
To process personal information you must have a lawful basis. The Data Protection Act 2018 (DPA 2018) [1], the UK General Data Protection Regulations (UK GDPR) [2] and the Data (Use and Access) Act 2025 [3] set out the seven lawful bases for processing personal information:

  • Consent – clear permission has been given for the personal data to be processed for a specific reason, such as marketing (this is not the same as providing consent for treatment).
  • Contract – covers the processing of personal data to fulfil contractual obligations to the individual.
  • Legal obligations – covers the processing of personal data with regard to statutory obligations, such as tax law.
  • Vital interest – data processing is required to protect someone’s life.
  • Public task – data processing is necessary to perform a legally required task in the public interest.
  • Legitimate interests – the data processing is necessary for your legitimate interests, or the legitimate interests of a third party, taking into account the rights of the individual, using a balancing test or legitimate interests assessment (i.e. assessing whether a person's rights, freedoms or interests outweigh the legitimate interest).
  • Recognised legitimate interests – the list of pre-approved defined public interest activities. This basis removes the need for a balancing test before processing personal data.

An individual’s rights can be modified depending on the lawful basis under which their information is processed, e.g. an individual’s right to ask for data processed under ‘consent’ to be deleted is enhanced under this legal basis.

Within dentistry, the lawful bases which might apply are ‘contract’ or ‘legal obligations’ (i.e. the data processing is necessary for the provision of treatment by a registered dental professional and to retain essential employee information), ‘legitimate interests’ (i.e. for issuing recall notices and appointment reminders; you must justify this and show how the data processing is necessary to achieve your aims) and ‘consent’ (i.e. for issuing marketing such as newsletters or special offers).

There is also ‘special category’ information which includes any information about health which you process. This, therefore, applies to patient records and, depending on the information you record, can apply to staff records. For example, for patient records the lawful basis may be ‘contract’ and the special category condition may be ‘health care’.

The Information Commissioner’s Office (ICO) has provided the following resource to help determine the lawful basis for data processing:

Identify the lawful basis for processing personal data and document this in your practice policies and procedures and in your Privacy Notice.

  • The lawful basis (or bases) for processing an individual’s data should be stated when responding to a request for access (known as a subject access request) to personal information.

Where processing ‘special category’ information, identify and record the ‘special category’ condition for this, as well as any legal basis which applies.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office
  3. Data (Use and Access) Act 2025