The lawful reasons below have been identified under GDPR; these enable the Trust to process personal data without the requirement to seek consent from the data subject.
Direct Care
All health and adult social care providers are subject to the statutory duty under Section 251B of the Health and Social Care Act 2012 to share personal data about a patient for their direct care. In addition, 9 (3) applies when sharing information for direct care with third party or voluntary sector organisations.
6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9 (2) (h): Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
9 (3): Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Safeguarding
The Children Act 1989 establishes implied powers for local authorities to share personal data to safeguard children. The Care Act (2014) also allows local authorities to request help from Foundation Trusts to safeguard and promote the welfare of children within their area who are in need.
The CA sets out a clear legal framework for how local authorities and other parts of the system should protect adults at risk of abuse or neglect. Local authorities have a duty to make enquiries where an adult is experiencing or is at risk of experiencing abuse or neglect, and have a duty to collaborate with partners generally and in specific cases.
6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9 (2) (b): Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.
Commissioning and Planning Purposes
Most national and local flows of personal data in support of commissioning are established by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
These flows do not operate on the basis of consent for confidentiality or data protection purposes. Where the collection or provision of personal data is a legal requirement, GDPR still needs to be complied with.
The appropriate lawful reasons for providers of the personal data are 6 (1) (e) and 9 (2) (h) under Section 251B of the Health and Social Care Act 2012. When the processing is not supported under Section 251B of the Health and Social Care Act 2012, the lawful reasons are 6 (1) (c) and 9 (2) (h).
6 (1) (c): Processing is necessary for compliance with a legal obligation.
6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9 (2) (h): Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
Research
For research purposes, the common law duty of confidentiality must still be met through consent. This requirement has not changed under the GDPR. Consent is still needed for people outside the care team to access and use service user personal data for research, unless you have Section 251B of the Health and Social Care Act 2012 support.
Regulatory and Public Health Functions
6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9 (2) (j): Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
For performing regulatory and public health functions the below lawful reasons are both required. This function would also include processing contracts that the Trust has entered into.
6 (1) (c): Processing is necessary for compliance with a legal obligation.
9 (2) (i): Processing is necessary for reasons of public interest in the area of public health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Employment purposes (staff, volunteers and participants)
For employment purposes the lawful reasons below for lawful processing will apply; this includes special categories of data such as health data for employment purposes.
All: 6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Staff and volunteers: 9 (2) (b): Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.
Participants: 9 (2) (i): Processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
Personal data processed in relation to the Disclosure and Barring Service (DBS checks) falls under the GDPR (Article 10) and the provisions of the Safeguarding Vulnerable Groups Act 2006.
Foundation Trust Governors and Members
The NHS Act 2006 sets out the legal requirements of an NHS Foundation Trust.
6 (1) (c): Processing is necessary for compliance with a legal obligation to which the controller is subject.
6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9 (2) (g): Processing is necessary for reasons of substantial public interest.