Legal grounds for processing confidential data

Where Confidential Data is processed by User Organisations in the FDP, an additional legal ground will need to be identified so that the use of the Confidential Data does not breach confidentiality. These additional legal grounds are:

  • where it can be assumed that the individual has provided their consent (“implied consent”). The National Data Guardian’s guidance sets out that this legal ground only applies where the processing of Confidential Data in any particular circumstances is carried out for the purpose of the direct care of an individual,
  • where the User Organisation has a legal obligation to process the Confidential Data,
  • where there is a power in legislation to expressly process Confidential Data (“statutory authority”). This includes processing Confidential Data in relation to:
    • communicable diseases, such as coronavirus, under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (“COPI Regulations”), or
    • medical purposes approved by the Secretary of State with support from the Confidentiality Advisory Group under Regulation 5 of the COPI Regulations. This is also known as an approval under Section 251 of the NHS Act 2006, or
  • where there is an overriding justification which is in the public interest.