The lawful bases in the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulation (UK GDPR) [2] are broadly the same as the conditions for processing data under the Data Protection Act 1998. There are six lawful bases for processing personal information:
- Consent – clear permission has been given for the personal data to be processed for a specific reason, such as marketing (this is not the same as providing consent for treatment).
- Contract – covers the processing of personal data to fulfil contractual obligations to the individual.
- Legal obligations – covers the processing of personal data with regard to statutory obligations, such as tax law.
- Vital interest – data processing is required to protect someone’s life.
- Public task – data processing is necessary to perform a legally required task in the public interest.
- Legitimate interests – the data processing is necessary for your legitimate interests, or the legitimate interests of a third party, taking into account the rights of the individual.
An individual’s rights can be modified depending on the lawful basis under which their information is processed, e.g. an individual’s right to ask for data processed under ‘consent’ to be deleted is enhanced under this legal basis.
Within dentistry, the lawful bases which might apply are ‘contract’ or ‘legal obligation’ (i.e. the data processing is necessary for the provision of treatment by a registered dental professional and to retain essential employee information), ‘legitimate interests’ (for issuing recall notices and appointment reminders; you must justify this and show how the data processing is necessary to achieve your aims) and ‘consent’ (for issuing marketing such as newsletters or special offers).
There is also ‘special category’ information which includes any information about health which you process. This, therefore, applies to patient records and, depending on the information you record, can apply to staff records. For example, for patient records the lawful basis may be ‘contract’ and the special category condition may be ‘health care’. The Information Commissioner’s Office (ICO) has provided the following resource to help determine the lawful basis for data processing:
Identify the lawful basis for processing personal data and document this in your practice policies and procedures and in your Privacy Notice.
- The lawful basis (or bases) for processing an individual’s data should be stated when responding to a request for access to personal information.
Where processing ‘special category’ information, identify and record the ‘special category’ condition for this, as well as any legal basis which applies.