Skip to main content

What is our 'lawful basis' for processing your personal data?

Under the UK General Data Protection Regulation (UK GDPR), we must explain the ‘lawful bases’ we rely on for processing your personal data. This means that we have to explain what laws we are using to justify processing your data. We always ensure these arrangements protect your privacy.

We need to process personal data to carry out a public task

This is the most likely reason we will need to process personal data. It means that we are processing personal data in order to carry out functions which are in the public interest and which are based on the law.

The NHS has many duties and obligations. Many of these come from specific legal documents, and the laws usually explain what can and can’t be done with relevant personal data. Almost all these laws are intended to benefit the public and are considered to be in the ‘public interest’.

The most important law for the NHS in Wales is the National Health Service (Wales) Act 2006. Most of what we do under this law explains how we must carry out a range of activities in the substantial public interest. This law explains the health services that must be provided in Wales, under the instructions of the Welsh Ministers.

As a health service, when we work with personal information we also need to consider the Common Law Duty of Confidence, which restricts the ways in which we are allowed to process confidential health information. This law is particularly important when we work with partner organisations. Information should only normally be disclosed in identifiable form when that disclosure is within your reasonable expectations. This will generally be  for direct care purposes – including local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes –, and should always be supported by effective technical and organisational measures.

There are, however, other circumstances in which we may disclose confidential health information in identifiable form. These include:

·         where we have a legal obligation to do so or where a specific law permits disclosure. For example, we may disclose identifiable health data in the presence of an order of the court or where authorised by The Health Service (Control of Patient Information) Regulations 2002.

·         where there is a strong public interest in disclosure that outweighs the public interest in maintaining confidentiality and a clinician has authorised a proportionate disclosure to achieve the stated purpose. An example of this may be a disclosure to a local police force to support the prevention, detection or prosecution of serious crime.

·         Lastly, the UHB may disclose confidential information where you have agreed to the disclosure or where we are satisfied that the nature and purpose of the disclosure are within your reasonable expectations.

As a key partner within the public sector in the region, there is a range of other laws that allow us to support our partners to promote and maintain health, well-being and patient independence.

Each of these laws creates an expectation that the health service shares relevant personal information with individual partners based on specific laws:

·         The Social Services & Well-Being (Wales) Act 2014 provides for the NHS to support local authority social services to assess people’s need for care and support, and to take part in planning care for patients.

·         The Children (Wales) Act 2004 provides for the health service to cooperate with local authority in order to promote the well-being of children and young people.

·         The Additional Learning Needs and Education Tribunal (Wales) Act 2018 requires health boards to cooperate with the Local Education Authority to ensure that people under 19 who have additional needs that should be met to allow them to participate in education.

·         The Mental Health (Wales) Measure 2010 sets out a range of rules for the way in which the health service must cooperate with local authority social services in order to carry out mental health assessments and, if needed, to provide appropriate treatment, care and / or support.

In all circumstances, whether working with partner organisations or within the health service, we expect staff working under public tasks only to process the minimum data necessary for the task.

A Note About Consent to Process

The Information Commissioner explains that public services will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent. Most of the work we do with data is part and parcel of the service we provide: we could not provide safe and effective care without keeping data about it.

Your agreement will sometimes be requested before we carry out a test, procedure or examine you, for example. This agreement does not relate to the recording of personal data.

 

We need to process personal data to save a life (‘vital interests’)

Health services are at the forefront of efforts to save life. The law allows the NHS to take action to save life if it is not possible to check with the person that they agree to this. This is known as a situation affecting a person’s ‘vital interests’. This is usually in emergencies when a person may be unconscious or otherwise unable to agree to be helped.

We need to process personal data because we have a legitimate interest in doing so

Your personal data as a patient will rarely be collected for the purposes of a legitimate interest of the health board. Most of what we do is based on providing health services as a public task. Where we do consider collecting data under legitimate interests, it will be explained to you clearly and you are likely to have the right to object to what we propose to do. We will often have prepared a ‘legitimate interests assessment’ which explains why we think our legitimate interests are greater than the interests of the public. These will NOT usually be health care purposes but business purposes, such as ensuring the UHB website is maintained appropriately and meets your needs.

From time to time, ‘legitimate interests’ may be used as an emergency measure to gather data (e.g. during pandemics) until an appropriate public task can be created by law.

We sometimes work with partner organisations that are not public services, such as charities and voluntary organisations. The data processing that they do will usually be carried out in their legitimate interests as an organisation of a particular type. The Health Board will ensure it is satisfied with the privacy practices of potential partner organisations before they process data and before we will share any information with them.

We have sought your consent to process data for another purpose

In the very rare circumstances in which we seek your explicit consent to process data, our request will use clear and plain language. You will have the right to withdraw your consent and we will make it as easy for you to withdraw consent as it was for you to provide it. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. We will never seek your consent to process data where that processing is necessary for the delivery of healthcare.

 

Follow us: