GDPR — Lawful grounds for processing data

We explain the legal grounds for processing data under the General Data Protection Regulation.

Following the data mapping process, health and social care organisations will need to articulate the purpose for each category of their data processing and identify the lawful basis for processing the data identified. This briefing highlights the relevant changes to processing conditions pursuant to GDPR.

Lawful grounds for processing data

In order to ensure compliance with the GDPR, it is important for organisations to identify and record the lawful ground(s) they are relying on in order to justify their processing of personal data.

An awareness of the ground(s) relied upon is necessary to understand the extent of the obligations. This is because some of the data subject’s rights are contingent upon the controller’s reliance on particular grounds. This information will also need to be contained within privacy notices provided to the data subject.

Existing privacy notices will need to be reviewed and revised as appropriate in order to achieve compliance.

In order for the processing of personal data to be lawful under the current regime, a relevant Data Protection Act 1998 (DPA) processing condition must be met. The processing of personal data can only be justified if it is carried out in accordance with a Schedule 2 condition. In addition, compliance with a Schedule 3 condition is required for the processing of sensitive personal data. In the GDPR the equivalent provisions are contained in Articles 6 and 9 respectively.

Article 6 GDPR

Article 6(1) identifies six lawful grounds for processing personal data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public interest task
  • Legitimate interests

In a potentially significant change from the current regime, public authorities may not rely on the legitimate interests ground for processing conducted in the performance of their tasks.

However, they can rely on the condition in Article 6(1)(e), which applies to processing that is necessary for the performance of a task carried out in the public interest.

The current draft of the Data Protection Bill (DPB) specifies that this includes functions conferred under an enactment. It is likely that hospitals and care homes that provide services on a private basis will look to rely on Article 6(1)(b), (c) and/or (f).

Article 6(1)(b) concerns processing necessary for the performance of a contract. The extent to which the ground will be relevant in the health and social care context remains unclear.

The contract referred to in Article 6(1)(b) is one to which the data subject is party. Based on the ordinary meaning of that language, the ground will not be available where the data subject is a beneficiary of the contract but not a party to it.

In determining which provision in Article 6 is appropriate, the controller will need to consider the nature and purpose of the particular processing operation. Legal obligations with respect to record-keeping, such as under the CQC’s regulatory regime, will make reliance on 6(1)(c) appropriate in respect of certain processing operations.

When considering reliance on the legitimate interests ground (Article 6(1)(f)), controllers must bear in mind that this ground requires a balancing exercise to be undertaken. Private contractors delivering public services should be alert to the possibility that the definition of ‘public authority’ may be amended to include them at some point in the future.

Whilst the Government rejected such a proposal as recently as 2016, the implications of the GDPR may add greater weight to the calls for a redesignation. The effect would be that the newly designated public authority would have to review all processing that was being conducted in reliance on Article 6(1)(f).

For the purposes of the GDPR, the controller will prefer to avoid relying on the consent ground, not least because of the challenges of ensuring that consent is obtained in a manner that is both auditable and complies with the strict requirements of the GDPR. Under the regulations, the controller bears the burden of demonstrating that adequate consent has been obtained. The power imbalance between controller (care provider) and data subject (patient), whether real or perceived, means that it will be difficult for the controller to establish that consent was freely given, and therefore valid.

Much of the existing guidance issued by regulators of the healthcare professions on the topic of confidentiality refers to consent in the context of disclosures being made to third parties. The common law position that implied consent was sufficient for disclosures for the purposes of direct patient care is inconsistent with the prohibition in Article 9. Consent can only overcome that prohibition where it is explicit.

Furthermore, the extent to which the GDPR modifies the common law with respect to confidentiality is unresolved and is beyond the scope of this article. Existing professional guidance must be read in light of the GDPR’s provisions.

Article 9 GDPR

Processing of personal data concerning health falls within the ‘special categories’ of data covered by Article 9. Amongst other matters, this category includes data about religious beliefs, ethnic origin and sexual orientation. Processing of such personal data is prohibited unless one of the specified exemptions applies.

The existing medical purposes exemption has been expanded to encompass social care and is applicable to management of health or social care services. It is set out in Article 9(2)(h) and permits processing necessary for the purposes of ‘medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.’

However, to fall within that provision the processing must be on the basis of union or member state law or pursuant to a contract ‘with a healthcare professional’. Unlike Article 6, there is no requirement that the data subject be a party to that contract.

Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy, or by another person who is subject to an obligation of secrecy.

Reliance on Article 9(2)(h) becomes problematic where the provision of services to the data subject has ceased. The provider will need to retain records beyond that point in order to comply with various legal and regulatory requirements and to obtain relevant legal advice in the event of any later claim, but processing will no longer be necessary for Article 9(2)(h) purposes.

The records may also be required for professional regulatory purposes.

Where the delivery of care has ceased, other than by reason of the data subject’s death, the retention of records will need to rely on another exemption in Article 9. The full scope of the ‘substantial public interest’ exemption (Article 9(2)(g)) will not become clear until the new Data Protection Act is finalised. However, it is likely that that ground will be available in many cases.

Article 9(2)(f) provides an exemption from the general prohibition on processing where the processing is necessary to establish, exercise or defend legal claims. The full scope of the exemption remains uncertain.

To date, the ICO has treated the equivalent provision in the directive as encompassing potential future claims. Controllers should have regard to professional guidelines. Under the existing DPA regime the ICO guidance indicates that, if an organisation keeps personal data to comply with a requirement in such guidelines, it will not be considered to have kept the information for longer than necessary.

The archiving provision in Article 9(2)(j) concerns archiving in the public interest, and the associated recitals indicate that this relates to the creation of publicly accessible archives, rather than the archiving of business or operational records.

Controllers will need to be aware that the vital interests exemption is likely to be of very limited application in relation to processing undertaken by health and social care providers as it concerns life and death scenarios. As noted above, controllers will wish to avoid relying on consent for the purposes of GDPR where possible.

Controllers will need to bear in mind that many aspects of a patient’s care record will contain opinions expressed by people other than the patient. It is arguable that the majority of care records contain personal data of staff as well as the patient. The rights of those data subjects will need to be considered. The current draft of the Data Protection Bill contains a provision intended to prevent the rights of staff from inhibiting the disclosure of care records to the patient/data subject. The final text is awaited.


Health and social care providers will process large volumes of special category personal data. To do so lawfully they must first establish that the prohibition on processing in Article 9(1) can be overcome, by identifying an applicable exemption in Article 9(2). They must then ensure that one of the lawful grounds for processing in Article 6 applies.

Meeting those two requirements is necessary to ensure lawful processing. However, it is not sufficient. The processing must comply with the principles in Article 5 including data minimisation, fairness, transparency, purpose limitation, accuracy, storage limitation, integrity and confidentiality.

For further guidance on the lawful processing of data, contact our data protection lawyers.
