For the integrated care activities selected, the care system must now be able to demonstrate their lawful basis in a robust and comprehensive manner.

The SUDGT maps common integrated care activities to the relevant statutes for statutory organisations (e.g. CCGs, providers, local authorities) and recommends applicable conditions for processing under the Data Protection Act 2018 and GDPR, approaches to the common law duty of confidence and consideration of proportionality in line with the Human Rights Act 1998.

It also identifies how the common law duty of confidence should be managed to de-identify or pseudonymise data.

The use of person-level de-identified data for secondary use integrated care analysis needs to be appropriately safeguarded. Organisations established by statute - such as NHS Trusts and CCGs - must make sure that they act within their statutory powers (vires). In addition, personal data processing must comply with data protection legislation and the common law duty of confidence.


You should now determine and record for each activity:

  • the legitimate conditions for processing under the Data Protection Act 2018 (DPA18) and GDPR, identifying the relevant legal statutes, where relying on public authority lawful basis (Article 6(1)e), which can be found in the activities tool (opens in new window)
  • confirmation that one or more controller organisations have appropriate statutory authority to carry out each processing activity 
  • how common law duty of confidence can be set aside
  • that rights under Article 8 of the Human Rights Act are qualified and the protection of health is considered a legitimate aim, ensuring that data use is proportionate.

This information can be recorded in the SUDGT input tool.


  • For activities listed in the tool, the relevant statutory duties have been mapped for you to provide assurance that statutory organisations are acting within their powers
  • Each activity needs to be linked to the statutory responsibilities of one or more of the controller organisations within your care system - it does not necessarily need to be the organisation undertaking the activity that has the statutory powers at this stage (as differences here can be managed through establishing data processing arrangements between the commissioning and provider organisations)
  • If care systems identify an activity which falls outside the reference list, they will need to check that there is an associated statutory basis and map across