As a doctor in independent medical practice in the UK, you control patients' personal data as the 'data controller' under the Data Protection Act 2018 (DPA). As the data controller, you may ask others to process data on your behalf (a practice manager or secretary) and they will be 'data processors'.

The GDPR applies to data controllers and processors, but the principal responsibility for compliance sits with you as the data controller.

Here are some things independent practitioners should consider.

1. Identify whether you need a data protection officer

The UK GDPR requires data controllers to appoint a data protection officer (DPO) if they are a public authority or a 'large scale' processor of special category personal data. It's not clear what large scale processing entails, but it's unlikely this would apply to an individual independent practitioner.

However, while a single independent practitioner is unlikely to need to appoint a DPO, larger multiple location or corporate private medical providers may need to.

If practices are not required to appoint a DPO, they may nevertheless wish to have a data protection lead. The title 'data protection officer' has a specific legal meaning and legal duties that relate to it; if your practice is not required to appoint a DPO but has a data protection lead, make sure the title DPO is not used to describe that role.

2. Identify your lawful basis for processing personal data

The UK GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified. You must determine a valid lawful basis for processing personal data, and inform the subject of the basis or bases you are relying on (if there is more than one).

Consent may seem an attractive lawful basis for processing, but keep in mind that you may need to continue to process information for other reasons if the patient withdraws consent. While consent is clearly an important part of making sure data is used appropriately, it is unlikely to be the only lawful basis in independent healthcare settings.

More appropriate might be Article 6(1)(b): 'processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract'.

In addition, health data is regarded as 'special category data' - as sensitive data, it requires more protection. This means that as well as having a lawful basis for processing information, you must identify a special condition for processing under Article 9.

3. Privacy notices

You must provide individuals with information including:

your purposes for processing their personal data
your retention periods for that personal data
who it will be shared with.

This privacy information must be provided to individuals at the time you collect their data. The ICO has a useful template explaining what information privacy notices need to have.

4. Procedures for subject access requests

Individuals may request access to their own records. You should redact any third-party information or anything that you believe may cause serious harm to the patient.

The UK GDPR and the DPA 2018 will only apply to the data of living individuals. Deceased patients' records in England, Wales and Scotland are still subject to the Access to Health Records Act 1990 and in Northern Ireland to the Access to Health Records (Northern Ireland) Order 1993. Practices also need to be aware of the GMC's confidentiality guidance.

Under the new data protection regime, there are some differences to the subject access request process.

A subject access request does not have to be in writing.
The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients set out in 'Good medical practice' (2024) and the GMC's specific advice in its confidentiality guidance. It may be helpful to discuss such cases with the DPO and/or seek advice from us.
You need to provide the information within one calendar month.
Children should be assessed for capacity to consent to access to their records. Children and young people with capacity have the right to access their own records and can allow or prevent access by others including parents. In Scotland, anyone aged 12 or over is legally presumed to have such capacity.
You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided regarding the right to complain to the ICO or judicial remedy.

Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.

5. Review checklists

The ICO has a self-assessment checklist that can be useful in making sure you have appropriate arrangements in place.

6. Review new data protection fees

The Data Protection (Charges and Information) Regulations came into force on 25 May 2018. These regulations introduce new fees payable by data controllers. The regulations set the charge period in which the fee is due for payment and fix the fee to be paid. The amount you need to pay will depend on how many people you have in your organisation.

You can find out more about how to register as a data controller and paying the relevant fees from the ICO's website.

If you're unsure whether you need to register, there is also a self-assessment tool.

Further advice

Read more on GDPR and data protection in our guides on:

Introduction to data protection for independent practitioners

Related articles

Membership in your pocket