Conditions for processing personal data

Under the first data protection principle personal data shall not be processed unless at least one of the conditions in Schedule 2 is met, and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

As health data is sensitive personal data, any secondary use of patient data for research purposes will have to satisfy at least one of the conditions under both Schedules 2 and 3.

Personal data

Schedule 2 of the DPA provides that whenever you process personal data at least one of the following conditions must be met:

  1. The individual who the personal data is about has consented to the processing.
  2. The processing is necessary: (a) in relation to a contract which the individual has entered into; or (b) because the individual has asked for something to be done so they can enter into a contract.
  3. The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
  4. The processing is necessary to protect the individual’s “vital interests”.
  5. The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
  6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party to whom the data are disclosed.

All of these conditions carry equal weight and none provides a more valid basis for processing than any other.

The two conditions which are most relevant in the context of the secondary use of patient data for research purposes are conditions 1 and 6. In practice it is unlikely to be difficult for either condition 1 or 6 to be satisfied, provided that there are sufficient safeguards in place to protect confidentiality.

(1) Consent

Consent has not been defined in the DPA, but in the Data Protection Directive, consent is defined as ‘…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’ For more information on the definition of ‘consent’ please see the guidance page on ‘autonomy and consent.’

Consent is not an absolute necessity for data processing, as it is one of several conditions in Schedule 2 which can legitimate data processing. Indeed, as consent could be said to be the most onerous of the six conditions for processing, it may be easier to try to justify your processing under one of the other conditions before seeking consent, if you do not already have it. The ICO also recommends that organisations should not rely exclusively on consent to legitimise their processing.

You will need to examine the circumstances of each case to decide whether consent has been given for your proposed data processing. In some cases this will be obvious, but in others closer examination will be needed to determine whether the consent is adequate.

(6) The ‘legitimate interests condition’

The DPA recognises that there may be a legitimate interest for processing the data which the other conditions do not deal with. The ‘legitimate interests condition’ is intended to permit such processing provided that certain requirements are met.

These requirements are:

  • The data must need to be processed for your legitimate interests or for those of a third party to whom you disclose it.
  • These interests must be balanced against the interest(s) of the individuals concerned: the legitimate interests condition will not be fulfilled if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Where there is a serious mismatch between your interests and the interests of the individual, the interests of the individual will come first.
  • The processing of information must be fair and lawful and must comply with all the data protection principles.

Essentially, therefore, in the context of health research, the legitimate interests condition requires a balancing act between the interests of the data subject and the interests of the public in the research project being completed. For more information see the guidance pages on confidentiality and public interest.


Sensitive personal data

Schedule 3 of the DPA provides that whenever you process sensitive personal data at least one of the following conditions must be met:

  1. The individual who the sensitive personal data is about has given explicit consent to the processing.
  2. The processing is necessary so that you can comply with employment law.
  3. The processing is necessary to protect the vital interests of: (a) the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or (b) another person (in a case where the individual’s consent has been unreasonably withheld).
  4. The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  5. The individual has deliberately made the information public.
  6. The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  7. The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  8. The processing is the disclosure or other processing of sensitive personal data by a member of an anti-fraud organisation or under arrangements made by such an organisation, or is necessary for the purposes of preventing fraud.
  9. The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  10. The processing is of sensitive personal data relating to racial or ethnic origin, and is necessary to review the existence or absence of equality of opportunity or treatment of persons of different racial or ethnic origins, and the processing is carried out with appropriate safeguards for the rights and freedoms of the data subjects.
  11. The processing is carried out in circumstances specified in an order made by the Secretary of State for the purposes of these conditions.

Other than the condition of ‘explicit consent,’ the conditions for processing sensitive personal data generally all require that the processing is necessary for the particular purposes to which the condition relates. This imposes a high threshold as the condition will not be met if the purposes can be achieved by some other reasonable means.

The Schedule 3 conditions which are most useful in the context of the secondary use of health data for research purposes are conditions 1, 9 and 11.

(1) Explicit consent

The DPA provides that a higher standard of consent, ‘explicit consent’, is needed to justify the processing of sensitive personal data.

‘Explicit’ consent means that the individual’s consent should be absolutely clear. It should cover the specific details of the proposed processing, the type of information involved, any disclosures that might be made, and any other details which could affect the individual’s decision whether or not to give consent.

(9) Necessary for medical purposes

The Act provides in s33 that ‘medical research’ is included within the term ‘medical purposes.’ This means that if you can show that there is a public interest in the research project and that the processing of the specified data is necessary to achieve that public interest, then the data processing will be justified under the DPA.

(11) Processing carried out in circumstances specified in an order made by the Secretary of State

Additional conditions for the processing of sensitive data are set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000. The effect of this is to permit the processing of sensitive personal data for a range of other purposes, normally those which are substantially in the public interest.

The most relevant condition in the Order for the purposes of the secondary use of patient data is the condition which provides that sensitive personal data can be processed if the processing (a) is in the substantial public interest, (b) is necessary for medical purposes, (c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject, and (d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.
