What is the purpose of processing data?
Purpose/activity | Type of data | Lawful basis for processing including basis of legitimate interest |
---|---|---|
Direct Care | (a) Identity (b) Contact (c) Special Categories | All Health and Adult Social Care providers are subject to the statutory duty under Section 251B of the Health and Social Care Act 2012 to share personal data about patients for their direct care.<br>GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.<br>GDPR Article 9 (2) (h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional. |
To respond to a request under the Freedom of Information Act, enquiries, complaints | (a) Identity (b) Contact | GDPR Article 6(1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller. Comply with a legal or regulatory obligation |
To respond to a request under the Data Protection Act or the General Data Protection Regulation | (a) Identity (b) Contact (c) Special Categories such as health information | GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller. |
Safeguarding | (a) Identity (b) Contact (c) Special Categories such as health information | Local Authorities have a duty to make enquiries where an adult is experiencing or is at risk of abuse or neglect and have a duty to collaborate with partners generally and in specific cases.<br>GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.<br>GDPR Article 9 (2) (b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law. |
To investigate and respond to a complaint (including whistle-blowing) | (a) Identity (b) Contact (c) Special Categories | GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.<br>GDPR Article 9 (2) (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes. |
Commissioning and Planning Purposes | (a) Identity (b) Contact (c) Special Categories | Your information is sent to the commissioners of our services, the Primary Care Trusts who, on behalf of your GP, pay us for providing our services. We are also paid for services provided by London Borough of Islington and London Borough of Camden to provide some Social Care services. We are also required to report to the Healthcare Commission and the Department of Health on our activities and performance. These uses of your information would almost never involve a person looking at your records. Most submissions of your data outside of the Foundation Trust are done by computer and sent securely. Only very rarely would someone need to check into the submissions we make to focus on a specific person, and even then it is unlikely that the information would easily identify you as an individual.<br>C&I also undergoes external audit by the Audit Commission or other professional bodies given the legal authority to carry out audits. These audits may involve reviewing information in patient records to ensure accuracy, completeness and the competency of the staff that served you. It would rarely be the case that the auditors would ever be interested in knowing about you directly, and only in extreme cases of misconduct or incompetence in the Foundation Trust would they be interested in tracing you as an individual.<br>C&I cannot prevent your information from being provided to the above when it is seeking payment for its services. By engaging in care provided by the C&I you will have consented for your information to be used in these ways.<br>Most national and local flows of personal data in support of commissioning are established by NHS Digital either centrally or, for local flows, by the Data Services for Commissioners Regional Officers (DSCRO). These flows do not operate on the basis of consent for confidentiality or data protection purposes.<br>Article 6 (1) (c) Processing is necessary for compliance with a legal obligation.<br>Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.<br>Article 9 (2) (h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional. |
Research | (a) Identity (b) Contact (c) Special Categories | For research purposes, the common law duty of confidentiality must still be met through consent. This requirement has not changed under the GDPR. Consent is still needed for people outside the care team to access and use service user personal data for research, unless you have Section 251B of the Health and Social Care Act 2012 support or the data is anonymised (no longer identifiable), such as the C&I Research Database. This includes encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research.<br>Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.<br>Article 9 (2) (j) Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1). |
Employment Purpose (staff and volunteers) | (a) Identity (b) Contact (c) Special Categories | For employment purposes, the lawful bases for processing below will apply; this includes special categories of data, such as health data, for employment purposes.<br>Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.<br>Article 9 (2) (b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.<br>Personal data processed in relation to the Disclosure and Barring Service (DBS checks) falls under the GDPR (Article 10) and the provisions of the Safeguarding Vulnerable Groups Act 2006. |
Surveys | (a) Identity (b) Contact (c) Special Categories | In some cases, the Trust may commission a survey for a specific reason, such as monitoring improvement in care; this may be commissioned with explicit consent of those taking part or on another legal basis, e.g. the Community Mental Health survey hosted by the CQC, or mental health inpatient surveys. The Trust may contract third party organisations to work on survey development and analysis on its behalf. In such circumstances, participants will be notified in advance of their data being gathered.<br>GDPR Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.<br>GDPR Article 9 (2) (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes. |