Developers - Step 4: Have a lawful (also known as 'legal') basis for processing health data
Identifiable health data is personal data under the UK GDPR and, because it concerns health, it is also special category data. Each classification carries its own set of requirements, so to process health data you must identify both:
- a lawful basis under Article 6 of the UK GDPR
- a separate condition for processing special category data under Article 9 of the UK GDPR
The lawful basis and the condition you choose must be relevant and valid for each processing activity, and you should document which one you rely on for each. Several bases and conditions are available, each with its own requirements attached, and you must be able to satisfy the relevant requirements if you rely on one. The options are summarised below, along with guidance on the lawful basis and condition most relevant to adopters.
Article 6 of the UK GDPR
There are 6 lawful bases for processing personal data, set out in Article 6(1)(a) to (f) of the UK GDPR. At least 1 of these must apply whenever you process personal data, and you must determine in advance which one you are relying on and make this clear in your privacy notice. In the context of technology development, the lawful basis of 'vital interests' (Article 6(1)(d)) will not apply.
Important note: if you want to process data for health or social care research, the ICO and the HRA strongly recommend that you do not use consent as your lawful basis. Instead, you should use 'task in the public interest' (Article 6(1)(e)) if your organisation has public powers (for example, universities, NHS organisations, Research Council institutes or other public authorities). Private organisations (such as commercial companies and charitable research organisations) should process personal data for research under 'legitimate interests' (Article 6(1)(f)). Note that a public authority cannot rely on legitimate interests for processing carried out in the performance of its public tasks, which is why the two routes are split in this way.
Get more information:
Read the HRA’s guidance on consent in research and the legal basis for processing data.
Read the ICO’s guidance on the lawful basis for processing and how to apply legitimate interests in practice, including how to do a ‘legitimate interests assessment’.
The HRA provides templates with recommended wording that health organisations should use to make sure their privacy notices and other information are consistent with the use of confidential patient information for research.
Article 9 of the UK GDPR
Health and care data is a type of special category data under the UK GDPR. So, in addition to identifying a lawful basis as described above, you will also need to meet 1 of the 10 specific conditions in Article 9(2)(a) to (j) of the UK GDPR. You should note that 5 of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 to the DPA 2018. See the ICO's guidance on special category data, which describes these in detail.
Whether processed by a public authority, a commercial organisation or a charitable research organisation, special category personal data can be processed under Article 9(2)(j) for research purposes, but only if the processing is:
- necessary for archiving purposes, scientific or historical research purposes or statistical purposes
- subject to appropriate safeguards, and
- in the public interest
Article 9(2)(j) is one of the conditions that also requires a Schedule 1 condition, so you must additionally meet the research condition in paragraph 4 of Schedule 1 to the DPA 2018, and the research safeguards in section 19 of the DPA 2018 apply: the processing must not be likely to cause substantial damage or substantial distress to an individual, and must not be carried out to take measures or decisions about particular individuals.
Get more information:
Read the HRA's guidance on safeguards and the ICO's guidance for research provisions within the UK GDPR.
Get more support
To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.