Carers (Scotland) Act 2016: statutory guidance - updated July 2021

Statutory guidance for local authorities, health boards and integration authorities on effective implementation of the provisions of the Carers (Scotland) Act 2016 (‘the Act’). It will also be of interest to other organisations working alongside statutory bodies to deliver carer support.

Annex E: Consent and the General Data Protection Regulation (GDPR)

1. The requirement to have a lawful basis in order to process personal data exists under the Data Protection Act 1998 (DPA). The GDPR places more emphasis on being accountable and transparent about an organisation's lawful basis for processing.

2. To process personal data 'fairly and lawfully' an organisation needs to identify one condition under Schedule 2[207] of the DPA, and also Schedule 3[208] if the data is sensitive (for example health data). From 25 May 2018, Article 6[209] and Article 9[210] of the GDPR apply accordingly.

3. Under the GDPR, it is mandatory for all public authorities and bodies to designate a Data Protection Officer responsible for ensuring compliance with the data protection law. Consideration should be given to the role and responsibilities of any third sector organisation commissioned to undertake duties under the Carers Act. For example, where they are the data processor acting on behalf of local authorities or the data controller. This is likely to be the case where a local carer centre completes the adult carer support plan and young carer statement.

4. Under the GDPR an organisation can process personal data without consent if it's necessary for:

  • a contract with the individual: for example, to supply goods or services they have requested, or to fulfil obligations under an employment contract. This also includes steps taken at their request before entering into a contract;
  • compliance with a legal obligation: if the organisation is required by UK or EU law to process the data for a particular purpose, then they can;
  • vital interests: organisations can process personal data if it's necessary to protect someone's life. This could be the life of the data subject or someone else;
  • a public task: if the organisation needs to process personal data to carry out official functions or a task in the public interest – and have a legal basis for the processing under UK law – then they can. If the organisation is a UK public authority, the ICO view is that this is likely to give them a lawful basis for many if not all of their activities; and
  • legitimate interests: for a private-sector organisation, they can process personal data without consent if they have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual's rights and interests.

5. A Privacy Impact Assessment has been completed to accompany the Act and published on the Scottish Government website.