Data Protection and Health-Record Rights

Use this page for UK GDPR, Data Protection Act 2018, ICO health-data guidance, subject access, accuracy, rectification, and living-patient health-record rights.

Source-Layer Position

UK GDPR and the Data Protection Act 2018 are the baseline for living-patient personal data and special category health data. ICO guidance supports subject access, accuracy, and rectification handling for health records, including the distinction between factual inaccuracy, clinical opinion, historical entries, correction, annotation, and supplementary statements.

DSA And DPIA Source Layer

Use Data Sharing Agreement (DSA) and Data Protection Impact Assessment (DPIA) references as deployment artefact labels, not as generic compliance proof. A DSA should show the sharing parties, purposes, roles, data classes, restrictions, transparency, retention, audit, and operational responsibilities. A DPIA should show the processing purpose, lawful basis, Article 9 condition, risks, mitigations, controller/processor roles, residual-risk ownership, review date, and affected data flows.

For Health Connect, HealthShare, GP Connect, MESH, ITK3, shared-care records, portals, analytics, or AI workflows, the DSA/DPIA question is deployment-specific. The evidence must name the controller or joint-controller model, processor/subprocessor boundary, confidentiality route, Caldicott or section 251 route where relevant, subject-rights workflow, complaint route, retention/exit handling, and local operating model.

What It Supports

Area | Supported record evidence
---- | ----
Lawful processing | Lawful basis, Article 9 condition, purpose, transparency, minimisation, security, and accountability.
Subject access | Living-patient access to personal data and health information through controller procedures.
Accuracy and rectification | Correction, annotation, supplementary statements, and handling of accurate historical records.
Controller accountability | Controller/processor roles, DPIA, rights-handling process, privacy notice, retention, and security controls.

What It Does Not Prove

Data protection evidence does not by itself satisfy common law confidentiality, Caldicott, section 251, clinical professional duties, provider governance, PECR, deceased-record access, public-records transfer, or DSIC/supplier compliance.

Route Boundaries

Living-patient access is a subject-access route. Deceased-patient access uses the Access to Health Records Act 1990 or the Northern Ireland Order where applicable, and FOI/EIR is not a back-door route to personal health records.

Deployment Evidence Needed

For digital workflows, prove lawful basis, Article 9 condition, controller/processor matrix, DPIA, privacy notice, SAR procedure, rectification/annotation process, export/search workflow, retention schedule, access control, audit, and complaint handling.