Approval standards and guidelines: lawful processing (UK GDPR)
Updated 2 August 2024
Approval standard: lawful processing (UK GDPR)
When must this standard be met
This standard must be met for applications requesting to process personally identifiable data.
Standard
1. Applications must show that personally identifiable data will only processed when it is lawful to do so, by demonstrating:
- there is a lawful basis for processing personal data under Article 6 of UK GDPR
- if processing includes special category personal data, there is a lawful basis for processing under Article 9 of UK GDPR
2. Where either ‘Articles 6(1)a – Consent’ or ‘Article 9(2)a – Consent’ is selected, the application must:
- include blank versions of the consent forms and participant information materials used to gain the explicit informed consent of the data subject – each version submitted to UKHSA must be clearly labelled, and where changes to these documents have been made over time, you must submit the complete version history
- if consent is obtained for research, demonstrate the consent form and participant information materials have received favourable opinion from an appropriate ethics committee – in the context of processing NHS patient data, this ethics approval must be from the Health Research Authority (HRA), see Approval standards and guidelines: ethical assessment
- demonstrate compliance with any obligations set out in Article 7 and Recital 32, Recital 42 and Recital 43 of UK GDPR
3. Where ‘Article 6(1)e– Public Interest’ is selected, the application must specify the relevant task, function or power, and identify its basis in common law or statute.
4. Where ‘Article 6(1)f– Legitimate Interests’ is selected, the application must demonstrate that a Balancing Test or Legitimate Interest Assessment (LIA) has been conducted and provides an appropriate lawful basis for the processing. The Information Commissioner’s Officer (ICO) has published guidance on how to conduct an LIA, which includes a sample LIA template. While it is not necessary to share this assessment with UKHSA, you must keep a record of this assessment to help you demonstrate compliance if required. Note this lawful basis cannot be used if you are a public authority processing data to perform your official public task.
5. Where one or more of Articles 9(2)b, 9(2)g, 9(2)h, 9(2)i or 9(2)j are selected, the application must include the applicable conditions under Schedule 1 of the Data Protection Act 2018 to justify processing special category data.
6. All applications requesting access to personally identifiable data must demonstrate compliance with the transparency and accountability principles of UK GDPR by evidencing they have in place a UK GDPR complaint privacy notice. To learn about the requirements for privacy notices, see the Approval standards and guidelines: privacy notice.
Guidelines
The first principle of data protection Article 5(1)a of UK GDPR requires personal data to be processed lawfully, fairly and in a transparent manner.
When requesting to process personal data, your application must demonstrate lawful processing by:
- providing a valid lawful basis for the processing – there are 6 acceptable lawful bases described in Article 6, UK GDPR (at least one of these must apply whenever you process personal data):
- consent – Article 6(1)a
- contract – Article 6(1)b
- legal obligation – Article 6(1)c
- vital interests – Article 6(1)d
- public task – Article 6(1)e
- legitimate interests – Article 6(1)f
- if you’re processing special category data, you must provide both a lawful basis for processing and one or more specific conditions for processing from Article 9 of UK GDPR – processing special categories of personal data is prohibited, except for in limited circumstances, as set out in Article 9
- providing individuals with clear and transparent information about the purpose, or purposes, of processing their personal data and the legal basis, or bases, for doing so – for further information, see the Approval standards and guidelines: privacy notice
Should the data be owed a duty of confidence, you will also have to demonstrate how the duty of confidentiality is set aside. This is distinct from obligations under UK GDPR. For further information, see the Approval standards and guidelines: confidential patient information.
The ICO has published guidance on how to comply with the legal requirements laid out in UK GDPR. It has also published an interactive tool to help determine the legal basis and specific condition for processing special category personal data.
GDPR consent
Consent is defined in Article 4(11) of UK GDPR. To be valid it must be freely given, specific, informed, and unambiguous, as well as that it must be made by way of a statement or ‘clear affirmative action’.
When relying on Article 6(1)a or Article 9(2)a to process personal data or special category personal data, the application must contain blank versions of all consent and participant information sheets used to obtain the data subject’s consent. Any processing that will involve using UKHSA-protected data must be specified precisely and unambiguously.
It is important to keep in mind that UK GDPR consent deals with data protection and is separate from the duties associated with the duty of confidentiality, as set out in Approval standards and guidelines: Lawful processing - confidential patient information. But in cases where consent is determined to meet the UK GDPR standard set out in Article 7 and Recital 32, Recital 42 and Recital 43 of UK GDPR, it will also be judged to have satisfied the standard for setting aside the common law duty of confidentiality too.
For helpful guidance as to what may constitute valid consent, it is advised that you refer to the ICO guidance on consent.
Privacy notice
Lawful processing requires that you ensure accessible privacy information (also called a privacy notice or transparency information) is available to individuals who are the subjects in the data. Any information or communication relating to the processing should be easily accessible and easy to understand, using clear and plain language. For further information, see the Approval standards and guidelines: privacy notice.