[DAYS_LEFT] days left of your Medeconomics free trial

Subscribe now

Your free trial has expired

Subscribe now to access Medeconomics

Understanding the GDPR: Lawful processing of personal data

In the first part of a new series on the General Data Protection Regulation (GDPR), Dr Rachel Birch from Medical Protection explains what practices need to know about the legal basis for processing personal data and privacy notices.

The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Two important areas that will be subject to change under the GDPR: the legal basis for the processing of personal data and transparency regarding fair data processing.  

What is personal data?

Personal data is any information relating to an identified or identifiable natural person. It includes names, addresses, telephone numbers, dates of birth and GP and hospital registration numbers. Under GDPR, the definition has been expanded to include information processed via digital media.

In addition, special categories of personal data (formerly ‘sensitive’ data) – covering health, race, ethnicity, sexual orientation, religion and political views – will also now include genetic and biometric data.

Practices must establish their legal basis for processing data

Practices must document both a lawful basis for processing personal data and also a condition for processing special categories of data.

The GDPR has six lawful bases for processing personal data. For general practice, the relevant ones are:

  • explicit patient consent;
  • necessary for the provision of a service/performance of a contract;
  • necessary in the vital interests of the data subject;
  • necessary for a task carried out in the public interest/in the exercise of official authority.

Meanwhile, one of the 10 conditions1 must be met for processing special categories of data. The relevant options for general practices are:

  • explicit patient consent;
  • necessary for provision of healthcare.


Where ‘explicit patient consent’ is chosen, as either the legal basis for processing personal data or special categories of data, the GDPR sets a very high standard.

Consent has to be specific, freely given, informed and should constitute an unambiguous indication of the patient’s wishes, by a clear affirmative action to the processing of their data. Pre-ticked boxes, for example on new patient registration forms, would not count as valid consent for data protection purposes and there must be a positive opt-in process. Patients must also be provided with an easy way to withdraw their consent.

If practices are relying on consent as their legal basis for processing personal data, then they must ensure that their recording of patient consent meets the above standards. Otherwise, fresh consent would need to be obtained.

Given these requirements, rather than relying on explicit consent to process data, practices are likely to use another appropriate lawful basis and special category condition for the processing of personal and special categories of data, respectively. The Information Commissioner’s Office (ICO) has published specific guidance on this.2

For practices, this will mostly mean relying on ‘necessary for the provision of healthcare’ for processing sensitive data. As long as patients have been appropriately informed how their personal data will be used in ‘privacy notices’, it would usually be reasonable for GPs to rely on implied consent for sharing relevant information in order to provide direct patient care –  for example, when a patient agrees to a referral to another healthcare professional.

However, if GPs and practices are in any doubt that the patient would agree to information-sharing, or if they believe patients may be surprised to learn what information would be disclosed, then explicit consent should be sought.3

For other purposes like a request for confidential data from a third party such as an employer or insurance company, explicit consent will still be needed.

Privacy notices

The GDPR brings in detailed and specific rules on providing privacy information to data subjects.4   

Information within privacy notices should be used to inform patients at the time of collecting their data, for example, at new patient registration. It should also be provided if you are considering providing information in a way that patients would not reasonably expect.

How should privacy notices be provided?

The GDPR places emphasis on the importance of privacy notices being easily accessible to patients. Information within such notices should be concise, truthful and written in clear straightforward language.

Consider your various groups of patients and their differing needs. You may wish to provide separate notices for specific categories of patient, such as children and vulnerable patients. Privacy notices should be also translated into other languages for your non English-speaking patients.

You may choose to use various methods to display this information, including posters in the waiting room, leaflets at reception, information sheets attached to registration forms, letters to patients and details on your practice website.

What information should be provided?

The practice’s privacy notice should include

  • Data controller’s identity
  • Data protection officer’s contact details
  • Purpose of processing
  • Legal basis for processing
  • Categories of personal data processed
  • Potential recipients of personal data
  • Details of retention periods
  • List of the data subjects’ rights
  • Safeguards used if data is transferred out of an EU country.

You must also inform patients that they have a right to complain to the ICO if they have concerns with the handling of their data.

  • Dr Rachel Birch is a medico-legal adviser at Medical Protection


  1. ICO. What are the conditions for processing special category data? See inset ‘The conditions are listed in Article 9(2) of the GDPR’ (a) to (j). https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
  2. ICO. Lawful basis for processing
  3. GMC. Using and disclosing patient information for direct care
  4. ICO. Right to be informed
More on the GDPR on Medeconomics

Have you registered with us yet?

Register now to enjoy more articles
and free email bulletins.

Sign up now
Already registered?
Sign in

Database of GP Fees

Latest Jobs