The “Legal Basis” for processing sensitive health data

There are several occasions when the legal basis for processing health data needs to be identified, particularly in relation to data sharing and processing arrangements and when carrying out a Privacy Impact Assessment. This discussion is limited to those occasions when explicit consent is not available and the processing is not part of the direct care pathway. It also does not cover objections to such processing.

Legal Requirements
Such processing must satisfy the applicable data protection legislation. It must also not breach the common law duty of confidence. These are separate and distinct requirements. Unfortunately there has been a historic tendency to confuse or merge them. The common law duty effectively limits the ability to share to direct care (where consent may typically be implied from the consent to treatment).
So when talking about "legal basis" there are in fact two legal bases required:

(1) The legal basis for processing confidential data in compliance with the common law duty of confidence
(2) Compliance with the first data protection principle, in terms of identifying the required Schedule 2 and Schedule 3 conditions

Current Position
In the absence of consent the only likely bases for dis-applying the common law duty of confidence are statutory authority under s251 National Health Service Act 2006 and the Health Service (Control of Patient Information) Regulations 2002, or a public interest justification. Public interest can itself be a basis for s251 authority, but s251 has the alternative basis "in the interests of improving patient care", which means that the full "public interest" test need not be satisfied. See the HSCIC Code of Practice on Confidential Information.

Secretary of State approval under Regulation 5 is the most common means. Such approvals cover the whole range of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and social care services (see s251(12)(a) National Health Service Act 2006). Authorisations are limited to what is necessary (s251(4) and Regulation 7).

In the absence of a formal s251 approval it is also possible to make a decision based on public interest. In such cases there must be a proper assessment of necessity and proportionality. This is covered in the NHS "Supplementary Guidance: Public Interest Disclosures" issued to support the 2003 Confidentiality Code.

Processing under s251 or a properly assessed public interest will ensure the processing is not unlawful, in terms of the first data protection principle, for breach of confidence. It does not however provide a condition for processing under either Schedule 2 or Schedule 3 of the Data Protection Act. Neither s251 nor public interest creates any functions; they simply enable existing functions. As Caldicott 2 puts it:

The powers under the section 251 regulations only provide relief from the common law duty of confidence. Any activity taking place with the support of section 251 must still comply in full with the Data Protection Act.

(Caldicott 2: To Share or Not to Share: The Information Governance Review, page 69.)

Where s251 approval or a public interest justification exists it should not be difficult to find a Schedule 2 condition under the Data Protection Act. It will be one or more of:
(a) Condition 3: The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract
(b) Condition 5(b) The processing is necessary— … for the exercise of any functions conferred on any person by or under any enactment
or
(c) Condition 6 The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

For practical purposes, however, Condition 6 may be ignored. If neither of the other conditions applies then there will almost certainly be no case to proceed, as there is no Schedule 3 equivalent to Condition 6. Which of the other conditions applies may involve careful consideration of whether the function is a duty or a power. If it is only a power, the necessity and proportionality tests will generally be harder to satisfy and Condition 3 is not available.

A Schedule 3 condition is also required. This will typically be either:
(a) Condition 7(1)(b) The processing is necessary— … for the exercise of any functions conferred on any person by or under an enactment or
(b) Condition 8 The processing is necessary for medical purposes – “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services

As noted above, where the processing relies on Condition 7(1)(b) it is important to note that s251 does not create a function, so on its own it cannot be the "enactment" which invokes Condition 7(1)(b). This was made clear in Caldicott 2 (see above).

The function in these cases will typically be one of the duties or powers in the National Health Service Act 2006 as amended by the Health and Social Care Act 2012. See also the NHS Commissioning Board guidance "The Functions of Clinical Commissioning Groups". Most such functions will also engage Condition 8.

In practice, where "legal basis" is documented it is simply recorded as "s251 Approval". This applies at all levels in the NHS. For example there is Confidentiality Advisory Group (CAG) approval for CCG processing for invoice validation. The legal basis is typically referred to as "s251". However, within the CAG approval the purpose is identified as "Medical Purposes – the management of health and social care services".

So here the first legal basis (lawfulness under the law of confidentiality) is s251 and the second legal basis (under data protection) is "Schedule 2 Condition 6 and Schedule 3 Condition 8". Although not identified by CAG, Condition 7(1)(b) will also apply in this and most cases. The statutory duty would be (amongst others) the duty under s3 NHS Act 2006 / s13 Health and Social Care Act 2012 to commission services.

In reality this lack of clarity does not currently cause any compliance problems, as the legal requirements for recording and publicising "legal basis" are vague.

The impact of GDPR
The basic legal framework under GDPR will not change significantly. It will be supplemented by a new Data Protection Act. The common law of confidentiality, and therefore the first legal basis issue, will remain.

The second legal basis is also effectively unchanged and will require:
(1) An article 6 condition. This will be either
a. Condition C: processing is necessary for compliance with a legal obligation to which the controller is subject e.g. the duty under s3 NHS Act 2006/ s13 Health and Social Care Act 2012
b. Condition E: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This will include "the exercise of a function conferred on a person by an enactment". See Data Protection Bill clause 7(c)

(2) An article 9 condition. This will be either
a. Condition G: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. This includes "the exercise of a function conferred on a person by an enactment." See clause 9(3) and Schedule 1 Part 2 Paragraph 6(2)(c) of the Data Protection Bill
b. Condition H: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. See also clause 9(1) and Schedule 1 Part 1 of the Data Protection Bill

Whilst the underlying principles remain unchanged, there will be significant risks in continuing the current relaxed attitude to recording "legal basis".

Article 13(1)(c) requires privacy notices to identify the legal basis for processing. Consideration of the use of "legal basis" in GDPR generally makes it clear that this refers to the conditions in Articles 6 and 9. Accordingly, referring to s251 as the "legal basis" will not satisfy Article 13. Under Article 35 (data protection impact assessments) the legal basis under Article 6 or 9 will need to be identified as part of the mandatory assessment of necessity. Article 24 requires data controllers to demonstrate compliance with the GDPR; clearly this includes recording the "legal basis" for processing. Article 5(2) also specifically requires demonstration of compliance with lawfulness, which includes identifying the Article 6 legal basis. Recital 41 requires that any legal basis be "clear and precise".

It follows that, going forward, processes and guidance should be adapted to ensure that the full legal basis in GDPR terms is identified. This will be particularly important for:
(1) Privacy Notices
(2) Data Protection Impact Assessments
(3) Data Sharing / Processing Arrangements
