 conditions of the GDPR:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And

  • GDPR UK Article 9(2)(i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject.

DPA Schedule 1, Part 1, Section 3

Commissioning and Planning Purposes

Information is sent to the commissioners of our services, the Integrated Care Board, who pay us for providing our services. We are also required to report to NHS England and the Department of Health on our activities and performance. These uses of information would almost never involve a person looking at individual records. Most submissions of data outside the Trust are made by computer and sent securely. Only very rarely would someone need to check the submissions we make to focus on a specific person, and even then it is unlikely that the information would easily identify an individual.

KMPT also undergoes external audit by the Audit Commission or other professional bodies given the legal authority to carry out audits. These audits may involve reviewing information in patient records to ensure accuracy, completeness and the competency of the staff employed by the Trust. It would rarely be the case that the auditors would ever be interested in knowing about individual patients, and only in extreme cases of misconduct or incompetence in the Trust would they be interested in tracing an individual.

Most national and local flows of personal data in support of commissioning are established by NHS Digital, either centrally or, for local flows, by the Data Services for Commissioners Regional Offices. These flows do not operate on the basis of consent for confidentiality or data protection purposes.

The legal bases supported by the GDPR provisions are:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And

  • GDPR UK Article 9(2)(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

DPA Schedule 1, Part 1, Section 2

Research

For research purposes, the common law duty of confidentiality must still be met through consent. This requirement has not changed under the UK GDPR. Consent is still needed for people outside the care team to access and use service user personal data for research, unless the research is supported by Section 251B of the Health and Social Care Act 2012 or the data is anonymized (no longer identifiable).

The legal bases supported by UK GDPR provisions are:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And

  • GDPR UK Article 9(2)(j) Processing is necessary for archiving purposes in the public interest, or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1).

DPA Schedule 1, Part 1, Section 4

Surveys

In some cases, the Trust may commission a survey for a specific reason, such as monitoring improvement in care; this may be commissioned with the explicit consent of those taking part or on another legal basis, e.g. the Community Mental Health Survey hosted by the CQC, or mental health inpatient surveys.

The Trust may contract third party organisations to work on survey development and analysis on its behalf. In such circumstances, participants will be notified in advance of their data being gathered.

The legal bases supported by UK GDPR provisions are:

  • GDPR UK Article 6(1)(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject *See below for detail of legal obligations

And

  • UK GDPR Article 9(2)(a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

Statutory Disclosure

The Trust may be legally required to share personal data concerning health with law enforcement and regulatory bodies such as: NHS England, the Police, Courts of Justice, HMRC, DVLA, Medico-Legal, NHS Counter Fraud, and the Health Service Ombudsman.

In some circumstances, disclosure may be required for the purposes of:

  • Safeguarding, investigation, prevention or detection of crime;
  • apprehension or prosecution of offenders;
  • the assessment or collection of any tax or duty or, of any imposition of a similar nature;
  • providing medical reports in connection with legal action.

Employment (Staff and Volunteers)

For employment purposes the lawful reasons for processing below will apply; this includes special categories of data, such as health data, processed for employment purposes.

  • GDPR Article 6(1)(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

And

  • GDPR Article 9(2)(b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.

DPA Schedule 1, Part 1, Section 1

Personal data processed in relation to the Disclosure and Barring Service (DBS checks) falls under UK GDPR Article 10 and the provisions of the Safeguarding Vulnerable Groups Act 2006.

Criminal conviction

The Trust may sometimes process data relating to criminal convictions where this data forms part of a significant life event, or where the nature of the data may have a bearing on the individual's healthcare and treatment.

The Trust ensures that personal data relating to criminal convictions that it collects about individuals is used only for healthcare and treatment related purposes, or where there is a statutory obligation to share that data with regulatory bodies (e.g. courts or police).

Legal basis for processing data relating to criminal conviction in the area of Health care and Treatment

The Trust ensures that the processing of special categories of personal data and criminal convictions data, where necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of healthcare and treatment under UK GDPR Article 9(2)(b), is permitted under DPA Section 10(1)(c):

  • The processing is necessary for the management of health and social care purposes.

Additional conditions for processing data relating to criminal convictions are supported by DPA Schedule 1, Part 1.

Legal obligations

  • UK GDPR
  • Health and Social Care (Quality & Safety) Act 2015
  • Health & Social Care Act 2012
  • Care Act 2014
  • The Children Act 1989
  • The Children Act 2004
  • Childcare Act 2006
  • Children (Leaving Care) Act 2000
  • Children and Families Act 2014
  • National Health Service Act 1977
  • National Health Service Act 2006
  • Education Act 2002
  • Special Education Needs and Disability Regulations 2014
  • Localism Act 2011
  • Immigration and Asylum Act 1999
  • Crime and Disorder Act 1998