The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Good information handling provides a range of benefits as well as helping you to comply with the Data Protection and Freedom of Information Acts. Our information rights checklist (pdf) lists the benefits and risks, along with practical suggestions for how to be open and responsible.

Earlier this year, the NHS Commissioning Board (NHS England) announced plans to introduce a new system for collecting and analysing data called

In October we received an updated plan from NHS England which confirms that the data extraction for the system will not begin until spring 2014. Further guidance has been provided by NHS England to GPs to enable them to more clearly understand the process and to ensure they are fully aware of their fair processing obligations under the Data Protection Act.

We've also written some FAQs for GPs in relation to the fair processing requirements of the Data Protection Act.

Changes to the health and care system

On 1 April 2013 there were significant changes in the NHS. We've written some FAQs for bodies involved in the transition to process the information they hold in accordance with the Data Protection Act and the Freedom of Information Act.

Data protection – looking after the information you hold about patients

If you handle and store information about identifiable, living people – for example, about patients – you are legally obliged to protect that information.

Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Find out more about your data protection obligations.

Requests for personal information

Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.

Data breaches in the health and care system

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after. It is important that all IG SIRIs (Serious Incidents Requiring Investigation) that occur in health, public health and adult social care services are reported at the earliest opportunity and handled effectively.

All health service organisations in England must now use the IG Toolkit Incident Reporting Tool. This will report IG SIRIs to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators. Health service bodies in Scotland, Wales and Northern Ireland should submit a report to the ICO using our Security breach notification form.

Registering with the ICO

If you handle personal information, you may need to register with us as a data controller. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence.

Find out if you need to register.


As an employer, you are obliged to protect your employees’ personal information.


We've published two reports detailing some of the good practice and areas for improvement we have seen in both the NHS and the health sector at large.

Advisory visits

We’ve published a report highlighting some areas of good practice and potential improvement for GP practices.

General practitioners and primary healthcare providers – Outcomes from advisory visits (pdf)

Freedom of information – making public information available

The Freedom of Information Act means that public authorities must disclose official information when people ask for it (unless there is a good legal reason not to), and they must reply within 20 working days. Find out more about your freedom of information obligations.

If you work for a public authority, the Freedom of Information Act says you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information. To help you do this, we have produced definition documents.

Find out about the obligations of health practitioners:

Medical records of the deceased

Health organisations often get freedom of information requests relating to the medical records of the deceased. There are no special exemptions under the Act about the deceased, but you do need to consider whether the information is sensitive.

Health and safety

Some information may be exempt from release under the Freedom of Information Act if it would be likely to endanger people’s health and safety.

Freedom of information: health and safety (pdf)

Training materials

Our training page has videos and practical toolkits to help you promote good data protection practice in your own organisation.