Legal basis to use personal information

Data protection legislation ensures processing personal data is lawful and transparent.

The HSE must have valid and legal reasons to process personal data. This is called a ‘legal basis’. This means we must have a relevant legal basis for collecting and processing the data of patients, service users and staff.

The six legal bases laid down in the General Data Protection Regulation (GDPR) include:

  • contract
  • legal obligation
  • vital interest
  • task carried out in public interest or exercise of official authority vested in the controller
  • legitimate interests
  • consent

The HSE legal bases for processing personal data includes tasks carried out in public interest/official authority vested in the controller and vital interests. We do not use consent as the legal basis to process personal or special category data when it relates to providing healthcare services.

We are responsible for ensuring that patients, service users and staff are informed about how their information will be used. This is commonly achieved through privacy statements on our HSE websites.

Legal basis for processing personal data

Public interest or official authority

The processing is necessary for a task carried out in the public interest; or carrying out an official authority vested in the HSE (Article 6(1)(e) GDPR).

Vital interest

The processing is necessary to protect the vital interests of the data subject, for example, in emergency situations such as being unconscious in an emergency department (Article 6(1) (d) GDPR).

Legal basis for processing special category data

Special category data includes data that reveals:

  • racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
  • health data
  • sex life details and sexual orientation
  • genetic and biometric data

The HSE's primary legal basis for processing special category data is when processing is necessary for the purposes of:

  • preventative or occupational medicine
  • medical diagnosis
  • provision of healthcare
  • treatment or social care
  • management of health or social care systems and services or pursuant to a contract with a health professional

(Article 9(2) (h) GDPR)

Legal basis and consent

Consent for medical treatment is different to using consent as the legal basis for processing personal and special category data.

Medical consent is necessary for clinical procedures; but is not appropriate for general processing of health information (for example, medical records management).

If you are unsure about using consent as a legal basis for processing personal or special category data, contact the National Data Protection Officer (dpo@hse.ie); or your regional Deputy Data Protection Officer (DDPO).

Important

The HSE may require medical consent from service users for clinical procedures. We do not require consent to process personal and special category data when it relates to providing healthcare services.