3b. LAWFUL BASIS AND DATA CONTROLLERSHIP
Once your integrated care activities have been assigned to lead organisations and described, you then need to establish whether the designated activities possess sufficient lawful basis to undertake the activity in their own right. Where this is the case, the organisation can act as a data controller and enter into a data processing agreement with the organisation hosting the data store. Where this is not the case, the organisation will need to become a data processor of other organisation(s) within the care system who do have sufficient lawful basis.
It is important to note that whether an organisation has the lawful basis to process personal data for integrated care is dependent on them possessing the statutory duties or responsibilities to undertake the activity and responsibility for the relevant registered or resident populations within its scope. It is highly unlikely that a single organisation will have sufficient lawful basis process personal data for integrated care across a care system - it will require organisations to act together as either joint data controllers or entering into a contract with data processors.
Once you have established who has the lawful basis, based on both statutory duties and geographical footprints, you can then identify your data controllers and processors for each activity (see flow chart below). Ensure to record the organisation hosting the data store as an additional processor (unless, of course, the organisation undertaking the activity also hosts the data store).
The Data Protection Act 2018 and GDPR require organisations processing personal data to assume legal responsibility for the processing. This requires them to demonstrate a lawful basis to use the data and identify data controller and, where necessary, data processor responsibilities.
For each activity you wish organisations within your care system to undertake, you should now determine and record:
- the statutory duties that underpin the activity, using the SUDGT lawful basis reference tables (opens in a new window)
- the data controllers and processors for each activity, including the data store hosts
- identify and group unique combinations of data processor and data controllers, along with the activities that sit under each (this will help you design the most efficient contractual framework in Step 5)
This information can be recorded in the SUDGT input tool.
HINTS AND TIPS
- Data processors and controllers should be identified as follows:
- where the processing organisation possesses sufficient lawful basis in its own right (i.e. that is possesses the necessary statutory duties and only intends to process personal data for its resident or registered population), identify the organisation as data controller for the activity
- where the processing organisation possesses the necessary statutory duties for the activity, but needs to process data for a wider population, identify the organisation as joint data controller along with all other organisations who together provide the lawful basis
- where the processing organisation does not possess sufficient lawful basis (i.e. it does not possess the necessary statutory duties or intends to process personal data for a wider population), identify the organisation as data processor and the organisation(s) within the care system who do possess the lawful basis as data controller(s) for the activity. The data processor must only operate under the clear instruction of the data controller.
- the organisation(s) hosting the integrated care data store needs to be identified as an additional data processor for each activity
FOR EXAMPLE: a lead provider does not have lawful basis to undertake secondary use activities on behalf of an integrated care system, so they will become a data processor of the CCGs within the care system, acting together as a joint data controller. The CSU hosting the data store will become an additional data processor of the CCGs.