Sharing information under the Data Protection Act

There are a number of factors for the Trust to consider when sharing any information.


Under the Data Protection Act (2018) and the General Data Protection Regulation (GDPR) there is an absolute requirement that organisations take responsibility and accountability for the personal data that they hold, control and process. They must have appropriate records and measures in place to demonstrate that they are complying with both the principles and spirit of the legislation.

A key part of this is understanding that there must be an identified legal basis for the processing of all personal data.  The lawful bases are set out in Article 6 of the GDPR and at least one of these must apply whenever personal data is processed.

Legal Bases

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). – There are many laws and regulations in UK legislation that cover the collection and use of data, for example the personal data collected in the process of procuring, supplying and administering Controlled Drugs (CDs). Therefore, we are obliged to collect and process personal data to meet the needs of the Misuse of Drugs Act 1971.

Vital interests: the processing is necessary to save or protect someone’s life. – This basis can be used when we are processing data in an acute emergency situation where an individual is unable to provide consent due to incapacity. 

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. – There are a range of things that can fall into public task. These range from information that may be in the public interest (and this would be used by the media) through to healthcare provided by a Public Authority (NHS), public health (PHE) and many aspects of research.

Consent: an individual has given clear consent for you to process their personal data for a specific purpose. – This is why many of us received so many texts and emails earlier this year asking us to re-confirm our consent.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. – This is usually laid out within the body of the contract, and the NHS use a standardized contract to ensure that the GDPR and DPA (2018) are covered.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. – This is probably the most complex of the legal basis types. This does not generally apply to a Public Authority (NHS).

The decision over which basis is used when the Trust is processing personal data is a complex task and is being adjusted as particular scenarios are being tested within the UK and European Courts. Once a legal basis has been applied to an information asset it is recorded on the Trust's Information Asset Register for scrutiny.

If you haven’t completed it this year, please remember to complete your mandatory Information Governance update on Learnzone, or if your update is due in the new year, watch this space for more information about the new online module.

Published 19th December 2018
