Lawful bases for processing
Purpose of using personal data | Legal basis of processing | Special category of data |
Provision of direct care and related administrative purposes, e.g., e-referrals to hospitals or other care providers | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. |
For commissioning and healthcare planning purposes, e.g., collection of mental health data set via NHS Digital or local | GDPR Article 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
For planning and running the NHS (other mandatory flow), e.g., CQC powers to require information and records | GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice); Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC) | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
For planning & running the NHS – national clinical audits | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
For research | GDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject; GDPR Article 6(1)(e) – the performance of a task carried out in the public interest; GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes |
For safeguarding or other legal duties | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest; Regulation 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(b) – purposes of carrying out the obligations of ..social protection law. |
When you request us to share your information, e.g., subject access requests | GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(1)(a) – explicit consent |