UK GDPR: data subjects' rights

GDPR makes data subjects' rights much more explicit. Here we explain your obligations.

Since Brexit, EU GDPR provisions have been incorporated directly into UK law as the UK GDPR. The Data Protection Act 2018 sets out the data protection framework in the UK, alongside the UK GDPR.

Your obligations to data subjects are summarised in the following eight rights.

1: The right to be informed

UK GDPR sets out the information that practices need to supply to data subjects - ie, patients. This could be done by displaying a privacy notice (for example, in the practice and on the website) with the following information:

  • the identity and contact details of the data controller, and the data protection officer where relevant
  • the processing purpose and the legal basis for it
  • any recipient of data or categories of recipients
  • the existence of the data subject rights
  • the right to withdraw consent at any time
  • the right to lodge a complaint with the supervisory body, the Information Commissioner's office (ICO)
  • retention periods
  • the existence of automated decision-making, including profiling and information about how decisions are made, their significance and consequences
  • details of transfers to countries outside the EU and safeguards.

The information should be concise, transparent and easily accessible. It should be written in clear and plain language, particularly if meant to be read by a child.

The GDC's Standards for the Dental Team includes the following:

"4.2.5 You must explain to patients the circumstances in which you may need to share information with others involved in their healthcare. This includes making sure that they understand:

  • what information you will be releasing;
  • why you will be releasing it; and
  • the likely consequences of you releasing the information.

"You must give your patients the opportunity to withhold their permission to share information in this way unless exceptional circumstances apply. You must record in your patient's notes whether or not they gave their permission."

"4.2.6 If a patient allows you to share information about them, you should ensure that anyone you share it with understands that it is confidential."

Most patients will understand and expect information to be shared within the direct care team, which includes administrative staff. If patients object to any or all of their information being shared, you should respect this decision - unless disclosure is in the public interest or is of overall benefit to a patient who lacks capacity.

2: The right of access

Information must be given to patients without delay, and at the latest within one month of the request.

This can be extended by a further two months if requests are complex or numerous. If you need an extension, you'll need to tell the patient why within one month.

Under UK GDPR, patients cannot be charged for subject access requests unless the request is 'manifestly unfounded or excessive'. You could then charge a 'reasonable fee' based on the administrative costs of providing the information. The Information Commissioner's office (ICO) provides guidance explaining what to consider when determining if a request is manifestly unfounded or excessive.

If the request is unfounded or excessive you can refuse to act on it, but you must explain this to patients and tell them of their right to complain to the ICO and to seek judicial remedy.

3: The right to rectification

Data subjects have the right to correct data if it is inaccurate or incomplete. You must respond to such requests within a month and inform any third parties with whom you have shared data, if possible. The one-month period may be extended by a further two months when the request is complex.

A clinical opinion is not inaccurate data, even if it later turns out not to have been correct. You are not required to remove clinical opinions but can allow the patient to add a note to the records to indicate they disagree with the opinion.

If you refuse a request for rectification, you must explain why to the patient and tell them of their right to complain to the ICO and to seek a judicial remedy.

4: The right to erasure: the right to be forgotten

This allows an individual to request removal or deletion of personal data where (for example) the data is no longer necessary for the purpose it was collected.

You can refuse to comply with a request for erasure of records if processing is necessary:

  • in the public interest
  • in the exercise of official authority vested in the controller, for health or social care purposes
  • for public health purposes in the public interest.

These are the legal bases for most NHS processing (see below) and it is unlikely the right to erasure will apply to health records that need to be maintained.

5: The right to restrict processing

Individuals can request that you stop processing their data for the following reasons, including if:

  • the data's accuracy is contested by the individual for a period while the controller verifies its accuracy
  • processing is unlawful and the data subject opposes erasure and requests restriction instead
  • the data controller no longer needs the data but the subject needs it to establish, exercise, or defend legal claims
  • the data subject has objected to the data processing necessary to perform a public interest task or purpose of legitimate interests and you are considering whether your organisation's legitimate grounds override those of the individual.

This means you can store the personal data, but not process it further. You will need to establish procedures to receive and assess requests to restrict processing. You should discuss with your systems provider how to do this technically; for example, by removing access to the whole or part of a record, prevention of changes or deletion of the data.

You will need to inform the data subject when you decide to lift a restriction on processing.

6: The right to data portability

This allows individuals to obtain and reuse their data across different services. Data must be provided in a structured, commonly used and machine-readable format.

The right only applies to the following data:

  • personal data provided by an individual…
  • …where the legal processing is based on consent, or for the performance of a contract, and
  • where processing is automated.

The information must be provided free of charge within one month.

7: The right to object

Data subjects have a right to object to you processing their data even if you believe it is legitimate to do so. The grounds for their objection must relate to their particular situation.

Controllers must stop processing the data unless they can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the individual (such as performing a task in the public interest or exercise of official authority); or the processing is for the establishment, exercise or defence of a legal claim.

8: Rights related to automated decision-making and profiling

Individuals have the right not to be subject to a decision based on automated processing that results in a legal effect on them or significantly affects them in some other way.

The GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, particularly to analyse or predict certain things, including health.

Automated decisions can be made with or without profiling and profiling can take place without making an automated decision.

Lawful basis for data processing

There must be a 'lawful basis' for processing personal data. You should document and be able to justify your decision. UK GPDR sets out a number of lawful bases for processing and there is detailed guidance on the ICO's website on this complex area.

There are a further requirements to process special category data (including health data). You will need to have a lawful basis for general processing and in addition, you will need to satisfy one of the specific conditions for processing health data.

Although it is very important to tell patients how their data will be used, consent is only one of the lawful bases for processing data and is not usually the most appropriate one for processing data used for direct clinical care.

Consent as a basis for processing under GDPR has very specific requirements. In particular, data must not be processed once consent is withdrawn, if that is the chosen lawful basis on which a data controller is relying to process data.

That can be problematic in a healthcare context, where there may be an obligation to retain records for a given period, or where a practitioner can't agree to delete accurate information from a clinical record just because the patient would prefer it not to be included.

Most health and social care organisations need to establish a lawful basis derived from Article 6 (of the GDPR). Specific provisions are relevant to private practices and practices providing NHS care.

When it comes to private practices

  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract - Article 6(1)(b).

Private practices may be able to rely on this as the lawful basis if they need to process someone's personal data to fulfil their contractual obligations to them.

Relevant provisions for practices providing NHS care are:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller - Article 6(1)(e).

Practices providing NHS care may be able to rely on this lawful basis, which may apply to the processing of personal data in the delivery of publicly funded direct care and providers' administrative purposes.

  • Processing is necessary for compliance with a legal obligation - Article 6(1)(c).

Practices providing NHS care can rely on this lawful basis if they need to process the personal data to comply with a common law or statutory (as opposed to a contractual) obligation. An example of this would be NHS Regulations.

As health data and social care data is 'special category data', you must also establish a condition from Article 9 for lawful processing. Most commonly, health and social care organisations can use Article 9(2)(h):

  • Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of UK law or a contract with a health professional.

Remember that you will need to rely on a lawful basis for carrying out your processing and you will also need to satisfy a special condition in order to process health data.

Useful link

Individual rights | ICO

This page was correct at publication on 19/08/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.