This is the 3rd blog in our series about GDPR. Up to now we have covered the basic definitions and the core principles that underpin the new regulation. In this blog we will talk about “processing personal data” and the legal basis you have for doing so.
Processing personal data is what GDPR is all about. Processing is deemed to be basically anything you do with data, from collecting it and storing it right down to deleting it. So, we all do some form of processing every day. Under GDPR you need to have a legal basis for any form of processing you carry out. You have 6 legal bases to choose from:
- Consent
- Necessary for performance of a contract
- In compliance with legal obligations
- Vital interests
- Public interests
- Legitimate interests
These are the ones applicable to you as clinic owners and practitioners. So let’s go through these bases one by one:
1. Consent
This is where the data subject has given you consent to process their data. Consent must be:
- Freely given, specific, informed and unambiguous
- A statement of consent or a clear affirmative action
In other words, they need to know what they are consenting to and make a clear action to show their consent. Pre-ticked boxes are NOT allowed.
You must be able to demonstrate how consent was given, so keep detailed records of the date, time and method by which consent was given. If it’s a signed form, store it securely in case the consent is ever questioned.
Verbal consent can be used. If you rely on verbal consent you must record exactly what the person was told at the time consent was given, that they gave a clear affirmative action (i.e. they said yes), and the date and time of consent.
The downside of using consent as your legal basis is that it can be withdrawn at any time. Once consent is withdrawn you are no longer able to process the data in any way unless you can rely on another legal basis for doing so.
2. Necessary for performance of a contract
This is a basis that works well for most businesses: if someone is in a contract with you then it makes sense that you need to process aspects of their data to fulfil that contract. There are 2 instances in which this basis can be applied:
- Necessary for performance of a contract
So you need to use their information, make changes to it, add information and store it in order to treat them.
- If an individual makes an enquiry about a product or service
If someone enquires about being treated by you, you must process their data in order to respond to that enquiry.
3. In compliance with legal obligations
GDPR says that a controller may process personal data where there is a binding legal obligation to perform such processing.
Physiotherapists are lucky here, because they have a legal obligation to keep records for a data subject for at least 8 years after the conclusion of their treatment.
4. Vital Interests
This is a basis to use when processing is necessary to protect the vital interests of the data subject or another person when the data subject is incapable of giving consent.
This legal basis is used in cases of medical emergency.
5. Public Interests
This is not likely to apply to practitioners and clinic owners, but we will explain it just in case.
This is when processing is necessary for the performance of a task carried out in the public interest OR in the exercise of official authority vested in the Controller. The task or authority needs to be laid down by Union law or Member State law.
6. Legitimate Interests
This applies when processing is necessary for the legitimate interests pursued by the Controller.
If someone comes to you with back pain and you run a new class that they may benefit from, telling them about it is deemed a legitimate interest.
HOWEVER, these legitimate interests can be overridden by the data subject’s rights and freedoms. If the data subject does not agree with this basis for processing they can ask you to stop, and you must stop unless you can depend on another legal basis for processing that information.
There are 4 additional bases that you could apply to the processing of “special category information”. We will mention them below, but we do not see an occasion when these would be usable by practitioners and clinicians:
- When processing is required for the purposes of preventative or occupational medicine.
- When processing is necessary for the public interest in the area of public health, such as protecting against cross-border threats to health.
- When processing is necessary for the public interest, for scientific or historical research purposes, or for statistical purposes.
- When the personal data has manifestly been made public by the data subject.
Again, we cannot see many occasions when any of these would be appropriate bases to use, but it is best to know they are available when processing “special category data” such as clinical notes.
So those are all the legal bases you should really need to rely on for processing personal data. Ensure you have a legal basis in place for each category of data.
Accountability and Transparency
GDPR is underpinned by accountability and transparency. You must state in your Privacy Notice the legal basis you have for processing each category of personal data. Remember that you must present this to the data subject at the time of data collection.
You must keep detailed and clear records of all your data processing activities in case a breach occurs. Document the following:
- Purposes for which the data is being processed – why you process it and the legal basis for doing so
- Categories of data subjects and personal data you hold within your clinic – what are they? Where are they held? How long are they held for?
- Any transfers to non-adequate countries and the appropriate safeguards – this is unlikely to be applicable to you
- A general description of your technical and organisational security measures – all your security procedures, data security training and so on
So that’s all the information about legal bases for processing. Be sure to look at all of the data processing you do and ensure you have a documented legal basis for each type. If you don’t, you might want to consider stopping that type of processing and deleting the information. REMEMBER to update your Privacy Notice with the legal basis for each category of data.