Lawfulness of the processing

The processing of information must be lawful, and therefore requires a lawful basis.  You must choose one or more lawful bases from Article 6 below for processing personal information and one or more from Article 9 below if you are processing special category data (i.e. race, ethnicity, religion, health, sexual orientation, genetic and biometric data, political opinion).

Please note:

  • Choosing ‘consent’ as the lawful basis will overrule all other lawful bases, so only use ‘consent’ where no other lawful basis applies.
  • If the purpose of processing is not direct care, i.e. where personal information is required for secondary uses such as data analysis, reporting etc., be aware that where a patient has opted out of their information being used for secondary purposes (i.e. as per the National Data Opt-Out), you will not be able to use their data.

For additional help in deciding the legal basis you can use this interactive tool from the ICO:

https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/lawful-basis-interactive-guidance-tool/

Your IG Team are available to help you identify the legal route for processing data.

Article 6 Article 9
1(a) Consent

Consent of the data subject

ONLY use where another legal basis is not applicable, or for secondary use of the information.

 

2(a) Consent

Explicit consent of the data subject unless reliance on consent is prohibited by EU or Member State law.

ONLY used where another legal basis is not applicable, or for secondary use of the information.

1(b) Contract

Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract.

2(b) Legal obligation

Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

1(c) Legal obligation

Necessary for compliance with a legal obligation (not including contractual obligations).

2(c) Vital interests

Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.

1(d) Vital interests

Necessary to protect the vital interests of a data subject or another person.

2(d) Not-for-profit bodies

Legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Only processing data of individuals in regular contact with the not-for-profit body.

It is anticipated that this lawful basis would very rarely apply.

1(e) Public task

Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This lawful basis is usually selected for projects to support direct care which process PERSONAL information.

2(e) Made public by the data subject

Processing relates to personal data which is made public by the data subject.

It is anticipated that this lawful basis would very rarely apply.

1(f) Legitimate interests

Necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Please note, public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

2(f) Legal claims

Purpose of the processing is to establish, exercise or defend legal claims or when the courts are acting in their judicial capacity.

It is anticipated that this lawful basis would very rarely apply.

2(g) Substantial public interest

‘Necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.

It is anticipated that this lawful basis would very rarely apply.

2(h) Medical treatment

Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care treatment or management of health or social care systems or a contract with a health professional.

This lawful basis is usually selected for projects to support direct care which process PERSONAL information.

2(i) Public Health

‘Necessary for the reason of public interest in the area of public health, such as protecting against serious cross border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices’.

2(j) Archiving, research and statistics

‘Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.

It is anticipated that this lawful basis would very rarely apply.

 

 

If you have chosen consent as your legal basis, describe how you will record consent and its removal if the patient changes their mind.

Note:  Consent has to be verifiable and cannot be inferred from silence, pre-ticked boxes or inactivity.

Explicit consent is recorded when staff create their account on the Tempo portal.