Healthcare & Social Care UK-wide

Healthcare providers handle some of the most sensitive personal information: patient health records. This data receives special protection under UK law, with requirements beyond standard data protection compliance.

If you provide healthcare or social care services, you must understand three overlapping frameworks that govern patient data:

  • UK GDPR and Data Protection Act 2018 - Legal framework for all personal data processing
  • Common law duty of confidentiality - Legal duty arising from the patient-provider relationship
  • Caldicott Principles - NHS standards for handling patient-identifiable information

Failure to protect patient data can result in ICO fines of up to £17.5 million or 4% of global annual turnover (whichever is higher), professional misconduct proceedings, loss of CQC registration, and civil claims from affected patients.

Health data as special category data

Under UK GDPR Article 9, health data is 'special category data' that requires additional safeguards. Health data includes:

  • Physical or mental health conditions
  • Medical history and clinical notes
  • Test results and diagnoses
  • Medication records
  • Information about disabilities
  • Genetic data, and biometric data used to identify someone (each also a special category in its own right)

To process health data lawfully, you need BOTH:

  1. A lawful basis under Article 6 (such as legitimate interests, contract, or public task)
  2. A special category condition under Article 9 (typically health or social care purposes)

The Caldicott Principles

The Caldicott Principles are the foundation of patient data protection in UK healthcare. The original six principles were introduced in 1997; a seventh (the duty to share) was added in 2013 and an eighth (informing patients) in 2020. These eight principles must guide every decision about using or sharing confidential patient information.

Principle 1 - Justify the purpose(s)
Every proposed use or transfer of confidential information must be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Principle 2 - Use confidential information only when it is necessary
Confidential information should not be used unless it is necessary for the specified purpose. De-identified or anonymised data should be used wherever it will serve.
Principle 3 - Use the minimum necessary confidential information
Where confidential information is necessary, each individual item should be justified so that only the minimum amount is used.
Principle 4 - Access should be on a strict need-to-know basis
Only those who need confidential information should have access to it, and only to as much of it as their role requires.
Principle 5 - Everyone with access must be aware of their responsibilities
Action should be taken to ensure that those handling confidential information understand their responsibilities and obligations to respect confidentiality.
Principle 6 - Comply with the law
Every use of confidential information must be lawful. Someone in each organisation must be responsible for ensuring that it complies with legal requirements.
Principle 7 - The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users, within the framework set out by these principles.
Principle 8 - Inform patients and service users about how their confidential information is used
Patients should be told how their confidential information is used and what choices they have, so there are no surprises about how it is handled.

Alongside the principles, patients' rights under UK GDPR to access their data, have it corrected and, in some circumstances, have it erased must be respected and upheld.

The common law duty of confidentiality

Healthcare providers have a common law duty of confidentiality arising from the patient-provider relationship. Patients reasonably expect information shared in confidence will not be disclosed without consent.

The duty can be set aside only with the patient's consent, under a legal duty to disclose, or where there is an overriding public interest. You can share without explicit consent when:

  • Required by law - Court orders, notifiable diseases, statutory safeguarding duties
  • Direct care - Sharing with other health and care professionals involved in the patient's care, where the patient would reasonably expect it (implied consent)
  • Overriding public interest - To prevent serious harm to the patient or to others

Document your decision: Record your reasoning whenever sharing patient information without explicit consent.

Appointing a Caldicott Guardian

NHS organisations must appoint a Caldicott Guardian, and other organisations that handle confidential patient information, including larger CQC-registered providers, are expected to do the same. The Caldicott Guardian is a senior person responsible for protecting patient confidentiality and enabling appropriate information sharing.

The Caldicott Guardian ensures the Caldicott Principles are applied, advises on lawful uses of patient information, and reviews data sharing agreements. This should be a senior clinician or nurse at board level with authority to influence policy.

Data Protection Officer requirements

Many healthcare providers must also appoint a Data Protection Officer (DPO) under UK GDPR: a DPO is mandatory where the organisation is a public authority or where its core activities involve large-scale processing of special category data such as health records. This is a separate role from the Caldicott Guardian, though one person can hold both roles if suitably qualified.

Record retention for health records

Healthcare records must be retained for minimum periods set out in the NHS Records Management Code of Practice. These periods apply to any organisation providing NHS-funded care, and they are the benchmark that other healthcare providers are generally held to.

Adult health records
Retain for 8 years after the conclusion of treatment, or 8 years after death if the patient died whilst in your care
Children's records
Retain until the patient's 25th birthday (or 26th if the patient was 17 when treatment concluded), or 8 years after death if sooner
Maternity records
Retain for 25 years after the birth of the last child
Mental health records
Retain for 20 years after no further treatment, or 8 years after death
Oncology and radiotherapy records
Retain for 30 years after treatment
Records of patients involved in clinical trials
Retain for 15 years after trial completion
GP records
Retain for 10 years after death or permanent emigration; transfer the record to the new practice when a patient moves

Secure destruction: When retention periods expire, records containing patient information must be destroyed securely. Paper records should be shredded or incinerated. Electronic records must be permanently deleted using appropriate software or media destruction.

Data security requirements

Healthcare providers must implement appropriate security measures to protect patient data. Key requirements include:

  • Encryption - Encrypt patient data at rest and in transit
  • Access controls - Role-based access ensuring staff only see data needed for their role
  • Audit trails - Log every access to patient records, including read-only access, and review the logs for access without a legitimate reason
  • Staff training - Mandatory information governance training, refreshed annually
  • Clear desk policy - No patient information left visible when unattended
  • Incident reporting - Clear procedures for reporting data security incidents

Any organisation that has access to NHS patient data or NHS systems, including contractors, must complete the Data Security and Protection Toolkit (DSPT) annually to demonstrate compliance.
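The need-to-know and minimum-necessary principles above, together with the access-control and audit-trail requirements, translate into code as a check that runs on every record lookup. The block below is an added example, not code from this page or from any NHS system: it assumes an illustrative role-to-field map, a care-team list standing in for a legitimate relationship with the patient, and constructed sample records. A break-glass override is allowed (the duty to share) but only with a stated purpose, and it is written to the audit trail and flagged for Caldicott Guardian review; denied attempts are logged too.

```python
"""Need-to-know access to patient records with an append-only audit trail.

Added example. Role names, field groups, user names and the sample record
are assumptions for illustration, not a real schema or real patients.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Minimum-necessary fields per role (assumed, illustrative role model).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician":    {"name", "nhs_number", "diagnoses", "medications", "clinical_notes"},
    "pharmacist":   {"name", "nhs_number", "medications"},
    "receptionist": {"name", "nhs_number", "next_appointment"},
    "finance":      {"nhs_number", "invoice_total"},
}

# Constructed sample data: no real patient is represented here.
PATIENTS: Dict[str, Dict[str, object]] = {
    "943 476 5919": {
        "name": "Test Patient A",
        "nhs_number": "943 476 5919",
        "diagnoses": ["type 2 diabetes"],
        "medications": ["metformin 500 mg"],
        "clinical_notes": "HbA1c reviewed; continue current dose.",
        "next_appointment": "2025-03-04",
        "invoice_total": "0.00",
    },
}

# Legitimate relationship: the care team with a direct-care reason to look.
CARE_TEAM: Dict[str, Set[str]] = {"943 476 5919": {"dr.jones", "pharm.patel", "front.desk"}}


@dataclass(frozen=True)
class AuditEntry:
    at: str
    user: str
    role: str
    patient_id: str
    purpose: str
    decision: str          # "allowed", "allowed_break_glass" or "denied"
    reason: str
    fields_released: List[str]


class RecordStore:
    def __init__(self) -> None:
        self._audit: List[AuditEntry] = []   # append-only; never edited or truncated

    def _log(self, **kw) -> AuditEntry:
        entry = AuditEntry(at=datetime.now(timezone.utc).isoformat(), **kw)
        self._audit.append(entry)
        return entry

    def access(self, user: str, role: str, patient_id: str, purpose: str,
               break_glass: bool = False) -> Tuple[str, Dict[str, object]]:
        """Return (decision, released_fields). Every attempt is logged, denials included."""
        base = dict(user=user, role=role, patient_id=patient_id, purpose=purpose)
        allowed = ROLE_FIELDS.get(role)
        record = PATIENTS.get(patient_id)
        if allowed is None or record is None:
            self._log(**base, decision="denied", reason="unknown role or patient", fields_released=[])
            return "denied", {}
        if user not in CARE_TEAM.get(patient_id, set()):
            # No legitimate relationship: deny unless break-glass with a stated purpose.
            if not break_glass or not purpose.strip():
                self._log(**base, decision="denied", reason="no legitimate relationship", fields_released=[])
                return "denied", {}
            decision, reason = "allowed_break_glass", "override; flagged for Caldicott Guardian review"
        else:
            decision, reason = "allowed", "care team member"
        # Release only the fields this role needs, whatever the decision route.
        released = {k: v for k, v in record.items() if k in allowed}
        self._log(**base, decision=decision, reason=reason, fields_released=sorted(released))
        return decision, released

    def audit_for_patient(self, patient_id: str) -> List[dict]:
        """Everything logged against one patient, e.g. to answer 'who looked at my record?'."""
        return [asdict(e) for e in self._audit if e.patient_id == patient_id]

    def pending_review(self) -> List[dict]:
        """Break-glass accesses awaiting Caldicott Guardian sign-off."""
        return [asdict(e) for e in self._audit if e.decision == "allowed_break_glass"]


if __name__ == "__main__":
    store = RecordStore()
    print(store.access("dr.jones", "clinician", "943 476 5919", "direct care"))
    print(store.access("fin.clerk", "finance", "943 476 5919", "billing query"))
    print(store.access("dr.smith", "clinician", "943 476 5919",
                       "emergency admission, care team unreachable", break_glass=True))
    for e in store.pending_review():
        print("REVIEW:", e["user"], e["patient_id"], e["purpose"])
```

The two decisions are deliberately separate: whether this user may look at this patient at all (relationship or justified override), and which fields that user's role gets once they may. A clinician with a break-glass reason still sees only clinician fields, and the finance clerk with no relationship to the patient sees nothing, with the refusal itself on record.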

Handling data breaches

Healthcare data breaches are particularly serious because of the sensitive nature of health information. You must report a personal data breach to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals' rights and freedoms, and you must inform the affected patients without undue delay where the breach is likely to result in a high risk to them.

When assessing breach risk, consider: sensitivity of the data (mental health, sexual health, HIV status are particularly sensitive), volume of records affected, and potential for harm. Significant data security incidents may also need reporting to CQC as a statutory notification.

Data sharing agreements

Healthcare often requires sharing patient information with other providers. Formal data sharing agreements should cover: purpose and lawful basis, security measures, retention periods, and breach notification procedures.

Processor agreements: If another organisation processes data on your behalf (e.g., cloud hosting), you need a formal data processing agreement under UK GDPR Article 28.

Practical compliance steps

Use this checklist to ensure your healthcare practice meets data protection requirements:

  1. Register with ICO and pay data protection fee

    Many healthcare providers fall into Tier 2 (£78/year); the tier depends on staff numbers and turnover, so check the ICO's fee tiers. Register before you start seeing patients.

  2. Appoint Caldicott Guardian (if required)

    NHS organisations must appoint a senior Caldicott Guardian; other organisations handling confidential patient information, including larger CQC-registered providers, are expected to do so.

  3. Appoint DPO if large-scale health data processing

    Required for public authorities (NHS bodies) and for any provider whose core activities involve large-scale processing of health data, such as hospitals, larger GP practices and care home groups. The role can be outsourced.

  4. Create healthcare-specific privacy notice

    Inform patients how their health data is used. Display in waiting areas and on website.

  5. Implement appropriate security measures

    Encryption, access controls, audit trails, staff training, secure disposal procedures.

  6. Establish data sharing agreements

    Formal agreements before sharing patient data with other organisations.

  7. Set up breach reporting procedures

    Clear process to assess and report breaches to ICO within 72 hours if required.

  8. Complete Data Security and Protection Toolkit

    NHS contractors and those connecting to NHS systems must complete annual DSPT assessment.

  9. Train all staff in information governance

    Mandatory training on confidentiality, data protection, and security. Refresh annually.

  10. Review retention periods and implement secure destruction

    Ensure records are kept for required periods then securely destroyed.