

The processing of sensitive personal data, particularly within the health and social care sectors, is subject to stringent conditions designed to protect the privacy and security of individuals. One such provision is Article 9(2)(h) of the UK General Data Protection Regulation (UK GDPR), read together with Article 9(3) and the Data Protection Act 2018 (DPA 2018). It permits the lawful processing of special category data in specific circumstances, and entities involved in health and social care need to understand and implement it correctly.


Article 9(2)(h): The Legal Framework

Article 9(2)(h) of the UK GDPR permits the processing of special category data where it is necessary for one of several health-related purposes: preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. Such processing is lawful only where it is carried out on the basis of domestic law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3 of the same Article.

In the UK, the "basis of domestic law" is provided by section 10(2) of the DPA 2018, which requires the processing to meet a condition in Part 1 of Schedule 1. The relevant condition is Schedule 1, Part 1, paragraph 2 (health or social care purposes), which lists the same purposes:

  • Preventive or occupational medicine,
  • The assessment of an employee’s working capacity,
  • Medical diagnosis,
  • The provision of health care or treatment,
  • The provision of social care,
  • The management of health care or social care systems.


Necessity and Proportionality

The principle of necessity is pivotal: data controllers must be able to demonstrate that processing the sensitive data is a reasonable and proportionate means of achieving the health or social care purpose, and that the purpose could not reasonably be achieved in a less intrusive way. The data minimisation principle also applies, so no more data than is necessary for that purpose should be processed.


Professional Secrecy and Confidentiality

A critical safeguard under Article 9(3) is that the processing must be carried out by or under the responsibility of a professional subject to an obligation of professional secrecy. In the UK, section 11(1) of the DPA 2018 provides that this condition is met where the processing is carried out by or under the responsibility of a health professional or a social work professional (terms defined in section 204 of the DPA 2018), or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. This ensures that sensitive personal data is handled with the utmost confidentiality and security.


Practical Implementation in Health and Social Care

Consider a care home, where residents' health information must be processed to provide adequate care. The staff handling that data may include both health or social work professionals and others, such as care assistants and administrators, who are not. Every person processing the data must either be working under the responsibility of such a professional or owe a duty of confidence established by other means, such as a statutory provision, the common law duty of confidence, or an express confidentiality term in their employment contract.

In such settings, it is imperative for care home administrators to ensure that all staff are aware of and comply with their confidentiality obligations. This might include training programmes on data protection law and regular audits to confirm compliance.

Overview of Article 9(3) of the UK GDPR in the Context of Health and Social Care Data Processing

Article 9(3) of the UK General Data Protection Regulation (UK GDPR) serves as a critical safeguard for the processing of sensitive personal data, particularly in health and social care sectors. This provision complements Article 9(2)(h) by reinforcing the importance of confidentiality and professional secrecy in the management of special category data.


The Essence of Article 9(3)

Under Article 9(3), the processing of sensitive personal data referred to in paragraph 1, for the purposes set out in point (h) of paragraph 2, is permissible only when it is carried out by or under the responsibility of a professional subject to an obligation of professional secrecy under domestic law or rules established by national competent bodies. The provision also extends to other persons who, while not health or social care professionals, are likewise subject to an obligation of secrecy under domestic law or such rules. (The EU GDPR refers here to "Union or Member State law"; the UK GDPR substitutes "domestic law".)


Importance of Professional Secrecy

The requirement for professional secrecy ensures that individuals’ health and social care data are handled with the highest degree of confidentiality and security. Professionals bound by these obligations include but are not limited to:

  • Doctors,
  • Nurses,
  • Social workers,
  • Pharmacists.

These professionals are often privy to highly sensitive information, and their commitment to confidentiality is fundamental in maintaining trust in health and social care settings. It also mitigates the risk of unauthorized disclosure or misuse of personal data.


Legal Framework and Compliance

In the UK, the Data Protection Act 2018 (DPA 2018) supplements the UK GDPR by detailing how these principles apply. Section 11 of the DPA 2018 sets out the circumstances in which processing satisfies the Article 9(3) conditions and safeguards, namely processing by or under the responsibility of a health professional or social work professional, or by another person who owes a duty of confidentiality under an enactment or rule of law. The terms "health professional" and "social work professional" are defined in section 204 of the DPA 2018.

Furthermore, entities processing sensitive personal data must ensure that their policies and practices reflect these obligations. This involves not only selecting the appropriate personnel who meet these criteria but also regularly training and auditing them to ensure compliance.


Implementing Article 9(3) in Practice

To illustrate, a hospital managing patient data for treatment purposes must ensure that all processing activities are either directly handled by healthcare professionals bound by professional secrecy or are conducted under their supervision. This ensures that all handling of patient data remains within the confines of the law and the ethical expectations of the profession.

Moreover, any breach of these obligations can have serious legal and reputational consequences for the entities involved. Organisations operating within the health and social care sectors must therefore enforce these standards rigorously and ensure that all personnel understand their legal responsibilities.

Article 9(3) of the UK GDPR underscores the central role of professional secrecy in the processing of special category data in health and social care. By enforcing this obligation, the regulation protects individual privacy and supports the integrity and trustworthiness of health and social care services. Strict adherence to these principles is not only a matter of compliance; it also protects vulnerable data subjects in a system where confidentiality is paramount.



Understanding and correctly applying Article 9(2)(h) and Article 9(3) of the UK GDPR in the context of health and social care is essential for the lawful processing of special category data. Doing so ensures compliance with legal obligations and upholds the trust and safety of patients and care recipients. Entities involved in health and social care must have robust systems and processes in place to manage sensitive data securely and in accordance with the law, fostering a culture of privacy and respect for individual rights within the sector.

For organisations within the health and social care industry, adhering to these guidelines is not merely a legal requirement but a cornerstone of ethical practice and patient care.