The lawful bases in the General Data Protection Regulations (GDPR) are broadly the same as the conditions for processing data under the Data Protection Act 1998. There are six lawful bases for processing personal information:
- Consent – clear permission has been given for the information to be processed for a specific reason, such as marketing.
- Contract – covers the processing of personal data to fulfil contractual obligations.
- Legal obligations – covers the processing of personal data with regards to statutory obligations, such as tax law.
- Vital interest – data processing is required to protect someone’s life.
- Public interest – data processing is necessary to perform a legally required task in the public interest.
- Legitimate interests – the data processing is necessary for your legitimate interests, taking into account the rights of the individual.
An individual’s rights can be modified depending on the lawful basis under which their information is processed, e.g. an individual’s right to ask for data processed under ‘consent’ to be deleted is enhanced under this legal basis.
Within dentistry, the lawful bases which might apply are ‘contract’ or ‘legal obligation’ (i.e. the data processing is necessary for the provision of treatment by a registered dental professional and to retain essential employee information), ‘legitimate interests’ (for issuing recall notices and appointment reminders; you must justify this and show how the data processing is necessary to achieve your aims) and ‘consent’ (for issuing marketing such as newsletters or special offers).
There is also ‘special category’ information which includes any information about health which you process. This, therefore, applies to patient records and, depending on the information you record, can apply to staff records. For example, for patient records the lawful basis may be ‘contract’ and the special category condition may be ‘health care’. The Information Commissioner’s Office (ICO) has provided the following resource to help determine the lawful basis for data processing:
Identify the lawful basis for each category of personal data that you process and document this in your practice policies and procedures and in your Privacy Notice.
- The lawful basis (or bases) for processing an individual’s data should be stated when responding to a request for access to personal information.
Where processing ‘special category’ information, identify and record the ‘special category’ condition for this, as well as any legal basis which applies.
Disclaimer
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website [1] and via the EU GDPR learning resource [2]. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.