
GDPR and practice privacy notices (PPNs)

The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘practice privacy notices’.

The Information Commissioner’s Office suggests that a layered approach can be used to inform patients. A suggested approach is that practices should display a poster in the waiting room and online (so the information can be seen by those who do not attend the practice).


Privacy poster

The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.

The poster should signpost where the more detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.

Suggested example of text for a poster


Practice privacy notices

The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.

The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.

Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.

Practice privacy notice 1 – Provision of direct care

Practice privacy notice 2 – Medical research and national clinical audits

Practice privacy notice 3 – Legal requirements to share data

Practice privacy notice 4 – National screening programmes


Important note

The information contained in this document is for general guidance only and cannot be relied upon as legal advice. The BMA accepts no liability for the accuracy of the information contained herein and you should always obtain specific legal advice separately before taking any action based on the information provided herein or if you are unsure as to how to act in any situation.

