The UK General Data Protection Regulation (UK GDPR) is a UK law that took effect on 01 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK.   It is a law that determines how your personal data is processed and kept safe, and the legal rights you have regarding your data. 

What GDPR means for patients

The GDPR sets out the key principles we apply when processing personal data, for staff or patients:

• Data must be processed lawfully, fairly and transparently
• It must be collected for specific, explicit and legitimate purposes
• It must be limited to what is necessary for the purposes for which it is processed
• Information must be accurate and kept up to date
• Data must be kept securely
• It can only be retained for as long as it necessary for the reasons it was collected.

There are also stronger rights for patients regarding the information we hold about them. These include:

• Being informed about how their data is used
• Having access to their own data
• Asking to have incorrect information changed
• Restricting how their data is used
• Moving their data from one health organisation to another
• Having the right to object to their patient information being processed (in certain circumstances).

To learn more, please read our Privacy Notice, or download and view our GDPR Patient Information Leaflet here.