1. GP practices must have a data protection officer (DPO)

All NHS-funded GP practices are considered as public authorities and are required to appoint or have in place arrangements to share a DPO.

The DPO must have proven expert knowledge of data protection law and practice. They will need to keep up to date with any changes and clarifications (for example from the ICO) and understand how these changes impact the practice.

2. Provide privacy notices

You must provide patients with information including:

explaining the lawful purpose behind why you are processing their personal data. For healthcare organisations this may be Article 6(1)(e) of the UK GDPR that it is "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…" and Article 9 for special category data, which includes personal data about health
data retention periods
who it will be shared with.

The ICO has a useful checklist explaining the information privacy notices need to contain.

If you're relying on other legal bases, you will need to specify these in the privacy notice.

3. Have in place procedures for subject access requests

Individuals may request access to their own records. In certain circumstances, third-party information may be disclosed without consent, such as in response to a court order.

In most cases, however, you should redact any third-party information unless the third party consents to the disclosure, or if they do not, if you consider disclosure is reasonable in all the circumstances. For example, if the third-party data is already known to the person requesting it. You should also redact any information if you believe disclosure may cause serious harm to the patient or to anyone else.

The UK GDPR and the Data Protection Act 2018 (DPA) only applies to the data of living individuals.

Deceased patients' records in England, Wales and Scotland are still subject to the Access to Health Records Act 1990.
Deceased patients' records in Northern Ireland are subject to the Access to Health Records (Northern Ireland) Order 1993.

Practices also need to be aware of the GMC's guidance on confidentiality.

Many of the provisions relating to subject access are long-standing. However, there are some changes to subject access request processes from the Data Protection Act 1998. These include:

the subject access request does not have to be in writing
the subject cannot be charged for copies of records unless the request is "manifestly unfounded, excessive or repetitive". You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare, and when considering them, doctors should bear in mind their general duties towards patients as set out in the GMC's 'Good medical practice' (2024) and its specific guidance on confidentiality. It may be helpful to discuss such cases with the DPO and/or to seek advice from us
you need to provide the information within one calendar month
in Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records and can allow or prevent access by others, including parents. In England, Wales and Northern Ireland, competence of minors is assessed on a case-by-case basis. A child or young person may have capacity to consent to disclosure and if they do, they should be asked for consent
you should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided about the right to complain to the ICO or judicial remedy.

Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.

4. Review checklists

Most practices will have modified their processes to become compliant with the Data Protection Act 2018. If you want to review or audit your arrangements, the ICO has a checklist.

5. Pay a data protection fee

The Data Protection (Charges and Information) Regulations came into force on 25 May 2019. These regulations introduced new fees for data controllers. They set the charge period in which the fee is due for payment and fix the fee to be paid.

The amount you need to pay will depend on how many people you have in your organisation. You can find out more on the ICO's website.

Further advice

For more advice around GDPR and data protection, read our guides on:

GPs training in England and Wales can save 70% on their first year of GP membership, with further savings for the following four years. Find out more here.

GDPR: five things GPs need to have in place

More on GDPR

Related articles

Membership in your pocket