What is the lawful basis for the sharing?
The processing (sharing) of personal data for these purposes is permitted under Articles 6(1) (d) and 6(1) (e) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA):
- Vital Interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
The processing (sharing) of special categories of personal data via the KM Care Record system is permitted under Article 9 (2) (b) and (h) and Article 10 of the UK GDPR and the UK Data Protection Act 2018 (DPA):
- Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
KM Care Record testing is required to validate accuracy and completeness of patient records within the system. This is a clinical safety issue and supported under UK GDPR Article 6(1)(e) official authority, and Article 9(2)(b) where information technology staff (who are not healthcare professionals) will be appraising the data. The data used for testing will be anonymised wherever possible, minimised where live patient data is necessary, and only used in a proportionate manner to meet the test criteria. All such data will be deleted from the test system immediately upon completion of the tests.
- Criminal Offence: Criminal offence data is limited to that which relates to your health or care, a comprehensive register of criminal convictions will not be kept and the condition of Article 10 of the UK GDPR as well as s10(5) of the DPA 2018 has been fulfilled.
The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’).
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.