The Impact of GDPR on Private Practice

Incision Indemnity
Surgeons
4th September 2020

On the 25th May 2018 the General Data Protection Regulation (“GDPR”) came into force. This was a significant development for the way that we all process and deal with data in our professional lives. The new, stricter requirements obliged many surgeons and doctors to review their data handling procedures and implement changes, and hopefully most surgeons and doctors are now familiar with the requirements on them.

However, even now, over two years later, it is not uncommon for surgeons or doctors to inadvertently have a data protection problem, or at least to find themselves unsure about whether a data protection question has arisen. It is therefore worthwhile for all surgeons and doctors to refresh their memory of the requirements, and to reconsider whether there is anything more to be done to ensure data compliance. The ICO has published information for healthcare professionals at, including further guidance and resources for use in healthcare practice.

Here is a summary of some particular issues that have affected some Incision members recently, by way of food for thought about situations where surgeons and doctors need to be alert to potential data problems.

How long to store patient records

The Incision helpline commonly receives questions from Members about the correct length of retention of patient records and how these records are stored.

The publicity around GDPR and the Data Protection Act 2018 seems to have contributed to some uncertainty amongst surgeons and doctors. One of the GDPR principles is data minimisation, which includes the requirement that data should be stored for no longer than is necessary. This means that it is not acceptable to keep all records indefinitely, even if the cost of doing so were manageable.

However, this GDPR principle does not affect the long-standing requirement on medical professionals to retain medical records for a specified period – a minimum of eight years, and often longer for particular groups of patients such as children.  All surgeons and doctors need to retain their records for at least that period.

Also, patient records often prove crucial in defending any claims for negligence, with many serving as a starting point for recollections of treatment and/or as evidence that the treatment provided was not negligent. Destroying records prematurely could limit the effectiveness of any defence to future claims.

We don’t know of any official guidance about whether the Coronavirus Lockdown means that medical records should be stored for longer. However, it is clear that there has been extensive disruption to medical care across most specialties, with swathes of surgery being postponed for long periods. It is also clear that many claimant solicitors were significantly affected by Lockdown and had difficulty progressing claims that were already in the pipeline or were about to start. It is therefore possible that records may be needed for somewhat longer than they would be in normal times. We would suggest that it would be prudent to pause any data destruction activities, for a few months at the very least. For example, if you have records that are now eight years old that you would usually have securely destroyed, it would probably be prudent to keep those records for a further six months at least, and then review matters again at that stage.

Mass Emails and other Mass Mailings

Surgeons and doctors sometimes send out mass emails or other mass mailings. Sometimes this is essentially marketing – perhaps raising awareness of an offer or opportunity. Other examples include information such as changes of clinic address or contact details. It may be that Coronavirus has prompted more mass mailing than usual. Many surgeons and doctors will have had to send out mass emails or other mailings to patients to provide essential information about changes to their practice – everything from remote treatment options, to changes to whether and, if so, how in-person consultations can happen, to Coronavirus safety measures for when they do happen. Even once the emergency is over, some surgeons or doctors may find that they need to engage in more marketing to rebuild their practices after the interruption of Coronavirus.

Under the GDPR, in order to process a person’s personal data, a controller of personal data must have a “lawful basis” on which to do so. Therefore, in order to avoid inadvertent data breaches, the surgeon or doctor must carefully consider the basis on which they are sending the mass communication, including whether they have each patient’s consent for their data to be used for that purpose.

To take marketing communications as an example, under GDPR it is acceptable to send marketing emails on the basis of “consent” or “legitimate interests”. If you have a record of the patient’s agreement that you could contact them for marketing purposes, then that is sufficient. But if you do not, the position is more complicated. For example, if you were contacting a former patient from a long time ago, it is unlikely that the patient (the data subject) would reasonably expect to receive marketing material after a lengthy period. Sending the marketing email could, therefore, be a violation of the GDPR. As a controller of personal data, this could expose you to the risk of a financial penalty imposed by the ICO.

By contrast, if you are sending a mass mailer that does not contain any personally identifiable details of any patient, strictly to a group of existing patients who are still under your care, to inform them about something relevant to their care with you (such as updated Covid-19 safety measures), then this would likely be acceptable under GDPR. Having said that, it is still important to be vigilant: if any of those patients responds to the mass mailer with a request relating to your communications with them, particularly a request that you cease contacting them or change those communications, then you and your administrators need to make sure that all such requests are complied with.

What about my medical indemnity insurance?

If you find that some patient records or data have been lost, damaged or even stolen, or if anyone alleges that you have breached your obligations to retain patient records, or your data protection obligations in relation to mass mailings or anything else, you should contact the medico-legal helpline straight away. Incision’s expert medico-legal advisers will give you guidance on what to do next, including assisting you with notifying your insurers to protect your interests. If it transpires that you need specialist or detailed advice on data protection as it applies to your practice, Incision works closely with specialist lawyers who advise on data protection matters and who can assist (although it may be necessary for them to charge fees for that advice).

September 2020