NEC Birmingham |  08 - 09 October 2025

Data Protection Compliance for the Healthcare Sector

When it comes to data protection, like all organisations, those in the healthcare sector must process personal data in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

However, aside from the requirements set out in UK law, healthcare organisations that handle NHS patient data have additional obligations that they must fulfil:

The Data Security and Protection Toolkit (DSPT)

The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's ten data security standards. Completing it provides assurance that an organisation is processing personal data responsibly and practising good data security.

Any organisation accessing NHS patient data must complete the DSPT annually. Whilst it naturally applies to NHS organisations, such as Trusts and Clinical Commissioning Groups (CCGs), it also applies to many other categories of organisation across the public and private sectors. Completing the DSPT is a contractual condition of working with the NHS wherever you process or access NHS data and systems.

Normally the deadline for completing the DSPT each year is the 31st of March. This year, however, due to the ongoing impact of the COVID-19 pandemic, it has been pushed back to the 30th of June.


Caldicott Guardians

Every NHS organisation is now required to appoint a Caldicott Guardian to ensure compliance with the "Caldicott principles" when using patient data. Whilst it is not currently mandatory for social care providers and other suppliers who hold patient data to have a Guardian, it is always necessary that they understand and manage data in accordance with these principles.

Caldicott Guardians were introduced after the report by Dame Fiona Caldicott’s Committee on the Review of Patient-Identifiable Information published in 1997. Whilst originally there were only six principles, there are now eight.

Although the GDPR and the Caldicott principles share many of the same ideas, the seventh principle, "the duty to share information can be as important as the duty to protect patient confidentiality", conflicts with the GDPR, which treats patient confidentiality as paramount. It is therefore not advisable for an organisation's DPO to also take on the role of Caldicott Guardian, because of the potential for conflicts of interest to arise. To mitigate this, organisations may want to consider outsourcing one, or both, of these roles.


If you would like further information on how The DPO Centre can act as your appointed Caldicott Guardian or assist with your DSPT submission, please visit our website.
