Getting to grips with GDPR – 3 and 4. Your lawful basis for processing personal data

April 25, 2018

This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

Under the GDPR, anybody processing personal data must have a lawful basis for doing so. For special categories of personal data, including data concerning health, additional requirements are in place. The details of this are set out in Articles 6 and 9 of the GDPR.

Community pharmacies must be able to identify their lawful basis for processing personal data, and will need to follow two steps to do this:

Step 1 – Make sure you have a valid reason why you need to process personal data (relating to Article 6 of the GDPR); and,

Step 2 – If it is data concerning health (a special category of personal data), make sure that you are processing it only as permitted for the provision of healthcare or treatment (relating to Article 9 of the GDPR). Most of the personal data processed in community pharmacy will fall into this special category and, therefore, you will need to consider both Articles 6 and 9 of the GDPR.

The Community Pharmacy GDPR Working Party has done this for you and for data concerning health processed by community pharmacy it is fairly clear – Article 6(1)(e) and Article 9(2)(h).

For those interested in the detail, let’s look at this more closely.

Step 1 – The basis or reason why you process the personal data is set out in Article 6(1) of the GDPR. There are several lawful reasons why you might be processing personal data and these can be condensed down to:

  1. Consent (where explicit consent is given by the data subject)
  2. Contract (where processing is necessary to fulfil a contractual obligation or as part of entering into a contract)
  3. Legal Obligation (where processing is necessary for compliance with a common law or statutory obligation)
  4. Vital interests (where processing is necessary to protect someone’s life)
  5. Public interest (where processing is necessary to perform a specific task in the public interest that is set out in law)
  6. Legitimate interests (where processing is necessary for the purpose of legitimate interests, but public authorities cannot rely on this)

The incoming Data Protection Act 2018 clarifies aspects of Article 6.

NHS Digital’s Information Governance Alliance (IGA) advises that ‘the most appropriate basis for lawful processing that is available to publicly funded and/or statutory health and social care organisations in the delivery for their function’ is ‘public interest’.

There is an argument that the public interest lawful basis covers only the publicly funded functions of community pharmacy and not, for example, maintaining a list of patients for home delivery purposes (by a bricks and mortar pharmacy). However, I take a broader view that the overall purpose of community pharmacy is to perform a task in the public interest and that this has a sufficiently clear basis in law – meaning that all professional pharmacy activities are covered by the lawful basis of public interest (Article 6(1)(e)).

If that argument were not accepted, an alternative would be to use legitimate interests as the lawful basis for such ancillary activities. This can be used by public authorities (which for these purposes community pharmacies are) when they are not carrying out official – NHS – activities. As a last resort you could use GDPR consent, but as the IGA observes: ‘in many health and social care contexts obtaining GDPR-compliant consent (which is stricter than that required for confidentiality) may not be possible.’ (Remember, consent is important in other spheres, for example, confidentiality, see Part 1.)

Step 2 – The special categories of personal data include data concerning health (Article 9(2) of the GDPR), which is described as ‘data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’, for example, patients’ prescription information.

The processing of special category data is prohibited unless one of the conditions listed in Article 9(2) applies. The four most relevant/quoted conditions are paraphrased below:

  1. Explicit consent (where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes)
  2. Employment (where processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the data controller’s duties as an employer)
  3. Provision of health or social care treatment (where processing is necessary for the data controller’s role within a healthcare organisation, e.g. the provision of health or social care or treatment, or the management of health or social care systems and services)
  4. Public health (where processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)

Article 9(2)(h) is the most relevant to the healthcare sector, and is likely to be the basis for pharmacies processing special categories of data. If processing is under this provision, an additional requirement must be met. This is included in Paragraph 6 (Article 9(3)) of the GDPR (and clarified by the incoming data protection act) and requires that a healthcare professional (such as a pharmacist or a pharmacy technician subject to registration and regulatory oversight, e.g. as per the Pharmacy Order 2010), a social work professional, or a person with a duty of confidentiality under a legal provision must be responsible for the processing of personal data for these purposes.

You may note that, rather confusingly, ‘consent’ is included in the first set of conditions and ‘explicit consent’ in the second. We will look at this in a later article (or see Step 7 in the guidance). Generally, GDPR consent is not applicable to the provision of healthcare, including pharmacy practice.

In conclusion, identifying your lawful basis for processing personal data can be complicated, but for data concerning health processed by community pharmacy it is fairly clear – Article 6(1)(e) and Article 9(2)(h).

For more information and guidance on GDPR, please visit

Read the next instalment (5. Process according to data protection principles) here.
