UK GDPR rules for private practice apply as soon as you hold names, contact details, health information, or session notes. This guide is practical, not legal advice. It is for physiotherapists, psychologists, counsellors, nutritionists, osteopaths, chiropractors, speech therapists, occupational therapists, and anyone running a solo healthcare practice who processes client data.

For record-keeping workflow, see how to manage client records as a solo practitioner. For setup including ICO, read how to start a private practice in the UK. If you use software to store data, best tools for running a private practice covers data location and DPAs.

GDPR basics for healthcare practitioners

UK GDPR still governs personal data after Brexit. Health data is special category data, so you need both a lawful basis under Article 6 and a condition under Article 9 for processing. Transparency, data minimisation, and security are central. You are usually the data controller for your client list and notes; your email provider or practice platform may be a processor if they store data on your behalf.

A privacy notice tells clients what you do with their data. It should match reality. If you automate intake or reminders, say so. If you use subprocessors in another country, say so at an appropriate level of detail.

When to register with the ICO

Most sole practitioners who process personal data for their practice must pay the ICO fee unless a specific exemption applies. The ICO self-assessment walks you through it. Registration is annual. Keep the certificate where you can find it; some panels or landlords ask for it.

Registration is not the same as compliance. It is one visible part of accountability. You still need appropriate technical and organisational measures, retention rules, and a process for subject access requests.

Storing client records securely

One place per client beats scattered email and downloads. Access controls, strong passwords, and device encryption reduce risk. Paper records need locked storage. Digital records need backup but also a clear master location so you are not holding duplicate conflicting versions.

Processors should offer a Data Processing Agreement. Check where data is stored and whether that fits your risk assessment. Our guide on sending intake forms automatically ties consent and storage to booking flow.

Sending client documents safely

Standard email is generally not treated as secure enough for clinical content. Portals, encrypted messaging, or tools covered by your arrangements are safer. If a client insists on email, minimise what you send and document the risk. Wrong-address sends are a common breach; double-check recipients before sensitive attachments.

Large file transfers may need a secure link with expiry rather than a permanent shared folder open to the world.

Common GDPR mistakes

  • Holding everything forever instead of following retention and secure disposal.
  • Using personal email or consumer cloud without assessing security and processor terms.
  • Privacy notice copied from a template that does not match how you work.
  • No process for subject access requests until the first request arrives.
  • Assuming employer or clinic policies cover your private side work without checking.

This article is general guidance only. For certainty on your processing, use ICO guidance or a qualified adviser.

FAQ

Do I need to register with the ICO for a solo private practice?

If you process personal data as a controller and no exemption applies, you usually need to pay the ICO data protection fee. Health data is special category data; most sole practitioners holding client details or notes are processing personal data. Use the ICO self-assessment to confirm.

What is the lawful basis for holding therapy or clinical notes?

Legitimate interests and contract can apply for some processing; health data often needs explicit consent or another Article 9 condition. Your privacy notice should state what you rely on. This is not legal advice; use ICO guidance or a qualified adviser for your scenario.

Can I send client documents by email?

Standard email is generally not treated as secure enough for clinical content. Use encrypted channels, a portal, or arrangements your insurer and body accept. If you must email, minimise what you send and consider password-protected files with a separate channel for the password.

How long can I keep client records under GDPR?

GDPR requires storage limited to what is necessary. Retention length is often set by your professional body or regulator. After retention ends, delete or destroy securely. Keeping everything forever is not data minimisation.

What should a privacy notice include?

What you collect, why, how long you keep it, who you share it with, and client rights including access and complaint. It should match what you actually do. If you use processors such as practice software, name them at a sensible level of detail.

What counts as a GDPR breach in private practice?

Accidental loss, unauthorised access, or sending data to the wrong person can be breaches. You may need to notify the ICO within 72 hours if risk to rights and freedoms is likely. Have a simple incident checklist and know who to contact at your insurer.
