Healthcare GDPR and Cybersecurity FAQ: Patient Data, Breaches and ICO Obligations

UK GDPR applies to every healthcare provider that processes patient data, from large NHS trusts to single-GP practices and private aesthetic clinics. The tension between clinical need for data and data protection obligations produces the same questions again and again. This FAQ gives practical answers to the most common of them.

The ICO received over 6,800 healthcare data breach reports in 2023 — most triggered by incidents that could have been prevented with basic process controls.

Healthcare GDPR Frequently Asked Questions

When must a healthcare data breach be reported to the ICO?

Any personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it (UK GDPR Article 33). The 72 hours run continuously, including weekends and bank holidays. The legal threshold is the same for all personal data, but because health data is special category data a breach involving it will meet that threshold far more readily, so even small incidents (a letter sent to the wrong patient, a misdirected email, a lost unencrypted device) should be assessed against it. If in doubt, report. Where the full facts are not yet known, report what you have and supply the rest in phases; Article 33 expressly permits this. Every breach, reported or not, must be recorded internally with the facts, its effects and the remedial action taken, because the ICO can ask to see that record. Late reporting or failure to report is an aggravating factor in ICO investigations.

Do we need to notify patients about a data breach?

Yes, where the breach is likely to result in a high risk to patients' rights and freedoms (UK GDPR Article 34), for example where sensitive health data has been accessed by an unauthorised person or disclosed to the wrong recipient. Notification must be made without undue delay, in clear and plain language, and must describe what happened and what data was involved, give a contact point (normally the Data Protection Officer), explain the likely consequences, and set out the measures taken and the steps patients can take to protect themselves. Notification is not required where the data was protected by measures such as strong encryption that render it unintelligible to whoever obtained it, or where subsequent measures have removed the high risk; in either case the reasoning should be documented. The ICO can require patient notification if an organisation fails to act.

What is the lawful basis for processing patient health data?

Processing health data needs both an Article 6 lawful basis and an Article 9 condition, because health data is special category data. For NHS and social care providers the Article 9 condition is normally Article 9(2)(h): processing necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. Under Article 9(3) this condition is only available where the data is processed by, or under the responsibility of, someone bound by a professional or statutory duty of confidentiality, and in the UK it must also meet the corresponding health or social care condition in Schedule 1 to the Data Protection Act 2018. For NHS organisations the Article 6 basis is usually Article 6(1)(e) (public task); private healthcare providers typically pair Article 9(2)(h) with Article 6(1)(b) (contract). Consent is generally the wrong basis for direct care: it can be withdrawn at any time, and care would be provided regardless. Satisfying UK GDPR does not discharge the common law duty of confidentiality, which applies to patient information separately. Secondary uses of patient data (research, audit, marketing) need their own conditions, and marketing in particular will normally require explicit consent, so take advice before relying on the direct-care basis for anything beyond care.

Can we share patient data with third-party suppliers?

Yes, provided the supplier is engaged under a Data Processing Agreement (DPA) that meets UK GDPR Article 28. The DPA must set out the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and must bind the processor to act only on your documented instructions, keep the data confidential, implement appropriate security measures, obtain your authorisation before using sub-processors, assist you with data subject requests and breach handling, notify you of any breach without undue delay (your 72-hour clock for reporting to the ICO runs from when you become aware, so this clause matters), delete or return the data at the end of the contract, and submit to audit. You must also satisfy yourself before engagement that the processor gives sufficient guarantees about its security; for high-risk processing, asking for Cyber Essentials Plus or ISO 27001 certification is a proportionate starting point, but a certificate is evidence, not a substitute for checking that its scope actually covers the service you are buying. If the processor or any sub-processor is outside the UK, an international transfer mechanism is needed as well. You remain the data controller and are accountable for what your processors do with patient data.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
