Data protection for healthcare providers

How healthcare providers must handle patient data under UK GDPR, including special category health data requirements, Caldicott Principles, the common law duty of confidentiality, and record retention requirements.

UK-wide
Guide summary

If you provide healthcare or social care, you must protect patient data under UK law. This includes registering with the ICO, appointing a Data Protection Officer and Caldicott Guardian if needed, and following the Caldicott Principles. You must also keep records secure, share data safely, and retain them for set periods.

  • Register with ICO as data controller (£40-£2,900 fee)
  • Appoint Data Protection Officer if processing large scale health data
  • Appoint Caldicott Guardian if NHS or care home
  • Keep patient records secure (encrypt, control access)
  • Share data only with formal agreements
  • Retain adult records 8 years, child records 25 years
  • Respond to patient access requests within 1 month
  • Report high-risk data breaches to ICO within 72 hours
  • Follow Caldicott Principles for confidentiality
  • Inform patients how their data is used

Healthcare providers handle some of the most sensitive personal information: patient health records. This data receives special protection under UK law, with requirements beyond standard data protection compliance.

If you provide healthcare or social care services, you must understand three overlapping frameworks that govern patient data:

  • UK GDPR and Data Protection Act 2018 - Legal framework for all personal data processing
  • Common law duty of confidentiality - Legal duty arising from the patient-provider relationship
  • Caldicott Principles - NHS standards for handling patient-identifiable information

Failure to protect patient data can result in ICO fines up to £17.5 million, professional misconduct proceedings, loss of CQC registration, and civil claims from affected patients.

The Data (Use and Access) Act 2025 amends UK GDPR and the Data Protection Act 2018, with its main data protection provisions in force from 5 February 2026.

Health data as special category data

Under UK GDPR Article 9, health data is 'special category data' that requires additional safeguards. Health data includes:

  • Physical or mental health conditions
  • Medical history and clinical notes
  • Test results and diagnoses
  • Medication records
  • Information about disabilities

Genetic data and biometric data (where used to identify someone) are separate special categories under Article 9 in their own right, alongside health data - all three are common in healthcare settings.

To process health data lawfully, you need BOTH:

  1. A lawful basis under Article 6 (such as legitimate interests, contract, or public task)
  2. A special category condition under Article 9 (typically health or social care purposes)

The Caldicott Principles

The Caldicott Principles are the foundation of patient data protection in UK healthcare. Originally introduced in 1997 and updated in 2020, these eight principles must guide every decision about using or sharing patient-identifiable information.

Principle 1 - Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Principle 2 - Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s). The need to identify individuals should be considered at each stage.
Principle 3 - Use the minimum necessary confidential information
Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount is included.
Principle 4 - Access to confidential information should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and only to the items they need to see.
Principle 5 - Everyone with access to confidential information should be aware of their responsibilities
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect confidentiality.
Principle 6 - Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring their use of it complies with legal requirements.
Principle 7 - The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles.
Principle 8 - Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have.

The common law duty of confidentiality

Healthcare providers have a common law duty of confidentiality arising from the patient-provider relationship. Patients reasonably expect information shared in confidence will not be disclosed without consent.

The duty can be set aside only with patient consent, a legal duty to disclose, or an overriding public interest. You can share without explicit consent when:

  • Required by law - Court orders, notifiable diseases, safeguarding
  • Direct care purposes - Sharing with other healthcare professionals involved in the patient's care
  • Overriding public interest - To prevent serious harm to the patient or others

Document your decision: Record your reasoning whenever sharing patient information without explicit consent.

Appointing a Caldicott Guardian

Under National Data Guardian guidance, all public bodies in health and adult social care, and (since 30 June 2023) all organisations contracted to deliver publicly funded health or adult social care in England, must appoint a Caldicott Guardian - a senior person responsible for protecting patient confidentiality and enabling appropriate information sharing.

The Caldicott Guardian ensures the Caldicott Principles are applied, advises on lawful uses of patient information, and reviews data sharing agreements. This should be a senior clinician or nurse at board level with authority to influence policy.

Data Protection Officer requirements

Many healthcare providers must also appoint a Data Protection Officer (DPO) under UK GDPR. This is a separate role from the Caldicott Guardian (though one person can hold both roles if qualified).

Record retention for health records

Healthcare records must be retained for minimum periods set out in the NHS Records Management Code of Practice. The Code applies to NHS and NHS-funded services and to local-authority-commissioned adult social care and public health services; for purely private providers it is recommended good practice.

Adult health records
Retain for 8 years after last treatment or 8 years after death if patient died whilst in your care
Children's records
Retain until the patient's 25th birthday (or 26th if treatment continued after age 17), or 8 years after death
Maternity records
Retain for 25 years after birth of last child
Mental health records
Retain for 20 years after no further treatment, or 8 years after death
Oncology and radiotherapy records
Retain for 30 years after treatment
Records of patients involved in clinical trials
Retain as specified by the trial sponsor and research ethics committee; for clinical trials of medicines whose application is made on or after 28 April 2026, trial documentation must be kept for at least 25 years
GP records
Retain for 10 years after death. Records transfer to the new GP when a patient moves practice; if a patient emigrates, electronic patient records are retained, not deleted

Secure destruction: When retention periods expire, records containing patient information must be destroyed securely. Paper records should be shredded or incinerated. Electronic records must be permanently deleted using appropriate software or media destruction.
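The retention rules above are easy to get wrong when applied by hand, because the trigger date differs by record type and several categories have a separate rule on death. The following is an added worked example (not code from the original guide or from the NHS Records Management Code of Practice) that encodes the periods exactly as this page states them and reports the earliest date on which a record may be securely destroyed. The record-type names, the `HealthRecord` fields and the sample dates are constructed for illustration; a GP record for a living patient returns no expiry, matching the guide's statement that such records transfer rather than being deleted.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class RecordType(Enum):
    ADULT = "adult"
    CHILD = "child"
    MATERNITY = "maternity"
    MENTAL_HEALTH = "mental_health"
    ONCOLOGY = "oncology"          # oncology and radiotherapy records
    GP = "gp"


@dataclass
class HealthRecord:
    record_type: RecordType
    date_of_birth: date
    # Last treatment / discharge date; for maternity records, the birth of the last child.
    last_treatment: date
    date_of_death: Optional[date] = None
    # Children's records only: treatment continued after age 17 -> keep to the 26th birthday.
    treated_after_17: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec: HealthRecord) -> Optional[date]:
    """Earliest date on which the record may be securely destroyed.

    Periods are the minimums quoted in the guide; local policy may keep records
    longer. Returns None where the guide gives no expiry (a GP record for a living
    patient, which transfers to the new practice rather than being deleted).
    """
    t = rec.record_type
    died = rec.date_of_death

    if t is RecordType.GP:
        return add_years(died, 10) if died else None
    if t is RecordType.MATERNITY:
        return add_years(rec.last_treatment, 25)
    if t is RecordType.ONCOLOGY:
        return add_years(rec.last_treatment, 30)
    if t is RecordType.ADULT:
        # 8 years after death if the patient died in your care, otherwise 8 years after last treatment.
        return add_years(died or rec.last_treatment, 8)
    if t is RecordType.MENTAL_HEALTH:
        return add_years(died, 8) if died else add_years(rec.last_treatment, 20)
    if t is RecordType.CHILD:
        if died:
            return add_years(died, 8)
        return add_years(rec.date_of_birth, 26 if rec.treated_after_17 else 25)
    raise ValueError(f"unknown record type: {t}")


def due_for_destruction(rec: HealthRecord, today: date) -> bool:
    """True once the minimum retention period has elapsed (destruction may proceed)."""
    expiry = retention_expiry(rec)
    return expiry is not None and today >= expiry


if __name__ == "__main__":
    # Constructed sample: an oncology record whose last treatment fell on 29 February.
    sample = HealthRecord(RecordType.ONCOLOGY, date(1960, 1, 1), date(2000, 2, 29))
    print("expiry:", retention_expiry(sample))
    print("destroy today?", due_for_destruction(sample, date.today()))
```

Feed the function a record and today's date from your records system; anything it reports as due should go through the secure destruction route described above rather than ordinary deletion.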

Data security requirements

Healthcare providers must implement appropriate security measures to protect patient data. Key requirements include:

  • Encryption - Encrypt patient data at rest and in transit
  • Access controls - Role-based access ensuring staff only see data needed for their role
  • Audit trails - Log all access to patient records
  • Staff training - Mandatory information governance training, refreshed annually
  • Clear desk policy - No patient information left visible when unattended
  • Incident reporting - Clear procedures for reporting data security incidents

NHS contractors must complete the Data Security and Protection Toolkit (DSPT) annually to demonstrate compliance.
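Two of the requirements above, role-based access and an audit trail of every access, are most often met together in the record system's access layer. The following added example (not code from the original guide, the NHS or the DSPT) shows one way to do that in Python: each role is mapped to the record fields it needs (Caldicott Principle 4), every request must carry a documented purpose (Principle 1), and every attempt, allowed or denied, is written to an audit log before any data is returned. The roles, field names, patient identifier and record contents are constructed for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORDS: Dict[str, dict] = {
    "PATIENT-0001": {
        "name": "Test Patient",
        "address": "1 Example Street",
        "appointments": ["2026-03-02 09:30 clinic"],
        "diagnoses": ["constructed diagnosis"],
        "medications": ["constructed medication"],
        "clinical_notes": ["constructed note"],
        "invoice_total": "0.00",
    }
}

# Constructed need-to-know policy: each role may see only the fields it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "receptionist": {"name", "address", "appointments"},
    "nurse": {"name", "appointments", "diagnoses", "medications"},
    "clinician": {"name", "appointments", "diagnoses", "medications", "clinical_notes"},
    "billing": {"name", "invoice_total"},
}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    user: str
    role: str
    patient_id: str
    purpose: str
    fields: FrozenSet[str]
    outcome: str            # "allowed" or "denied"
    reason: Optional[str]   # why a request was denied


class RecordAccessService:
    """Mediates every read of a patient record and records it in the audit trail."""

    def __init__(self, records: Dict[str, dict], policy: Dict[str, Set[str]]):
        self._records = records
        self._policy = policy
        self._audit: List[AuditEntry] = []

    def read(self, user: str, role: str, patient_id: str, purpose: str,
             fields: Iterable[str]) -> dict:
        requested = frozenset(fields)
        allowed = self._policy.get(role, set())
        over_reach = requested - allowed

        reason = None
        if not purpose.strip():
            reason = "no purpose recorded for the access"
        elif over_reach:
            reason = f"role '{role}' has no need-to-know for: {sorted(over_reach)}"
        elif patient_id not in self._records:
            reason = "unknown patient identifier"

        # Log before returning anything, so denied attempts are visible to reviewers too.
        self._audit.append(AuditEntry(
            datetime.now(timezone.utc), user, role, patient_id, purpose,
            requested, "denied" if reason else "allowed", reason))
        if reason:
            raise PermissionError(reason)

        record = self._records[patient_id]
        return {f: record[f] for f in requested}   # only the items that were asked for

    def audit_trail(self) -> List[AuditEntry]:
        return list(self._audit)

    def denied_count(self) -> int:
        return sum(1 for e in self._audit if e.outcome == "denied")


if __name__ == "__main__":
    svc = RecordAccessService(SAMPLE_RECORDS, ROLE_PERMISSIONS)
    print(svc.read("u-recep", "receptionist", "PATIENT-0001",
                   "check in for appointment", {"name", "appointments"}))
    for entry in svc.audit_trail():
        print(entry.timestamp.isoformat(), entry.user, entry.outcome, entry.reason)
```

In a production system the audit list would be an append-only store that ordinary users cannot edit, and the denied entries would feed the incident-reporting procedure described above.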

Handling data breaches

Healthcare data breaches are particularly serious because of the sensitive nature of health information. You must report breaches to the ICO within 72 hours unless they are unlikely to result in a risk to any individuals - patients, staff or anyone else whose data is affected.

When assessing breach risk, consider: sensitivity of the data (mental health, sexual health, HIV status are particularly sensitive), volume of records affected, and potential for harm. Significant data security incidents may also need reporting to CQC as a statutory notification.

Data sharing agreements

Healthcare often requires sharing patient information with other providers. Formal data sharing agreements should cover: purpose and lawful basis, security measures, retention periods, and breach notification procedures.

Processor agreements: If another organisation processes data on your behalf (e.g., cloud hosting), you need a formal data processing agreement under UK GDPR Article 28.

Practical compliance steps

Use this checklist to ensure your healthcare practice meets data protection requirements:

  1. Register with ICO and pay data protection fee
     Most healthcare providers fall into Tier 2 (£78/year). Register before you start seeing patients.

  2. Appoint Caldicott Guardian (if required)
     All public bodies in health and adult social care, and all organisations contracted to deliver publicly funded health or adult social care in England, must appoint a senior Caldicott Guardian.

  3. Appoint a DPO if required
     Mandatory for all NHS bodies and GP practices (public authorities), and for private providers processing health data on a large scale. Can be outsourced.

  4. Create healthcare-specific privacy notice
     Inform patients how their health data is used. Display in waiting areas and on website.

  5. Implement appropriate security measures
     Encryption, access controls, audit trails, staff training, secure disposal procedures.

  6. Establish data sharing agreements
     Formal agreements before sharing patient data with other organisations.

  7. Set up breach reporting procedures
     Clear process to assess and report breaches to ICO within 72 hours if required.

  8. Complete Data Security and Protection Toolkit
     NHS contractors and those connecting to NHS systems must complete annual DSPT assessment.

  9. Train all staff in information governance
     Mandatory training on confidentiality, data protection, and security. Refresh annually.

  10. Review retention periods and implement secure destruction
      Ensure records are kept for required periods then securely destroyed.