BMA guidance

GPs as data controllers under GDPR

GP data controllers' responsibilities under the GDPR, the main themes of the legislation and ensuring compliance. The guidance should be read alongside the UK Data Protection Act 2018.

Location: UK
Audience: GPs Practice managers
Updated: Friday 28 June 2024
Topics: Ethics, GP practices
GP practice article illustration

This guidance explains GP data controllers' responsibilities under the GDPR, and sets out the main themes of the legislation and what needs to be done to ensure compliance.

 

What you'll get from this guide

  • Identifying the GDPR lawful bases for processing health data.
  • How to meet requirements for transparency and accountability.
  • How to deal with requests for confidential health data.

 

How to use this guide

The guidance should be read alongside the UK Data Protection Act 2018. It applies to both doctors working in private practice and the NHS.

 

Topics
  • What is a data controller?
  • Consent and other lawful bases for processing
  • Right to object
  • Data controller responsibilities for processing: privacy notices
  • Accountability: demonstrating compliance
  • Dealing with requests for confidential health data
  • Breach reporting
  • Subject access requests
  • Breach reporting
  • Additional concepts under GDPR