Lawful Basis – resources and case studies
The ICO have a Lawful basis interactive guidance tool to help organisations determine the appropriate lawful basis for their data sharing, along with lawful basis resources, including slide presentations (lawful-basis-presentation), to refer to.
For processing to be lawful under the UK GDPR, controllers must identify (and document) a lawful basis for the processing.
The basis of consent is only one of six lawful bases and the UK GDPR sets a high standard for controllers to demonstrate that the conditions required for consent have been met. Thus, in this context, consent is unlikely to be an appropriate lawful basis for adult protection purposes, due to the perceived power imbalance between client and practitioner. However both Public Task and Legal Obligation would be more appropriate - through each link you will find detailed explanations and examples where each basis is appropriate. There are also a number of case studies showing different approaches to data sharing here: Case studies | ICO and here: Annex C: case studies | ICO.
Relying on a lawful basis other than consent does not prevent practitioners seeking the adult's input or views and being transparent about the sharing, indeed it is an important component of a controller's fairness and transparency obligations under data protection law.
General Practices should, in advance of potential need, determine and document which lawful basis they can rely on in different scenarios. This should be done in consultation with their Data Protection Officer where available.
There is a problem
Thanks for your feedback