If you handle information about people's health and medical affairs, we've collected together the relevant guidance here.

Last updated 25 April 2017: Added new health sector resources.

Data protection – looking after the information you hold about patients

If you handle and store information about identifiable, living people – for example, about patients – you are legally obliged to protect that information.

Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Requests for personal information

Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.

Subject access code of practice

Access Aware toolkit for health

Accessing and sharing information: acting on behalf of a person with dementia, Alzheimer's Society website

Medical records of the deceased

Health organisations often receive freedom of information requests relating to the medical records of the deceased. There are no special exemptions under the Act for information about the deceased, but you do need to consider whether the information is sensitive.

Health sector resources

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after.

We have created a number of resources for the sector based on findings from audits and advisory visits carried out by the ICO.

They are practical tools that data protection officers, records managers and information governance specialists can use to help educate colleagues on how to ensure they are operating in line with the Data Protection Act.

Freedom of information – making public information available

The Freedom of Information Act means that public authorities must disclose official information when people ask for it, and must reply within 20 working days.

If you work for a public authority, you must produce a publication scheme. This outlines the information you will routinely make available to the public – such as minutes of meetings, annual reports or financial information.

We have provided publication schemes and definition documents in order to help you do this.

Find out about the obligations of health practitioners:

Health and safety

Some information may be exempt from release under the Freedom of Information Act if it would be likely to endanger people’s health and safety.

Audits, advisory visits and overview reports

See the latest reports detailing some of the good practice and areas for improvement we have seen in both the NHS and the health sector at large.

See the latest monetary penalties, enforcement notices, undertakings and prosecutions we have issued in the health sector.

Data breaches in the health and care system

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after. It is important that all IG SIRIs (Serious Incidents Requiring Investigation) that occur in health, public health and adult social care services are reported at the earliest opportunity and are handled effectively.

All health service organisations in England must now use the IG Toolkit Incident Reporting Tool. This reports IG SIRIs to NHS Digital, the Department of Health, the ICO and other regulators.

Health service bodies in Scotland, Wales and Northern Ireland should submit a report to the ICO using our Security breach notification form.

Further reading