Legal Basis for Processing Patient Data

Lawful bases for processing

| Purpose of using personal data | Legal basis of processing | Special category of data |
| --- | --- | --- |
| Provision of direct care and related administrative purposes, e.g., e-referrals to hospitals or other care providers | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems |
| For commissioning and healthcare planning purposes, e.g., collection of mental health data set via NHS Digital or local | GDPR Article 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
| For planning and running the NHS (other mandatory flow), e.g., CQC powers to require information and records | GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice); Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC) | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
| For planning & running the NHS – national clinical audits | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest | GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems; Special category 9(2)(i) – public interest in the area of public health |
| For research | GDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject; GDPR Article 6(1)(e) – the performance of a task carried out in the public interest; GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes |
| For safeguarding or other legal duties | GDPR Article 6(1)(e) – the performance of a task carried out in the public interest; Regulation 6(1)(c) – compliance with a legal obligation | GDPR Article 9(2)(b) – purposes of carrying out the obligations of ..social protection law. |
| When you request us to share your information, e.g., subject access requests | GDPR Article 6(1)(a) – explicit consent | GDPR Article 9(1)(a) – explicit consent |