What do health care practitioners need to know about UK GDPR?

Ahhh, GDPR! If you’re based in the UK, you’ll be familiar with this one. Privacy regulations can often be complex and hard to get your head around, so we’ve put together some simple answers to your FAQs.

Aisling Smith

If you’re a health care practitioner in the United Kingdom, it’s important to be across exactly what is required from you under UK GDPR (General Data Protection Regulation). Since 2021, UK GDPR has controlled exactly how individual personal data may be processed. Ultimately, following the regulations can help you do right by your patients and protect your business’s reputation, in addition to avoiding fines of up to £17.6 million or 4% of your annual turnover.

Cliniko can help you meet UK GDPR requirements (and we are a UK and EU GDPR-compliant system!), as the security of patient data is our top priority. But it’s a complex topic, and we get a lot of questions about it—some of which we’ll try to answer here.

Please keep in mind that this isn’t legal advice and we encourage you to seek professional guidance if you have specific queries. Nonetheless, we hope this gives some further general understanding for anyone who feels a bit baffled by it all!

How does UK GDPR define patient data?

Any information relating to an individual that could make them identifiable (whether directly or indirectly) is considered personal data. Unsurprisingly, this includes details such as name, address, date of birth, contact details, and any information relating to medical appointments.

UK GDPR also carves out an additional category for particularly sensitive information that requires a higher level of protection. This applies to anyone working in healthcare, as the category encompasses health data, as well as demographic attributes such as race, ethnicity, religion, politics, sexuality, and others. You can find more detail on the Information Commissioner’s Office (or ICO) website, which is the department that enforces UK GDPR.

What do I need to do in order to be UK GDPR compliant?

You’ll need to:

  • Appoint a data protection officer — this is the person who will ensure that you’re complying with UK GDPR requirements.
  • Create a privacy policy — this should be clear, easy to understand, and explain exactly how you go about protecting your patients’ data.
  • Implement a process to obtain consent — patients should have the option to opt in or out and be given the details of exactly what they’re consenting to upfront (more on this below!).
  • Offer UK GDPR training to employees — make sure your employees understand the regulations and their obligations.
  • Plan your response to a data breach — it’s essential to have a game plan in place for a worst-case scenario.
  • Ensure that any third-party data processors you use are compliant — do your due diligence and check the security procedures of any additional software or companies that you use.
  • Regularly audit your procedures — keep checking and updating to make sure that what you’re doing aligns with best practice.

Can I send marketing messages to my patients?

Only if they have explicitly opted in, as UK GDPR places strict limitations around who you can contact for marketing purposes. So before launching any digital marketing campaigns, you’ll need to separate out your contact lists.

For example, if you want to send around a newsletter to your patient base or offer some special discounts, you’ll need to make sure it’s only going to those who have given direct consent rather than your full list of patients. Also be sure to include clear unsubscribe links on marketing emails.

These rules also apply to any targeted ad campaigns you might want to run. Before you use analytics tools or tracking pixels on your website, you’ll need to implement a cookie banner so that visitors actively agree before any non-essential cookies are set.

Managing your email marketing is something that Cliniko can help with—when your communications are channeled through Cliniko, there’s a mechanism that allows your patients to check a box and opt in to marketing, as well as clear unsubscribe options.

Why do I need a UK GDPR consent form for patients and what should it include?

A consent form is how you formally record your patients’ acceptance of their data being recorded and processed by you. UK GDPR requires that consent is:

  • Freely given — your patients must be able to make their own choice without pressure or consequences.
  • Specific — you should be able to define exactly what they are consenting to in narrow rather than broad terms.
  • Informed — patients must have all the information upfront and know exactly what they are consenting to.
  • Unambiguous — all the language used must be clear and leave no room for doubt regarding what the patient is agreeing to.
  • Clear affirmative action — consent can only occur through a patient taking a direct and deliberate action.
  • Reversible — it must also be easy for your patients to withdraw consent at any time, with easy-to-find instructions on how to do so.

With this in mind, any consent form must:

  • Allow patients to opt in or opt out (i.e. never use a form with pre-ticked boxes).
  • Give patients the option to consent to specific things, rather than asking them for blanket consent.
  • Display the options to accept and reject with equal prominence.
  • Link back to more comprehensive privacy information.
  • Be formatted in a way that makes it accessible to all patients.

You can set up consent forms in Cliniko that tick all these boxes. For your own records, you’ll need to note the timestamp of when consent was given, the patient details, and the version of the form that the patient agreed to.

What should I do if there’s a data breach?

Despite all the best precautions, sometimes things go awry. Maybe an email went to the wrong person, or someone unauthorised gained access to patient records. The ICO defines a data breach as an occasion when: “any personal data is accidentally lost, destroyed, corrupted or disclosed.”

If this ever happens, you’ll need to:

  • Assess the damage

The first thing to do is establish whether the breach is likely to result in a negative consequence to the affected patient’s rights and freedoms. This could be emotional distress, material loss, or physical harm.

  • Inform the affected patient and report it to the ICO

If there is likely to be an adverse impact, let the patient know ASAP. You’ll need to tell them in plain language what occurred and the likely consequences, as well as the details of your data protection officer and what measures you’ve taken to deal with the breach. In these cases where negative consequences are likely, you’ll also need to notify the ICO within 72 hours of the breach occurring.

  • Record it

This applies to all breaches! Even if it isn’t severe enough to report, you’ll still need to keep a record of it.

How do I check whether software is UK GDPR compliant?

When you’re looking for new software, you’ll need to make sure that any company you use has adequate data security measures in place. This might require some research; a good start is to check out their website and evaluate the claims they make.

Do they state that they are GDPR compliant? If yes, it’s easy. If not, you’ll need to review their privacy policies and evaluate the technical measures they have in place to protect data yourself. Look for statements about:

  • Data sovereignty — this is the idea that any data that is collected must comply with the laws of the country where it was gathered, processed, or stored. So, in other words, regardless of where the company is based, their policies should be clear that they are adhering to UK laws around data collection.
  • Encryption standards — this method of encoding data to prevent it from being accessed by unauthorised parties is a crucial security measure. Any software you consider should have statements about this on their website.
  • Data retention — do they articulate a time frame as to how long data will be kept? It should really only be retained for as long as necessary, not kept indefinitely.
  • Data Processing Agreement (DPA) availability — is there a viewable copy of their DPA? At a minimum, this document should outline how data is processed, what security measures are in place, policies around retention and deletion, and what protocols are in place in case of a breach.
  • Security testing protocol — are there regular tests to ensure that the security measures in place are effective? This should include scanning for viruses and malware, as well as an assessment as to whether there are any vulnerabilities that need addressing.

How long can patient records be kept under UK GDPR?

The answer to this isn’t completely clear-cut, but the general principle according to UK GDPR is that data should only be kept for as long as it is needed. You should be able to provide a clear justification as to why you keep data for the duration that you do and a policy that outlines your standard retention. The ICO states quite specifically that individuals have a right to erasure of data you are no longer using.

However, the complexity comes from the fact that you might have obligations to retain health records beyond UK GDPR. This might vary across jurisdictions, professions, or whether or not you provide treatment in a hospital setting, so the specific timeframe that applies to you is something to double check for yourself.

We hope this helps a bit. For more tailored guidance, contact your professional association or seek independent advice. And if you have any questions about how Cliniko is GDPR compliant, please reach out to us!
Author information

Aisling is a Melbourne-based writer and all around word nerd. When she isn't writing for Cliniko, she likes circus fitness, playing her cello, and eating dessert.