
A Dose of Privacy? The Impact of GDPR on the NHS


About The Author

Ceylan Simsek (Regular Writer)

Ceylan Simsek is a law school graduate whose main area of interest is medical law and international law. Alongside her studies, she has obtained certifications from Stanford University School of Medicine on overprescription of antibiotics and unconscious bias in medicine. She works at Medical Protection Society, the world's leading medical defence organisation for medical, dental and healthcare professionals. Outside of law, she enjoys learning new languages and, in order to combat her fear of heights, rock climbing.


You have to fight for your privacy or you lose it.

Eric Schmidt

Following the highly publicised Cambridge Analytica scandal, which allegedly saw the covert use of the data of Facebook users in an attempt to influence the outcome of vitally important political events, such as the Brexit referendum, there could not have been a more appropriate time for the implementation of new legislation governing privacy and data protection.

The European Union’s new General Data Protection Regulation (the GDPR) – which came into effect on 25 May 2018 – does away with the previous European Data Privacy Directive that was implemented into UK law by the Data Protection Act 1998. As the GDPR has been imported into UK law by the Data Protection Act 2018, the regime which it sets out – examined in detail for Keep Calm Talk Law by Aydeniz Baytaş – will remain applicable in the UK post-Brexit.

The GDPR applies not only to private commercial organisations, but also to public entities: as Article 4(7) of the GDPR confirms, it imposes obligations on any person – whether they be a natural person, a company or a public body – who decides how and when personal data is processed. It is therefore no surprise that the implementation of the GDPR will pose considerable challenges to the UK’s flagship health service system, the NHS, which is the fifth largest employer in the world.

Indeed, this article examines how a selection of the new rules that the GDPR introduces will impact on the NHS, and seeks to answer the crucial question of whether the new regime will be a burden or benefit for the healthcare sector.

What Obligations Will Impact the NHS?

Widely Applicable Administrative Obligations

A vast array of new obligations contained within the GDPR will impact the NHS in the same way that they impact upon any other organisation that processes data. As such, the NHS will have to – as required by Article 32(1) of the GDPR – implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the processing they are carrying out.

Other similar administrative obligations include that under Article 37(1) of the GDPR, which requires organisations carrying out a public function (or, indeed, those whose processing involves regular and systematic monitoring of data subjects on a large scale) to appoint a Data Protection Officer, whose duties (according to Article 39 of the GDPR) will be to monitor compliance with the GDPR and to inform and advise data controllers of their obligations. They must have adequate resources and standing within the organisation to do this.

An obligation that may prove particularly cumbersome for the NHS, given its size, stems from the new accountability principles set out in Article 5(2) of the GDPR. As Article 30(1)(3) of the GDPR explains, this will require the NHS to produce written records of processing activities that describe, among other things, the purposes of the processing, descriptions of the categories of data subjects and personal data, and the envisaged time limits for erasure of the different categories of data.

Patients and The Right of Erasure

Article 17 of the GDPR provides persons with a right to be forgotten in limited circumstances. This allows persons to request that an organisation which is, or has been, processing their personal data erase it without undue delay where they withdraw their consent, where the data collected is no longer relevant to the original purposes for processing, or where there is no legitimate ground for keeping the data.

The concept of a right to be forgotten is not a completely novel idea in European law. As Chris Bridge has documented for Keep Calm Talk Law, the European Court of Justice in Google Spain v AEPD [2014] – though not explicitly granting a general right to be forgotten – placed an obligation on search engines to consider requests from individuals to remove links to web pages in certain circumstances.

For present purposes, the crucial aspect of the decision in Google Spain v AEPD [2014] is the practical consequences that it had for search engines which can now be applied by analogy to the new right set out in Article 17 of the GDPR. In this respect, the economic ramifications that the decision in Google Spain v AEPD [2014] had for search engines look set to apply equally to the NHS. Thus, channelling Chris Bridges’s analysis for Keep Calm Talk Law, the NHS must be prepared to recognise that:

From a business perspective, investigating and honouring these requests is going to be extremely resource intensive [and that] economics should never take precedence over a person’s right to privacy and data protection.

However, the extent to which legitimate requests that require the NHS to take action under Article 17 of the GDPR might arise is yet to be seen. Even where a patient or employee – on making an erasure request – withdraws their consent, it is clearly open to the NHS to argue that its processing of that personal data remains relevant to the original purposes or that there is a legitimate ground for keeping the data.

For example, in the context of patients, it is arguable that the retention of a patient’s data may aid the NHS to plan the way in which it funds certain departments or invests in certain equipment or employees for certain geographical locations. Given the public interest in ensuring that a particular NHS Trust can respond to the demands of the citizens living within its purview, this could surely constitute a legitimate ground for keeping the data.

In fact, this line of argument is explicitly recognised by the GDPR: though Article 9(1) of the GDPR prohibits the processing of personal data concerning – among other things – health, one of the exceptions to this prohibition contained in Article 9(2) of the GDPR permits the processing of such personal data where it is:

[N]ecessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

That said, some have argued that it is in the NHS’s interest to be more open to accommodating requests by patients under Article 17 of the GDPR, particularly following recent data breaches. For example, Michael Geary – co-founder and CEO of Consentz – has suggested that honouring the right to be forgotten constitutes:

[A] great opportunity to reset relationships and build trust between companies, staff and customers or patients.

NHS Employees and the Lawful Bases for Processing

The NHS has an employee headcount that totals over 1.5 million people. With the GDPR regime applying to these individuals, as well as to patients, it is clear that significant time and investment is needed to ensure systems are in place for meeting obligations in relation to these persons. One issue that could face the NHS in relation to its employees stems from the GDPR’s changes to how organisations can gather consent for processing.

Under the DPA 1998, organisations could only process personal data when they had a ‘lawful basis’ to do so. As set out in Schedule 2 of the DPA 1998, this included where the individual had given their consent to the processing, where the processing was necessary for the performance of a contract to which the data subject is a party, or for the exercise of any other functions of a public nature exercised in the public interest by any person. Thus, in order to ensure that it had a lawful basis for processing, the NHS relied heavily on standard consent provisions contained in employment contracts that – in theory – covered at least two of those conditions.

Under the GDPR, organisations still require a ‘lawful basis’ to process data. The potential lawful bases that can be relied upon, as set out in Article 6(1) of the GDPR, are consent, contract, legal obligation, vital interests, public interest and legitimate interests.

Though it seems that the bases under the past and new regimes overlap, the regulator’s consent guidance is clear that consent will very rarely be valid in an employer-employee context due to the clear imbalance of power that exists in that relationship. The NHS will therefore likely need to revise any and all of its employment contracts that include those standard consent provisions.

Effectively Responding to Emergencies

In practical terms, certain 21st Century developments in the provision of healthcare services may make it difficult to implement the requirements of the GDPR in relation to all personal data concerning health. For example, it has been reported that many doctors are increasingly using WhatsApp in order to discuss patients, mostly in the face of major incidents, in order to operate more efficiently and quickly. This is undeniably the quickest way to reach out to an entire team when seeking to provide care in an intense working environment.

An example of this was illustrated during the Grenfell Tower tragedy that occurred in June 2017. Here, Dr Helgi Johannsson – a consultant anaesthetist at St. Mary’s Hospital – set up a WhatsApp group among the doctors, which proved to be an invaluable method of coordinating and communicating the emergency response. But Dr Johannsson’s call for the NHS to ‘take the opportunities that this kind of technology offers and incorporate it into our everyday practice’ might no longer be feasible in light of the GDPR rules.

Take, for example, the new requirement placed on organisations by Article 35(7) of the GDPR to carry out a comprehensive ‘data protection impact assessment’ when making a change to the way in which data is processed that can be classed as high-risk. Changing from the NHS’s regular methods of sharing data to more informal systems like WhatsApp could be considered high-risk, particularly given that the information being shared is likely to be sensitive. However, the need for a ‘data protection impact assessment’ could hamper and delay this ingenious solution to communications problems in emergency cases that require major coordinated efforts, like the Grenfell Tower response.

Conclusion: Is the NHS Prepared for the GDPR?

The net expenditure of the NHS is predicted to reach a record £126.269 billion for the 2018/2019 financial year. These rising costs, in an era of austerity and tight fiscal budgeting, have pushed the NHS towards a financial crisis that is widely considered to be one of the biggest political challenges of the modern age.

With the NHS needing to meet and prepare for the significant obligations prescribed by the GDPR regime, it is clear that the NHS will be placed under further financial strain as it attempts to comply with the new regime. Research published in April 2018 discovered that across the 46 different NHS Trusts surveyed (there are 217 NHS Trusts in total), a total of over £1 million had been spent on the development of systems to try to ensure GDPR compliance.

However, it is clear that – for all the pressures that it may initially place on the NHS – the GDPR should be considered a welcome development, not just for NHS patients and employees, but also for the NHS as an organisation in itself. The new regime should help to build trust between all parties, help tighten security in an age where sensitive material like medical records is a prime target for hackers, and may even see the NHS develop new and efficient ways to use personal data to provide a better service for everyone.
