NHS / PKB Model

Legal basis of patient-contributed data

to support clinical safety

The following provides an explanation on the legal bases on which PKB relies for processing personal data following the latest court decisions, updated guidance which have resulted from these, external legal advice and a comprehensive review by NHSX and NHSD.


Definition of terms:


Patient Record: comprises data uploaded and shared from health record systems which are made available to Healthcare Professionals (HCPs) and patients via the PKB platform.

Patient Account: comprises patient contributed data uploaded and shared by the patient which are made available to HCPs via the PKB platform.


In the past, Patient-contributed data has been retained on the legal basis of consent:

PKB has historically relied on consent to satisfy data protection laws to process data obtained directly from the patient. Until recently, it was thought consent was the only available legal basis for this processing, as bases on which the public sector could rely to provide a legal basis were not an option to a private supplier unless providing healthcare services under an NHS contract. External legal advisers have advised that this is not the case.


Professionals are at risk if they base a decision on patient-contributed data:

Once viewed by a HCP, the Patient Account, held by PKB, is a Health Record, as defined by section 205 of the DPA 2018, as the data is considered by a HCP when making a diagnosis or decision. PKB customers have raised concerns about relying on consent as the lawful basis, as consent can be withdrawn, and also engages the right to request erasure by the patient (GDPR Article 17). PKB, as a controller for the Patient Account, would have to comply with the withdrawal of consent, which would have the same result.


The impact of a patient withdrawing consent for patient-contributed data would be that the HCP loses the record of the basis of their clinical decision:

This represents a challenge to the HCP’s professional duty to maintain contemporaneous records. A robust audit and forensic analysis capability must be available for any healthcare-related record for medico-legal purposes.


The legal bases that Providers will use for provider-contributed data remain:


  • GDPR article 6(1)(e) - processing a task carried out in the public interest or as an official authority and

  • GDPR article 9(2)(h) - processing that is necessary for the provision of health or social care.


New legal bases for Patient-contributed data

The legal basis that PKB relies on for processing patient-contributed data has changed. GDPR Article 6(1)(a) - consent obtained - and GDPR Article 9(2)(a) - explicit consent obtained - are no longer recommended following the latest legal advice.


PKB will now rely on the following:


  • GDPR article 6(1)(f) - processing under legitimate interests. The interests, rights or freedoms of the patient would not be overridden. The activation of the account and inclusion of information within the account by the patient is entirely voluntary.


  • GDPR Article 9(2)(h) - processing that is necessary for the provision of health or social care. The PKB platform ensures patient information is available to providers, relatives and/or carers to support the delivery of care, as well as assisting the patient to access health or social care.


This legal bases as a joint data controller with the provider for patient-contributed data will ensure PKB can retain data as necessary for all HCPs. The patients’ Right to Erasure would not, apart from very limited and specific circumstances, arise in respect of the data held in the PHR, ensuring that a robust medico-legal audit trail and forensic analysis ability is maintained.


PKB and Provider as Joint Controllers

It is important to know that, determining the extent to which a party fulfils a particular data protection role is one of substance, rather than merely applying a label.