All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and all current Data Protection Legislation.
For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.
The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing. As personal data is processed for purposes of the Trusts statutory functions we have considered our lawful basis for processing personal data and have deemed:
Commissioning, planning, regulatory and public health functions:
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation
Direct care and administrative purposes including safeguarding:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the data controller, and for medical purposes and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality
Where the Trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, the provisions of the Children’s Acts 1989 and 2004, and the Care Act 2014
Commissioning and Planning:
- Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
Research, regulatory and public health functions:
- Article 9(2)(j) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Regulatory and public health functions:
The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.
If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller (schedule 2 (6) (1)), where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.
Any processing which relies on consent will be based on explicit consent under GDPR. You will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices.