Data protection · 1 July 2026
UK GDPR in healthcare: a guide for care and health providers
Health and care providers handle some of the most sensitive personal data there is. That makes UK GDPR and the Data Protection Act 2018 central to running a safe, well-led service. This guide explains what applies and how to meet it in practical terms.
The legal framework
Data protection in the UK is governed by the UK GDPR alongside the Data Protection Act 2018. The independent regulator is the Information Commissioner’s Office (ICO). Together these set out how you must handle personal data — any information about an identifiable living person.
For care providers, this sits alongside your other obligations, such as the NHS Data Security and Protection Toolkit (DSPT) and CQC’s expectations under the well-led domain. Good data protection is not a separate box to tick; it underpins safe care.
You need a lawful basis
Every time you process personal data, you must have a lawful basis for doing so. UK GDPR provides six: consent, contract, legal obligation, vital interests, public task and legitimate interests. For care delivery, you’ll often rely on legal obligation, vital interests or public task rather than consent — and it’s important to identify and record the right one rather than defaulting to consent, which can be difficult to rely on in a care setting.
Health data needs an extra condition
Information about someone’s health is special-category data under UK GDPR. This category also covers data about race, religion, sexual orientation, genetics and biometrics — but health data is the one care providers handle every day.
Because it is more sensitive, you need both a lawful basis and a separate special-category condition to process it. For health and social care, conditions such as provision of health or social care and medical diagnosis are commonly relied upon, several of which also require a policy document. Getting this right is a core part of lawful processing in a care setting.
When you need a DPIA
A Data Protection Impact Assessment (DPIA) is required whenever processing is likely to result in a high risk to people’s rights and freedoms. Given the sensitivity of health data, DPIAs come up regularly in care — for example when introducing a new electronic care records system, CCTV, medication management software or a data-sharing arrangement.
A DPIA helps you identify and reduce risks before you start. Our guide to DPIAs explains the process step by step.
Record what you do: the RoPA
Most care providers must keep a Record of Processing Activities (RoPA) — a structured record of what personal data you hold, why, who you share it with and how long you keep it. It’s a foundational document that also supports your DSPT information asset register. See our RoPA guide for what to include.
Responding to individuals’ rights
People have rights over their own data. The one care teams meet most often is the Subject Access Request (SAR) — a request to see the personal data you hold about someone. You must usually respond free of charge within one month. Requests can come from service users, relatives or representatives, so it pays to have a clear process. Our SAR guide covers how to handle them.
When something goes wrong: breach reporting
A personal data breach is any security incident that leads to personal data being lost, stolen, altered or disclosed inappropriately. If a breach is likely to risk people’s rights and freedoms, you must report it to the ICO without undue delay and within 72 hours of becoming aware of it. Where the risk is high, you may also need to tell the affected individuals. Our breach reporting guide explains the steps.
Being transparent: privacy notices
You must tell people how you use their data, in clear and accessible language, through a privacy notice. In a care setting this means explaining, in a way service users and families can understand, what you collect and why. See our privacy notices guide.
Do you need a Data Protection Officer?
A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale processing of special-category data. Many independent care providers won’t strictly require one, but the question deserves a proper answer — see do you need a DPO?.
A practical checklist for care providers
- Identify a lawful basis and special-category condition for each processing activity
- Keep an up-to-date RoPA
- Run DPIAs for new or high-risk processing
- Have clear SAR and breach procedures your team can follow
- Publish accessible privacy notices
- Train all staff in data protection (see our staff training guide)
- Register with the ICO and pay the data protection fee (see ICO registration)
The data protection principles
Underpinning all of the above are UK GDPR’s core principles. Personal data must be processed lawfully, fairly and transparently; collected for specified purposes; limited to what’s necessary; kept accurate; not held longer than needed; and kept secure. There is also an overarching principle of accountability — you must not only comply, but be able to demonstrate that you comply. For care providers, that evidence trail (policies, records, training logs, DPIAs) is what turns good intentions into defensible compliance if the ICO or CQC ever asks.
How we can help
Data protection in health and care is entirely manageable with the right structure — but it takes time that clinical and care teams rarely have. We offer a clear, fixed-fee engagement that reviews your processing, puts the right records and procedures in place, and supports your team throughout. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our Data Protection & UK GDPR service.