
What does GDPR say?

Sources

UK GDPR article 4: Definitions

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as

  • a name,

  • an identification number,

  • location data,

  • an online identifier

  • or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as

  • collection,

  • recording,

  • organisation,

  • structuring,

  • storage,

  • adaptation or alteration,

  • retrieval,

  • consultation,

  • use,

  • disclosure by transmission, dissemination or otherwise making available,

  • alignment or combination,

  • restriction,

  • erasure or destruction;

[Extracts from Article 4. Emphasis and bullet points added.]


Note that the definition of ‘processing’ includes an explicit reference to data sharing (“disclosure by transmission”).

UK GDPR article 5: Principles for processing personal data
  1. Lawfulness, fairness and transparency: Personal data must be processed in a way that is lawful, fair and transparent to the data subject.

  2. Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes.

  3. Data minimisation: Personal data must be adequate, relevant and limited to what is necessary for those purposes; it must not be collected on the chance that it might be useful in the future.

  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.

  5. Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes.

  6. Integrity and confidentiality (security): Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  7. Accountability: The controller is responsible for, and must be able to demonstrate, compliance with the principles above.

UK GDPR article 6: Lawfulness of processing

Art. 6 (1)(a): The data subject has given consent to the processing of his or her personal data for one or more specific purposes


Art. 6 (1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject;


Art. 6 (1)(e): Processing is necessary for the performance of a task of the controller carried out in the public interest or a task carried out in the exercise of official authority vested in the controller.


[Point (c) is generally referred to as the legal obligation basis and point (e) as the public task basis. Both require the basis for the processing to be laid down by law; see Art. 6(3) below.]


Art. 6 (3): The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by domestic law.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task of the controller carried out in the public interest or a task carried out in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia:

  • the general conditions governing the lawfulness of processing by the controller;

  • the types of data which are subject to the processing;

  • the data subjects concerned;

  • the entities to, and the purposes for which, the personal data may be disclosed;

  • the purpose limitation;

  • storage periods;

  • and processing operations and processing procedures, including measures to ensure lawful and fair processing...

The domestic law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.


[Extracts from Article 6. Emphasis and bullet points added. The above entries have been updated to reflect changes brought in by the Data (Use and Access) Act 2025.]


The ICO’s Data Sharing Code of Practice clarifies this as follows:


Often, the law regulating a public body’s activities is silent on the issue of data sharing. In these circumstances, it may be possible to rely on an implied power to share information derived from the express provisions of legislation. This is because express statutory powers may be taken to authorise the organisation to do other things that are reasonably incidental to those which are expressly permitted.


Public authorities are likely to rely on the public task lawful basis in Article 6.3 of the UK GDPR. This requires the legal power to be laid down by law; however it does not need to be contained in an explicit piece of legislation, but could be a common law task, function or power. You can rely on this power to share data so long as it is sufficiently foreseeable and transparent.

UK GDPR article 9: Processing of special categories of personal data

1. Processing of personal data revealing

  • racial or ethnic origin,

  • political opinions,

  • religious or philosophical beliefs,

  • or trade union membership,

and the processing of

  • genetic data,

  • biometric data for the purpose of uniquely identifying a natural person,

  • data concerning health

  • or data concerning a natural person's sex life or sexual orientation

shall be prohibited.


2. Paragraph 1 shall not apply if one of the following applies:


Art. 9 (2)(a): the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…


Art. 9 (2)(b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law


Art. 9 (2)(c): processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent


Art. 9 (2)(g): processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall

  • be proportionate to the aim pursued 

  • and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject


Art. 9 (2)(h): processing is necessary for the purposes of

  • preventive or occupational medicine,

  • for the assessment of the working capacity of the employee,

  • medical diagnosis,

  • the provision of health or social care or treatment

  • or the management of health or social care systems and services


Art. 9 (3): [Processing is permitted under Art. 9 (2)(h)] when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under domestic law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under domestic law or rules established by national competent bodies.


[Extracts from Article 9. Emphasis and bullet points added for clarity.]


s.74 Data (Use and Access) Act 2025 will allow the Secretary of State to amend or clarify the detail of Article 9 by regulations, including the definition of special category (sensitive) personal data and the processing that is or is not permitted.

UK GDPR article 89 and Data Protection Act 2018 s.19: Processing for… statistical purposes

UK GDPR Article 89


1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.


Data Protection Act 2018, s.19: Processing for archiving, research and statistical purposes: safeguards


(1) This section makes provision about—

(a) processing of personal data that is necessary for archiving purposes in the public interest,

(b) processing of personal data that is necessary for scientific or historical research purposes, and

(c) processing of personal data that is necessary for statistical purposes.


(2) Such processing does not satisfy the requirement in Article 89(1) of the UK GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject.


(3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.


[Extracts from s.19. Emphasis added.]

Data sharing in an urgent situation or in an emergency

[From the Information Commissioner's Data Sharing Code of Practice]


  • In an emergency you should go ahead and share data as is necessary and proportionate.

  • An example of an emergency situation is the risk of serious harm to human life.

  • You should plan ahead for urgent or emergency situations as far as possible.


An emergency includes:

  • preventing serious physical harm to a person;

  • preventing loss of human life;

  • protection of public health;

  • safeguarding vulnerable adults or children;

  • responding to an emergency; or

  • an immediate need to protect national security.


Tragedies over recent years such as the Grenfell Tower fire, individual instances of self-harm, major terrorist attacks in London and Manchester, and the crisis arising from the coronavirus pandemic have illustrated the need for joined-up public services responses where urgent or rapid data sharing can make a real difference to public health and safety. In these situations, it might be more harmful not to share data than to share it. You should factor in the risks involved in not sharing data to your service.


...there can be reasons why organisations and agencies are hesitant about the concept of sharing information when carrying out emergency planning, or about sharing it in the recovery phase of an incident, where the need to share information may appear less urgent.


The key point is that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so. It is particularly relevant to factor into your considerations, training and procedures for this type of situation the risks involved in not sharing data.


[Extracts from the Code of Practice. Emphasis added. The Code also provides advice on how to prepare for emergency situations by ensuring that relevant data is available and accessible for sharing.]

What else does the law say?

Sources

Key sources from primary legislation and statutory guidance:

Common Law Duty of Confidentiality

The Common Law Duty of Confidentiality underpins the concept of medical confidentiality.


“The so-called common law duty of confidentiality is complex: essentially it means that when someone shares personal information in confidence it must not be disclosed without some form of legal authority or justification.” (UK Caldicott Guardian Council)

Digital Economy Act 2017

The Digital Economy Act 2017 offers opportunities (“gateways”) for data sharing to improve public service delivery (s.35), specifically to support “the improvement of the well-being of individuals or households” (s.35 (10)).


Gateways can only be used by specified persons/organisations (set out in Schedule 4) for specified purposes (set out in s.35). At present Schedule 4 excludes health and social care organisations.


The Data Sharing Code of Practice issued under the Digital Economy Act gives further detail.

Equality Act 2010

The Equality Act 2010 sets out (s.20) the duty to make reasonable adjustments in response to people's disabilities.


The Equality and Human Rights Commission has published statutory guidance setting out how organisations should implement this duty.


The Money Advice Trust has released a podcast entitled "What makes a reasonable adjustment reasonable?".


The Equality Act also establishes the Public Sector Equality Duty (s.149). This is an anticipatory duty requiring public bodies, in the exercise of their functions, to have due regard to the need to:


(a) eliminate discrimination, harassment, victimisation and any other conduct that is prohibited by or under this Act;

(b) advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;

(c) foster good relations between persons who share a relevant protected characteristic and persons who do not share it.


Point (b) is clarified by the Equality and Human Rights Commission as "taking steps to meet the specific needs of people with protected characteristics".


This might include sharing information about someone's reasonable adjustment needs, such as communicating in a particular format or allowing longer for conversations.

The Caldicott Principles

The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes.


The principles were first drawn up in 1997 by Dame Fiona Caldicott; the seventh principle was added following her 2013 review and the eighth in 2020. They are owned and maintained by the National Data Guardian.


The principles


  1. Justify the purpose(s) for using confidential information

  2. Use confidential information only when it is necessary

  3. Use the minimum necessary confidential information

  4. Access to confidential information should be on a strict need-to-know basis

  5. Everyone with access to confidential information should be aware of their responsibilities

  6. Comply with the law

  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality

  8. Inform patients and service users about how their confidential information is used


Principle 7 in detail


The duty to share information for individual care is as important as the duty to protect patient confidentiality.


Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.


How this ought to work in practice


The National Data Guardian (NDG), the Information Commissioner and the Chief Medical Officer have published a Joint Statement promoting information sharing across health and social care.
