Guidance

Approval standards and guidelines: lawful processing (UK GDPR)

Updated 2 August 2024

Approval standard: lawful processing (UK GDPR)

When must this standard be met

This standard must be met for applications requesting to process personally identifiable data.

Standard

1. Applications must show that personally identifiable data will only be processed when it is lawful to do so, by demonstrating:

  • there is a lawful basis for processing personal data under of UK GDPR
  • if processing includes special category personal data, there is a lawful basis for processing under of UK GDPR

2. Where either ‘Article 6(1)a – Consent’ or ‘Article 9(2)a – Consent’ is selected, the application must:

  • include blank versions of the consent forms and participant information materials used to gain the explicit informed consent of the data subject – each version submitted to UKHSA must be clearly labelled, and where changes to these documents have been made over time, you must submit the complete version history
  • if consent is obtained for research, demonstrate that the consent form and participant information materials have received a favourable opinion from an appropriate ethics committee – in the context of processing NHS patient data, this ethics approval must be from the Health Research Authority (HRA), see Approval standards and guidelines: ethical assessment
  • demonstrate compliance with any obligations set out in and , and of UK GDPR

3. Where ‘Article 6(1)e – Public Interest’ is selected, the application must specify the relevant task, function or power, and identify its basis in common law or statute.

4. Where ‘Article 6(1)f – Legitimate Interests’ is selected, the application must demonstrate that a Balancing Test or Legitimate Interest Assessment (LIA) has been conducted and provides an appropriate lawful basis for the processing. The Information Commissioner’s Office (ICO) has published , which includes a sample LIA template. While it is not necessary to share this assessment with UKHSA, you must keep a record of it to help you demonstrate compliance if required. Note that this lawful basis cannot be used if you are a public authority processing data to perform your official public task.

5. Where one or more of are selected, the application must include the applicable conditions under to justify processing special category data.

6. All applications requesting access to personally identifiable data must demonstrate compliance with the transparency and accountability principles of UK GDPR by evidencing that they have in place a UK GDPR compliant privacy notice. To learn about the requirements for privacy notices, see the Approval standards and guidelines: privacy notice.

Guidelines

The first principle of data protection of UK GDPR requires personal data to be processed lawfully, fairly and in a transparent manner.

When requesting to process personal data, your application must demonstrate lawful processing by:

  • providing a valid lawful basis for the processing – there are 6 acceptable lawful bases described in , UK GDPR (at least one of these must apply whenever you process personal data):
    • consent – Article 6(1)a
    • contract – Article 6(1)b
    • legal obligation – Article 6(1)c
    • vital interests – Article 6(1)d
    • public task – Article 6(1)e
    • legitimate interests – Article 6(1)f
  • if you’re processing special category data, you must provide both a lawful basis for processing and one or more specific conditions for processing from of UK GDPR – processing special categories of personal data is prohibited, except in limited circumstances, as set out in Article 9
  • providing individuals with clear and transparent information about the purpose, or purposes, of processing their personal data and the legal basis, or bases, for doing so – for further information, see the Approval standards and guidelines: privacy notice

Where the data is subject to a duty of confidence, you will also have to demonstrate how the duty of confidentiality is set aside. This is distinct from obligations under UK GDPR. For further information, see the Approval standards and guidelines: confidential patient information.

The ICO has published with the legal requirements laid out in UK GDPR. It has also published an to help determine the legal basis and specific condition for processing special category personal data.

Consent is defined in of UK GDPR. To be valid it must be freely given, specific, informed and unambiguous, and it must be given by way of a statement or ‘clear affirmative action’.

When relying on or to process personal data or special category personal data, the application must contain blank versions of all consent and participant information sheets used to obtain the data subject’s consent. Any processing that will involve using UKHSA-protected data must be specified precisely and unambiguously.

It is important to keep in mind that UK GDPR consent deals with data protection and is separate from the duties associated with the duty of confidentiality, as set out in Approval standards and guidelines: Lawful processing - confidential patient information. However, where consent is determined to meet the UK GDPR standard set out in and , and of UK GDPR, it will also be judged to have satisfied the standard for setting aside the common law duty of confidentiality.

For helpful guidance as to what may constitute valid consent, it is advised that you refer to the .

Privacy notice

Lawful processing requires that you ensure accessible privacy information (also called a privacy notice or transparency information) is available to individuals who are the subjects in the data. Any information or communication relating to the processing should be easily accessible and easy to understand, using clear and plain language. For further information, see the Approval standards and guidelines: privacy notice.