Privacy Notice


To comply with the General Data Protection Regulations (GDPR), you are required to provide detailed information to the people whose data you hold in the form of a privacy notice. This should include the data that you hold about the person, the reason that you hold the data (the lawful basis), what you plan to do with the data and how long you will keep it (the data retention period). You should also make people aware that they have the right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data.  These notices can be generic for each category of people that you hold data about (i.e. a privacy notice relevant to all patients) but must be concise and easy to understand.

The ICO provides a checklist which may help you develop a Privacy Notice for your practice.

Develop concise and easy to understand Privacy Notices (see GDPR Privacy Notice for Patients May 2018 template (Word) and GDPR Privacy Notice for Staff May 2018 template (Word)) for your practice which include information on:

  • the personal data that you hold;
  • the reason that you hold the data;
  • the lawful basis for processing the personal data (see Lawful Basis);
  • what you plan to do with the data;
  • who you will share the data with;
  • how long you will keep the data (retention period);
  • the individual’s right to complain to the ICO if they have concerns about how you process their data.

Make the Privacy Notice available to all individuals whose personal data you hold.

  • Include a link to your patient Privacy Notice on the practice’s website, if you have one, and consider displaying a copy in your waiting room.
  • Consider giving a printed copy of your Privacy Notice to new patients.
  • Discuss the staff Privacy Notice at a practice meeting.

This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.