Legal basis for processing information
You need to understand the term ‘Legal Basis’. This is because you must be able to justify and articulate the legal basis on which you collect and process all personal data that you hold.
The 6 legal bases for processing data are:
1. Consent
The individual has given clear consent for you to process their personal data for a specific purpose. This is not an appropriate legal basis for patient record keeping or for staff employment records. It is appropriate for direct marketing, automated decision making e.g. texts and emails and for permission to share information with another individual e.g. a family member or other named person.
2. Contract
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This is an appropriate reason for processing data supplied to a patient payment plan provider or for a contract with a patient or employee.
3. Legal obligation
The processing is necessary for you to comply with the law or a statutory requirement e.g. GDC standards, NHS regulations or HMRC requirements.
4. Vital interests
The processing is necessary to protect someone’s life. This could be applied to the patients’ medical histories but there may be other more appropriate legal bases for this.
5. Public task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This could be used for processing information in relation to patients who are treated under the NHS, because practices that hold an NHS contract are viewed as ‘public authorities’. You can also use legal obligation and contract for this.
6. Legitimate interests
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This can’t be used for processing information in relation to patients treated under the NHS but it could be used for processing information in relation to treatment provided under private contract.
Determining the most appropriate legal basis for the information you hold
More than one legal basis may apply to the differing personal data you hold and the uses to which you will put that data.