Data Protection Act 2018 and legal basis for processing

All of the personal information that we collect and use is handled in accordance with the Data Protection Act principles. These state that personal data processing must be:

  1. lawful and fair
  2. specified, explicit and legitimate
  3. adequate, relevant and not excessive
  4. accurate and kept up to date
  5. kept for no longer than is necessary
  6. in a secure manner.

As an NHS hospital we have been authorised by the government to provide healthcare and must keep accurate records for this. Under GDPR our legal basis for processing patient information is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject,

Article 6(1)(d) – processing is necessary in order to protect the vital interests of the data subject or of another natural person,

Article 6(1)(e) – the performance of a task carried out in the public interest or in the exercise of the controller’s official authority,

Article 9(2)(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, and

Article 9(2)(h) – the provision of health or social care or treatment or the management of health or social care systems and services.

Last updated: October 7, 2020