
The legal basis for processing

The organisations providing your health and social care are required by law to collect and share data about you to ensure you receive effective care services. The legal detail is set out below for your information.

Unless an individual has objected to the joint processing and sharing and the sharing organisation has accepted the individual’s objection to the processing, the legal basis for sharing and viewing the shared records includes provisions of Section 251B of the Health and Social Care Act 2012 (as amended by the Health and Social Care (Safety and Quality) Act 2015):

  1. The sharing organisation must ensure that the information is disclosed to:
    1. persons working for the sharing organisation
    2. any other relevant health or adult social care commissioner or provider with whom the sharing organisation communicates about the individual; and
  2. So far as the sharing organisation considers that the disclosure is:
    1. likely to facilitate the provision to the individual of health services or adult social care in England
    2. in the individual’s best interests.

Unless an individual has objected to the joint processing and sharing and the sharing organisation has accepted the individual’s objection to the processing, the legal basis for viewing the shared records is also provided by the General Data Protection Regulation:

  1. Article 6(1)e
    “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; and
  2. Article 9(2)h
    “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Where access to confidential data is legitimate, the common law duties of confidentiality are satisfied because consent to view an individual’s record is implied where the individual concerned has been provided with a Share Your Care Personal Health Record service-specific privacy notice and agrees to be referred to a service or where the individual concerned refers themselves or presents to a service.