If you handle information about people's healthcare and medical affairs, we've collected together the relevant guidance here.


Do we need consent to process personal data for our patient care functions? How are medical and dental records affected by the right to erasure? These are just a couple of questions we have been getting from organisations, that work with health and medical data, about the new data protection law.

Our FAQs document answers these questions and many more.

The NHS Digital Information Governance Alliance has also produced guidance and FAQs about the GDPR.

Data protection fee

If you handle personal data, you will probably need pay a fee to the ICO. If you are unsure if you need to pay you can take our quick self assessment to find out. Paying the data protection fee is a statutory requirement and every organisation that processes personal information must pay it, unless they are exempt. Failure to pay is a civil offence.

Data protection – looking after the information you hold about patients

Requests for personal information

Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.

Right to access guidance

Access Aware toolkit for health

Medical records of the deceased

Health organisations often get freedom of information requests relating to the medical records of the deceased. There are no special exemptions under the Act about the deceased, but you do need to consider whether the information is sensitive.

Health sector resources

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after.

We have created a number of resources for the sector based on findings from audits and advisory visits carried out by the ICO.

They are practical tools data protection officers, records managers and information governance specialists can use to help educate colleagues on how to ensure they are operating in line with data protection law.

Freedom of information – making public information available

 The Freedom of Information Act means that public authorities must disclose official information when people ask for it and reply within 20 working days.

If you work for a public authority, you must produce a publication scheme. This outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information.

We have provided publication schemes and definition documents in order to help you do this.

Find out about the obligations of health practitioners:

Health and safety

Some information may be exempt from release under the Freedom of Information Act if it would be likely to endanger people’s health and safety.

Data breaches in the health and care system

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after. It is important that all information governance SIRIs (Serious Incident Requiring Investigation) which occur in health, public health and adult social care services are reported at the earliest opportunity, and are handled effectively.

All health service organisations in England must now use the Data Security and Protection Incident Reporting tool (the incident reporting tool for the NHS in England). This will report SIRIs to the NHS Digital, Department of Health, ICO and other regulators. If you are signed up to the tool you should use it to report the breach. Guidance on how to use the tool is currently being updated by NHS Digital, and we will update this page when it becomes available.

Further reading