General Data Protection Regulation (GDPR) makes data subjects' rights clear.
The UK left the EU in January 2020 and, at the end of the transition period, the EU GDPR was retained in UK law as the UK GDPR. The Data Protection Act 2018 sets out the data protection framework in the UK, and the UK GDPR defines the core principles, rights and obligations for processing personal data, including the rights of data subjects.
As an NHS GP practice, you are likely to be a data controller and have obligations arising from the individual rights of data subjects which are summarised in the following eight rights.
1: The right to be informed
The GDPR sets out what information data controllers need to supply to data subjects - i.e., patients. This is sometimes referred to as the "transparency requirement". This must be actively provided by displaying a privacy notice (for example, in practice premises and on the website) with the following information:
- the name and contact details of the data controller, and your data protection officer where relevant
- your purposes for processing patients’ personal data and the legal bases for doing so, your retention periods and details of who information will be shared with
- the categories of personal data you obtain
- the rights available to individuals in respect of the processing
- the right to withdraw consent at any time (although we note that healthcare services do not generally rely on, or solely on, patient consent as a legal basis for processing their personal data)
- the right to request restriction of processing
- the right to lodge a complaint with a supervisory authority (the ICO)
- the details of any automated decision-making, including profiling and information about how decisions are made, their significance and consequences
- details of transfers to countries outside the UK and the safeguards in place (although we note that this would be a rare consideration in the provision of healthcare to practice patients)
The information the Practice provides should be concise, transparent and easily accessible. It should be written in clear and plain language, particularly if any parts are intended to be read by a child.
The GMC's Confidentiality: Good practice in handling patient information states that when registered doctors are sharing personal information about patients for direct care, details about how it will be used and their right to object should be made readily available to patients.
Most patients understand and expect their information to be shared within the direct care team, which includes administrative staff. If patients object to any or all of their information being shared, you should respect this decision unless disclosure is considered to be in the public interest or of overall benefit to a patient who lacks capacity to make a decision about the sharing of their information.
2: The right of access
Patients have the right to access and receive a copy of their personal data on request, commonly referred to as a subject access request (SAR). In certain circumstances, a third party can make a SAR on behalf of another person.
Practices are obliged to conduct a reasonable search for the requested information.
Information should be given to patients without unnecessary delay, and at the latest within one month of the request. This deadline can be extended by a further two months if requests are complex or numerous. If you need an extension, you will need to tell the patient why within one month.
Under GDPR, patients cannot be charged for subject access requests unless the request is 'manifestly unfounded or excessive' or is a second or repeat request for the same information. In those circumstances practices may charge a 'reasonable fee' based on the administrative costs of providing the information. The legislation does not define unfounded, excessive or reasonable fee, and the onus of determining these is on the data controller.
If the request is unfounded or excessive you can refuse to act on it, but you must explain your decision and the reasons for it to the patient and advise them of their right to complain to the ICO and/or to seek a judicial remedy if they are not satisfied.
The ICO provides detailed information about SARs including a SAR request self-service tool, which practices may find useful.
3: The right to rectification
Data subjects have the right to have inaccurate data corrected or completed if it is incomplete, although this will depend on the purposes for the processing and may involve providing a supplementary statement to the incomplete data.
If a request is received, you should take reasonable steps to check the data is accurate and rectify it if necessary. You should consider comments and material provided by the patient to support the request.
The UK GDPR does not define “accuracy” but the DPA 2018 states personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
A clinical opinion is not inaccurate data, even if it later turns out to be incorrect. You are not required to remove clinical opinions from the records but can agree a form of words with the patient to be added to the records to document they disagree with the opinion.
The ICO has published guidance on what to do about data recording a disputed opinion. The ICO notes that opinions are subjective and it can be difficult to conclude the record of an opinion is inaccurate. The ICO states that if the record shows the information is an opinion and whose opinion it is, it may be difficult to say it is inaccurate and needs to be rectified.
You must respond to rectification requests within a month. The one-month period may be extended by a further two months when the request is complex.
If you refuse a request for rectification, you must explain your decision and the reasons for it to the patient and advise them of their right to complain to the ICO and to seek a judicial remedy if they are not satisfied.
4: The right to erasure - the right to be forgotten
This allows an individual to request removal or deletion of personal data, for example, where the data is no longer necessary for the purpose it was collected. The right is not absolute and only applies in certain circumstances.
You can refuse to comply with a request for erasure of records if you consider that continued processing of the specific personal data is necessary for one of the following purposes:
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes.
As these are the legal bases for most NHS processing, it is unlikely the right to erasure will apply to health records that need to be maintained. The UK GDPR also specifies the following two circumstances where the right to erasure will not apply to special category data:
- where processing is necessary for public health purposes in the public interest; or
- where processing is necessary for preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. This only applies where the data is processed by or under the responsibility of a professional who is subject to a legal obligation of professional secrecy (e.g. a healthcare professional).
5: The right to restrict processing
This is not an absolute right and only applies in certain circumstances.
Individuals can request that you stop processing their data in the following circumstances:
- they have contested the accuracy of their personal data and you are verifying the accuracy of the data.
- the data has been unlawfully processed, and the individual opposes erasure and requests restriction instead.
- you no longer need the data but the individual needs you to keep it to establish, exercise, or defend a legal claim.
- the individual objects to you processing their data to perform a public interest task or purpose of legitimate interests and you are considering if your organisation's legitimate grounds override those of the individual.
The ICO advises that, as a matter of good practice, data controllers should restrict processing when considering the accuracy or legitimate grounds for processing the personal data in question.
This means you can store the personal data but not process it further. You will need to establish procedures to receive and assess requests to restrict processing. You should discuss with your system provider how to do this technically; for example, by removing access to the whole or part of a record, prevention of changes or deletion of the data.
If you decide to lift a restriction on processing, you must inform the individual before doing so and explain the reasons for your decision.
If you decide to refuse a request for restriction, you must advise the individual of your decision and the reasons for it.
6: The right to data portability
This allows individuals to obtain and reuse their data for their own purposes across different services. Requested data must be provided in a structured, commonly used and machine-readable format.
The right only applies to the following data:
- personal data provided by an individual
- where the lawful basis for processing is consent, or the performance of a contract, and
- where processing is automated.
The information must be provided free of charge within one month. Because NHS practices generally rely on the public task lawful basis rather than consent or contract (see below), this right will rarely apply to processing of health records.
7: The right to object
The right to object only applies in certain circumstances. Whether it applies depends on your purposes and lawful bases for processing.
Data subjects have a right to object to processing of their data even if the data controller believes it is legitimate to do so. The grounds for their objection must relate to their particular situation.
Controllers must stop processing the data unless they can demonstrate compelling, legitimate grounds for processing that override the interests, rights and freedoms of the individual (such as performing a task in the public interest or exercise of official authority), or the processing is for the establishment, exercise or defence of a legal claim.
If you are satisfied you do not need to comply with a request of this type you should let the individual know, explaining your decision and informing them of their right to complain to the ICO and seek a judicial remedy if they are not satisfied.
8: Rights related to automated decision-making and profiling
The UK GDPR applies to all automated individual decision-making and profiling.
Individuals have the right not to be subject to a decision based solely on automated processing that produces a legal effect on them or similarly significantly affects them.
The GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, especially to analyse or predict certain things, including health.
Automated decisions can be made with or without profiling and profiling can take place without making an automated decision.
Lawful basis for data processing
Article 6 of the UK GDPR sets out the six lawful bases for processing personal data, and there is detailed guidance on the ICO's website on this complex area. All personal data must be processed under one or more of these six lawful bases.
The relevant Article 6 basis for NHS practitioners and organisations is likely to be that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller - Article 6(1)(e).
To process special category (sensitive) personal data, a data controller must have a lawful basis under Article 6 and also meet one of the conditions in Article 9(2). One of these conditions, Article 9(2)(h), covers processing for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
Although it is very important to advise patients how their data will be used, consent is only one of the lawful bases available for processing personal data and is not usually the most appropriate lawful basis for organisations processing special category personal data for the provision of clinical care.
When it comes to private/independent practice, it is likely that the appropriate lawful basis under Article 6 will be:
- data processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract - Article 6(1)(b).
Independent practitioners may be able to rely on this as their lawful basis for data processing under Article 6.
Read more about data protection for independent practitioners.
Consent
While consent is one lawful basis for processing personal data under Article 6 of the UK GDPR (and explicit consent is one of the Article 9 conditions for special category data), consent is unlikely to be the most appropriate basis for processing data used for clinical care in many health and social care contexts.
This may seem to run against the principle that patients must be made aware of how their data is to be used. However, relying upon consent as a legal basis for processing personal data under GDPR has very specific requirements. In particular it would mean that data couldn't be processed once consent is withdrawn.
That can be problematic in a healthcare context where there may be an obligation to retain records for a given period or where a practitioner cannot agree to delete accurate information from a clinical record just because the patient would prefer it not to be included in their records.
You can find more information about the GDPR including how to deal with data breaches on our website. For more, read our guide to GDPR data breaches.
This page was correct at publication on 29/04/2026. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.