
To comply with the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulations (UK GDPR) [2], you are required to provide detailed information to the people whose data you hold in the form of a privacy notice. This should include the data that you hold about the person, where you got their data from (if not from them), the reason that you hold the data (the lawful basis), what you plan to do with the data, how long you will keep it (the data retention period) and who you share their data with. You should also make people aware that they have the right to complain to the (UK) Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data. These notices can be generic for each category of people that you hold data about (i.e. a privacy notice relevant to all patients) but must be concise and easy to understand.

The ICO provides a checklist which may help you develop a Privacy Notice for your practice.

Develop concise and easy to understand Privacy Notices (see GDPR Privacy Notice for Patients template and GDPR Privacy Notice for Staff template) for your practice which include information on:

  • the name and contact details of the practice owner
  • the name and contact details of the data protection officer
  • the personal data that you hold
  • the reason that you hold the data
  • the lawful basis for processing the personal data (see Lawful Basis)
  • what you plan to do with the data
  • who you will share the data with
  • how long you will keep the data (retention period)
  • how you intend to destroy the data after the retention period expires
  • the individual’s right to complain to the ICO if they have concerns about how you process their data.

Ensure that your practice’s Privacy Notice is suitable for your child patients or put in place a separate age-appropriate Privacy Notice for children (see Children and GDPR Privacy Notice for Children template).

Make the Privacy Notice available to all individuals whose personal data you hold.

  • Include a link to your Patient Privacy Notice on the practice’s website, if you have one, and consider displaying a copy in your waiting room.
  • Give a printed copy of your Privacy Notice to new patients.
  • Discuss the Staff Privacy Notice at a practice meeting.

Review your Privacy Notice regularly to ensure it remains accurate and up to date.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office

Templates