GDPR - GPC - Blog 4

Blog 4

GDPR Privacy Notices


I mentioned in previous blogs the underlying ethos behind GDPR: the need to update and tighten up the protection of individuals’ data in the modern world, and how GDPR could be thought of as a strengthening of the trusty but world-weary and technologically eclipsed Data Protection Act. Well, “Privacy Notices” (PNs) are an integral part of that upgrade. Under the old DPA, DSs (data subjects) were expected to be informed about the processing that was being done to their data, but it was a good-practice thing and there was no definition of what “fair informing” actually meant; it was all a bit woolly. Under GDPR a central plank of the transparency and no-surprises agenda is the right to be informed. It’s up-front and prior notification of what you, the DC (data controller), are planning to do with your DSs’ data. It becomes a strict legal obligation and the information that you need to provide is prescribed, clearly defined, specified and itemised. There is no question, lack of clarity or debate; it’s all set out in Articles 12, 13 and 14[2] of GDPR, but this blog is your quick-fire concise bottom-line synopsis.

An important point to note: the right to be informed applies to all processing no matter what the legal basis, so even if GDPR consent (GDPR consent, you ask? That’s another story yet to be told; a blog on that is on its way) is not required, which will apply to most of what GPs do, the DSs must still be told about the processing. So, GPs may be under a legal cosh to deliver up the most intimate and sensitive data on their patients (aka HSCA?), but we still must let the patients know and explain why we’re doing what we’re doing. Obviously if GDPR consent is being used you can’t have the one without the other.

So, what’s the bottom line?

The bottom line is GDPR requires PNs to:

·       contain certain items of information,

·       be “easily accessible”,

·       be written in “clear and plain language”,

and I’m going to add, Dr Cundy says,

·       be in place by 25th May

·       and be kept up to date


The required information

You must provide the DS with information about the data you hold, what you do with it, why, who it goes to and what rights they have over it. There are slight differences between data you get directly from the DS and data about them that comes from other sources. Anyway, it’s a dry, simple, straightforward list and not easy to liven up or embellish, so I’ve ducked that and simply tacked a copy of the ICO’s very helpful table to the bottom of this blog[3].

Easily accessible

The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or by providing it as an answer to a question. Now, as I’ve bashed on about before, the new bits in GDPR are predominantly about our digital virtual world, so a lot of the accessibility stuff in GDPR is about on-line: web sites, apps, icons, symbols, pop-ups, alerts and layers of detail that can be navigated. The real world of general practice remains tangible. The official GDPR guidance on PNs recognises that different organisations have different profiles and presences, and that general practice is predominantly face to face and delivered in the real world, so for GPs we are talking:

·       staff who know the answers to simple questions about GDPR and data

·       or who can point patients to a noticeboard or practice web site

·       the aforementioned practice noticeboard

·       the aforementioned practice web site

·       a link or icon on the web site’s home page

·       that navigates to more detailed specific definitive areas and downloadable documents; aka “layering”

·       a practice waiting room reference file or pamphlets or leaflets

·       messages that appear every now and then on display screens

·       a reminder on a self-check-in

·       a notice given to newly registering patients

·       occasional messages on the spare areas on prescriptions

·       a PN attached to every Subject Access Request

·       and finally, clinical staff who quickly remind patients when referring or sharing care.

All the above are non-exclusive examples of ease of access, and it’s worth noting the official GDPR guidance has a specific example for health care that identifies a combination of only a web site and “forms in receptions” as being an example of good practice[4], so the EU bureaucrats have set the bar low. Do all the above and you’ll be Platinum standard.

Clear and plain language

Well, it doesn’t get much clearer or plainer than GDPR’s own guidance on the subject[1], which reads: “The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular the purposes of, and legal basis for, processing the personal data should be clear.”

It continues in exemplary form and with elegant simplicity: “Language qualifiers such as ‘may’, ‘might’, ‘some’, ‘often’ and ‘possible’ should also be avoided. Paragraphs and sentences should be well structured, utilising bullets and indents to signal hierarchical relationships. Writing should be in the active instead of the passive form and excess nouns should be avoided. The information provided to a data subject should not contain overly legalistic, technical or specialist language or terminology.”


A couple of other points. PNs and the information you provide for DSs must be up to date, so you’ll need to be aware of any changes and amend all your methods of informing.

Timing of notification and informing

There is a requirement for prior notification: you are supposed to provide DSs with privacy information notifications at the time of, or even before, you obtain their data, and to do so actively. “What?” I can hear you all crying, “how can we prior notify X thousand patients on the 26th May?” Don’t worry, there are exceptions. Firstly, GDPR is not retrospective, so you don’t have to re-consent patients; data disclosures and sharing that pre-date GDPR remain valid. Furthermore, the ICO has confirmed that actively providing privacy information to individuals can in some cases be met “by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it”. So, if you do that, plus the stuff offered by the GDPR WP[4] as being good practice, plus any of the things mentioned above under “Easily accessible”, you should be fine, or rather free of fines.

Simples, stuff from elsewhere

It’s pretty logical, but just for the record, you don’t have to provide notification of information the DS already has. I’m thinking hospital letters. In theory a hospital letter is “personal data (obtained) from a source other than the individual it relates to” and therefore potentially something you’d have to inform them about. What, every hospital letter? Every 111 report? Well no, because hospital letters are copied to patients, copies of discharge summaries are handed to patients and A/E departments are going to have to give patients copies of their interactions with them. So, this will be “information that they already have”. If they’ve already got it, you don’t have to give it again.

Hey, but what about this I’ve read? “If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.”

Well, I think the key here is the word “obtain”, which means: to get, acquire or secure. In short, obtaining something is an active process, you reach out and grasp it; receiving something sent to you is a passive action, it will still arrive even if you are lying flat on the floor face down with your eyes closed and hands over your ears. I am pretty sure GDPR does not intend for us busy GPs to be notifying patients about every item of uninvited drivel, sorry, data, that we receive as inbound traffic. In any event, as pointed out above, there are virtually no events in healthcare occurring outside the practice that the patient won’t be aware of, their having presumably been present.

Receiving their previous GP’s records is of course a case in point; that will be covered in terms of privacy notification by the registration process and in terms of lawfulness by Articles 6(1)(e) and 9(2)(h), so no worries there either.

If you go out and actively seek information about a patient without their prior knowledge you should normally inform them within one month. There are circumstances, however (think mental health), where, as a DC providing healthcare, you could decide not to inform the DS. If you find yourself in that situation you should record your reasons for doing so.

What about next week, month, year?


Good point. It’s not just updating privacy notification: if at any time in the future you are going to modify a data processing activity, i.e. do something new or extend the scope of a current process, you must do that active prior notification again. Issue new or amended PNs, update your web sites and train your staff about the new work.


Excellent, so what’s next?


Well, to be helpful, the BMA is in the process of producing a generic template Practice Privacy Notice (PPN); we’ll let you know when they are ready. It’s hoped they will be self-explanatory and you will be free to use them as you see fit.

And are there any others I can crib now?


Oh yes, there are hundreds of sample and actual PNs available from the web, but few are from UK NHS GPs, written by GPs. Without doubt the most comprehensive set I have found are Dr Neil Bhatia’s, found in my Dropbox. He’s given me permission to share them with you; they could scare you, it’s 119 pages! As I said, the most comprehensive set I’ve found. They are all specific to his practice so many will not be needed by other practices, but they can be cribbed, and your own name, rank and number inserted. One I’d like to bring your attention to is page 116, the one concerning “marketing” of associated services to patients; see also my Blog 5 on Texts and E-mails.

More PNs


Finally, I’ve also written a few template PNs for my own practice, which you can find amongst the template examples in my Dropbox. You are equally free to plagiarise, steal, copy, download, distribute and generally disseminate. They are separate PNs that can be cobbled together to produce your own compilation PPN. Sorry, yes, they are English, so the devolved nations will have to adapt accordingly.

All the PNs mentioned above comply with GDPR, in my opinion.

Dr Paul Cundy

GPC IT Policy Lead

30th March 2018


What information do we need to provide? (The ICO table, which covers personal data collected from individuals and personal data obtained from other sources.)

·       The name and contact details of your organisation

·       The name and contact details of your representative

·       The contact details of your data protection officer

·       The purposes of the processing

·       The lawful basis for the processing

·       The legitimate interests for the processing

·       The categories of personal data obtained

·       The recipients or categories of recipients of the personal data

·       The details of transfers of the personal data to any third countries or international organisations

·       The retention periods for the personal data

·       The rights available to individuals in respect of the processing

·       The right to withdraw consent

·       The right to lodge a complaint with a supervisory authority

·       The source of the personal data

·       The details of whether individuals are under a statutory or contractual obligation to provide the personal data

·       The details of the existence of automated decision-making, including profiling


[4] Example text box from WP29 Guidelines on transparency under Regulation 2016/679

All content and images are the copyright property of The Mid Mersey Local Medical Committee. © 2014 - 2021. All Rights Reserved.