
Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England

From:

Adopters - Complying with the UK GDPR Steps 1 - 7: an introduction - Step 4: Comply with Articles 6 and 9 of UK GDPR

Reviewed: 13 January 2023

Overseen by: HRA (Health Research Authority)

Health and care data is considered personal data, and also special category data, under the UK GDPR. To comply with the law, therefore, you must identify:

  1. a lawful basis for processing personal data under Article 6 of the UK GDPR, and
  2. a separate condition for processing special category data under Article 9 of the UK GDPR

The lawful basis and condition you choose for your processing activities must be relevant and valid for each data processing situation. There are different types of bases/conditions that could be chosen, each with different requirements attached. You must make sure you can satisfy the relevant requirements if you rely on them. The different types are summarised below, along with guidance on the lawful basis/condition most relevant to adopters.

Article 6 of the UK GDPR

There are 6 lawful bases for processing personal data under Article 6 of the UK GDPR. At least 1 of these must apply whenever you process personal data, and you must determine in advance which one you are relying on and make this clear in your privacy notice. In the context of technology adoption, the legal basis of ‘vital interests’ will not apply.

Important note: if you want to process data for health or social care research, the ICO and the HRA strongly recommend that you do not use consent as your lawful basis. Instead, you should use ‘task in the public interest’ if your organisation has public powers (for example, universities, NHS organisations, Research Council institutes or other public authorities). For private organisations (such as commercial companies and charitable research organisations), the processing of personal data for research should be done under ‘legitimate interests’.

Get more information:

Read the HRA’s guidance on consent in research and the legal basis for processing data.

Read ICO’s guidance on the lawful basis for processing and how to apply legitimate interests in practice, including how to do a ‘legitimate interests assessment’.

Use the HRA’s templates with recommended wording to make sure your privacy notices and other information are consistent with the use of confidential patient and service-user information for research.

Article 9 of the UK GDPR

Health and care data is considered a type of special category data under UK GDPR. So, in addition to identifying a lawful basis as described above, you will also need to meet 1 of the 10 specific conditions in Article 9 of the UK GDPR. You should note that 5 of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018. See ICO’s guidance on special category data for full details.

In the context of technology adoption, you can rely on special condition Article 9(h) (‘Health or social care (with a basis in law)’) if the processing purpose is direct care. This is conditional on data being processed by a professional bound by a professional code and obligations of confidentiality or secrecy.

Important note: if you want to process data for health or social care research, whether processed by a public authority or by a commercial organisation or charitable research organisation, special category personal data should be processed under Article 9(2)(j) for research purposes, but only if processing such data is:

  • necessary for archiving purposes, scientific or historical research purposes or statistical purposes
  • subject to appropriate safeguards, and
  • in the public interest

Get more information:

Read the HRA's guidance on safeguards and ICO's guidance on research provisions.


Get more support

To discover how the regulatory organisations can assist you and for contact details, visit our 'Get Support' page.
