GDPR: what are the implications for NHS Foundation Trust memberships?

Posted 10:44 Friday 9 March 2018
Nick Goodman


The GDPR is the General Data Protection Regulation, a European-wide regulation that changes how organisations may collect, use and transfer personal data. It applies from 25 May 2018. A new Data Protection Bill, currently travelling through Parliament, will supplement it in UK law; the resulting Data Protection Act 2018 will repeal the current Data Protection Act 1998. Brexit has no effect here: the Government has confirmed that the UK will still implement the GDPR.

It is being introduced to harmonise existing data protection legislation across the EU and to strengthen data protection rights for individuals. In particular, it updates the protection individuals have over how their personal data is generated, manipulated and used. The landscape has changed significantly since the Data Protection Act 1998, with digital channels (including cookies) and changing consumer attitudes being notable factors.

MES work with the majority of NHS Foundation Trusts, helping to support their memberships with a variety of services and systems. With just under three months to go, we thought now would be a good time to share our thoughts and observations about Foundation Trust membership and GDPR (note that this is not legal advice, but hopefully some helpful pointers for your legal teams).

A good starting point for a Foundation Trust’s GDPR team is the question: what is the legal basis for processing membership data?

The processing of personal data is lawful only if at least one of the following six conditions applies:

  • There is a legal obligation on the Data Controller
  • Processing is necessary for a contract between the Data Subject (e.g. a staff member) and the Data Controller
  • Processing is in the public interest or in the exercise of official authority vested in the Data Controller
  • Processing is in the legitimate interest of the Data Controller*
  • Processing is in the vital interest of the Data Subject
  • The Data Subject has given consent to the processing for one or more specific purposes

Only one of the above conditions is required for processing personal data, although different conditions can apply to different purposes.

*A public authority cannot rely upon legitimate interest when it is carrying out its public tasks (it should use the public interest/official authority condition instead). However, the Data Protection Bill as it currently stands has been amended by the Government so that a public authority performing non-public tasks can rely on legitimate interests.

There are a number of Acts of Parliament that have created and govern the role and functioning of Foundation Trusts: the Health and Social Care (Community Health and Standards) Act 2003, the National Health Service Act 2006 and the Health and Social Care Act 2012.

Consent or not consent … that is the question

There is therefore a strong argument to be made that FTs are processing membership data because there is a statutory requirement to do so and/or because they are exercising their official authority as public bodies.

To that end, consent, though ordinarily obtained when signing members up, is NOT the legal basis on which that data is being processed. The data is being processed because there are alternative lawful bases obliging an FT to maintain a membership, run elections, ensure the membership is representative of the locality, and so on.

If, however, a Foundation Trust does judge consent to be the basis on which it is processing membership data, then consent needs to be obtained from members and kept up to date, and perhaps reconfirmed if it was obtained some time ago. It is important to remember that, in this case, members must positively confirm their membership: it is not enough to say ‘unless we hear from you, we will assume you wish to continue being a member’.

Nevertheless, you should still make sure your data is good and up to date

Even if your Foundation Trust decides that it is processing data because of a legal requirement to do so (and is therefore not reliant on consent), there is still an onus on Trusts to ensure they are holding accurate, up-to-date data. MES would therefore suggest you consider whether this is a good time to check the quality of your membership data, whether staff, public, patient or carer. When did you last communicate with them? Are there members you believe may no longer be ‘active’? Is it worth checking and cleansing your database more fully now, and putting in place a process to do so at regular intervals?

Member engagement is only as good as the engagement initiatives you put in place, and the better the quality of that engagement, the better your data is likely to be. With GDPR just a few months away, now may be a good time to check in with your members.

A good resource for more detail about what is changing is the Information Commissioner’s Office (ICO) own guide to the GDPR.

The ICO has also prepared a readiness document for organisations: “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”.

If you need to discuss any aspect of GDPR in relation to Foundation Trust membership schemes, or need advice or help in reaching out to your members, please get in touch. We are here to help.
