Legal Basis for processing patient data
| Purpose of using personal data | Legal basis of processing | Special category of data |
|---|---|---|
| Provision of direct care and related administrative purposes<br>e.g., e-referrals to hospitals or other care providers | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. |
| For commissioning and healthcare planning purposes<br>e.g., collection of mental health data set via NHS Digital or local | GDPR Article 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.<br>Special category 9(2)(i) – public interest in the area of public health |
| For planning and running the NHS (other mandatory flow)<br>e.g., CQC powers to require information and records | GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice)<br>Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC) | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.<br>Special category 9(2)(i) – public interest in the area of public health |
| For planning & running the NHS – national clinical audits | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.<br>Special category 9(2)(i) – public interest in the area of public health |
| For research | GDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.<br>GDPR Article 6(1)(e) – the performance of a task carried out in the public interest<br>GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes |
| For safeguarding or other legal duties | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest<br>Regulation 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(b) – purposes of carrying out the obligations of ..social protection law. |
| When you request us to share your information e.g., subject access requests | GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(1)(a) – explicit consent |