General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new piece of legislation that will supersede the Data Protection Act.  It applies not only to the UK and EU but anywhere in the world in which data about UK citizens is processed.

The GDPR is similar to the Data Protection Act (DPA) 1998, but enhances many of the DPA’s principles.  The main changes are:

  • Practices must comply with subject access requests
  • Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
  • There are new, special protections for patient data
  • The Information Commissioner’s Office (ICO) must be notified within 72 hours of a data breach
  • Higher fines for data breaches – up to 20 million euros

What is ‘Patient Data’?

Patient data is information that relates to a single person, and is stored by the practice.  It contains information such as your diagnosis, name, age and full medical history.

What does ‘Consent’ mean?

Consent is permission from you as an individual and is defined as: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This means that we must get explicit permission from you when using your data, which we initially obtain from you when you complete our registration form.  This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like recording certain information about you for your clinical records.  Individuals also have the right to withdraw their consent at any time.

Under the regulations we must ensure that all data is kept fully confidential, and we:

  • May ask you for information so that you can receive proper care and treatment.
  • Will keep your information, together with details of your care, because it may be needed if we see you again (continuity of care).
  • May use some of this information for other reasons: e.g., to help us protect the health of the public generally and to contribute to improving the efficiency of the NHS.
  • May need to carry out medical and other health research for the benefit of everyone (in these cases your data will be fully anonymised so no-one will know who you are).
  • Sometimes have to pass on information under the law: e.g., to notify the NHS Central Register for England & Wales (this contains basic personal details of all patients registered with a general practitioner and does not contain clinical information).

What does this mean for you, our patients?

  • We must process data lawfully, fairly and transparently
  • We must only collect data for specific, explicit and legitimate purposes
  • We must limit collection to what is necessary for the purposes for which it is processed
  • Our information must be accurate and kept up to date
  • We must hold your data securely
  • We can only retain the data for as long as is necessary and for the reasons it was collected
  • We must inform you about how we use your data
  • You can have access to your own data
  • You can ask to have incorrect information changed
  • You can restrict how your data is used
  • You can move your patient data from one health organisation to another
  • You have the right to object to your patient information being processed (in certain circumstances)

So why do we need access at the Practice?

We need to:

  • Provide you with health care and treatment
  • Look after your general health
  • Manage and plan within the NHS, e.g. we need to:
    • make sure that our services can meet patient needs in the future
    • pay your doctor, nurse, or other staff, and the hospital which treats you for the care they provide
    • audit accounts
    • prepare statistics on NHS performance and activity (anonymised)
    • investigate complaints or legal claims
    • help staff to review the care they provide to make sure it is of the highest standard
    • train and educate staff (but you can choose whether or not to be involved personally)
    • complete research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to see if you are willing)

Everyone working for the NHS has a legal duty to keep information about you confidential

All our staff sign a confidentiality agreement when they begin work at the practice, but you may also be receiving care from other areas within the NHS.  Therefore, so that we can all work together for your benefit, we may need to share some information about you.

We only ever use or pass on information about you if people have a genuine need for it and it is in your and everyone's interests.  Whenever we can, we remove details that identify you.  The law strictly controls the sharing of some types of very sensitive personal information.

Anyone who receives information from us is also under a legal duty to keep it confidential.