Data Processing

EthicalPersonal Data

Personal data is information which relates to a living individual who can be identified from the information itself or by linking it with other information – for example a person’s name, address or email address, an online profile or an employee’s human resources record, sickness absence or appraisal record. There is also ‘special category’ information which relates to sensitive personal data such as medical information, ethnic origin etc.  All information that is obtained in the course of caring for patients is confidential.


Processing is the name given to anything that is done with personal data – for example entering patient information into IT systems or simply having a patient record sitting in a filing cabinet.

Data Controllers and Data Processors

A data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a data controller. Under the General Data Protections Regulations (GDPR), data controllers must demonstrate compliance and ensure that their data processors comply with specific legal obligations; for example, data processors are required to maintain records of personal data and processing activities. Data processors have legal liability if they are responsible for a data breach.

Data controllers must be registered with the Information Commissioner’s Office (ICO) and as of 25th May 2018, a new fee system will be put in place. This replaces the requirement to ‘notify’ (or register) with the ICO, as was required under the Data Protection Act (1998). For controllers who have a current registration with the ICO, the new fee is only payable once that registration has expired. The size of the fee is dependent on the number of staff working in your practice. The Information Commissioner’s Office (ICO) has provided following resource:
The ICO also provides a very useful checklist regarding obligations of both data controllers and data processors.

This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.