The WWL Way
Telephone: 01942 244 000

Lawful Bases for Processing Data

Introduction  

All health and social care providers, including Wrightington, Wigan and Leigh Teaching Hospitals NHS Foundation Trust, have a statutory duty under section 251B of the Health and Social Care Act 2012 to share patient information for their direct care. This duty is subject to both the common law duty of confidence and applicable data protection legislation, namely the Data Protection Act (DPA) 2018 and the General Data Protection Regulations (GDPR).

 

For common law purposes, sharing information for direct care is on the basis of implied consent and may include administrative purposes where the patient has been informed or sharing is within reasonable expectations. Common law also enables sharing when in the public interest, such as for safeguarding purposes, or when there is a legal duty to do so.

 

The GDPR requires that organisations processing personal data demonstrate compliance with its provisions, including publication of the basis for lawful processing. For further information on the lawful basis for processing identified by the Trust, please see below:

 

Personal Data  

Personal data is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The processing of personal data is covered by Article 6 of the GDPR.

 

Processing – Consent


 

Lawful Basis for Processing

 

Article 6(1)(a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’

 

Purpose of Processing  

The Trust processes your personal data on the basis of consent for services including, but not limited to; medical studies, newsletters, and research and development. Where consent is the lawful basis for processing your personal data, the processing will be for the purposes of indirect care only. Pertinently it must be stated that the withholding of your consent will not impact on the direct care provided by the Trust.

 

Your Rights  

You have the following rights regarding your personal data which is processed under the lawful basis of your consent:

 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

 

If you would like to engage any of the aforementioned rights, please contact dpo@wwl.nhs.uk.

 

Processing – Contract

 

Lawful Basis for Processing

Article 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’

 

Purpose of Processing  

The Trust processes your personal data on the basis of contractual obligations for services including, but not limited to; background checks, payments, procurement, and all other processes related to entering and performing contractual obligations. Pertinently it must be stated that where some or all of the personal data requested is withheld, the Trust may be unable to enter into and perform a contract as per its contractual obligations.

 

Your Rights  

You have the following rights regarding your personal data which is processed under the lawful basis of contractual obligations:

 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

 

If you would like to engage any of the aforementioned rights, please contact dpo@wwl.nhs.uk.

 

Processing – Legal Obligation

 

Lawful Basis for Processing  

Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’

 

Purpose of Processing  

The Trust processes your personal data on the basis of legal obligations for services including, but not limited to; legal proceedings, obtaining legal advice, and establishing, exercising or defending legal rights.

 

Your Rights  

You have the following rights regarding your personal data which is processed under the lawful basis of legal obligations:

 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to restrict processing

 

If you would like to engage any of the aforementioned rights, please contact dpo@wwl.nhs.uk.

 

Processing – Vital Interests

 

Lawful Basis for Processing  

Article 6(1)(d) ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’

 

Purpose of Processing  

The Trust processes your personal data on the basis of vital interests only when it is deemed necessary to protect life. This basis for processing will only be utilised in situations of life and death, such as emergency health care, whereby you are unable to give consent yourself.

 

Your Rights  

You have the following rights regarding your personal data which is processed under the lawful basis of your vital interests:

 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing

 

If you would like to engage any of the aforementioned rights, please contact dpo@wwl.nhs.uk.

 

Processing – Public Task

 

Lawful Basis for Processing  

Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’

 

Purpose of Processing  

The Trust processes your personal data on the basis of public task for services including, but not limited to; direct healthcare provision, safeguarding, and statistical analysis and reporting.

 

Your Rights  

You have the following rights regarding your personal data which is processed under the lawful basis of public task:

  •  
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to restrict processing
  • The right to object
  •  

If you would like to engage any of the aforementioned rights, please contact dpo@wwl.nhs.uk.

 

Special Category Data  

There are special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the sharing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of special categories of personal data is covered by Article 9 of the GDPR.

 

Lawful Basis for Processing Special Category Personal Data  

Article 9(2)(a) ‘the data subject has given explicit consent to the processing of those personal data for one or more specified purposes’

 

Article 9 (2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law’

 

Article 9 (2)(c) ‘processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’

 

Article 9 (2)(d) ‘processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of data subjects’

 

Article 9 (2)(e) ‘processing relates to personal data which are manifestly made public by the data subject’

 

Article 9 (2)(f) ‘processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity’

 

Article 9 (2)(g) ‘processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’

 

Article 9 (2)(h) ‘processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the relevant conditions and safeguards’

 

Article 9 (2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’

 

Article 9 (2)(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’

 

Further information  

Further information about the lawful basis for processing of personal data can be found at the Information Commissioner’s Office (ICO) website, please click here for more details. The ICO is an independent authority tasked with upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.