Skip to main content
I want to...

Do you process health data? Know the registration rules

By their very nature health records for patients are sensitive and it is important to get processing and storing them right. Kirsty Keogh from the Information Commissioner’s Office offers a timely reminder about the registration rules.

As the nature of working in the health sector involves gathering and storing patients’ data, there is a legal requirement to be registered with the Information Commissioner’s Office (ICO).

The ICO is the UK’s independent body set up to uphold information rights. We regulate the Data Protection Act under which individuals and organisations that process personal information must be registered, unless they are exempt.

If you are processing data for the purposes of health administration and the provision of patient care then you will not be able to rely on the exemptions and will be required to register.

If you work for an organisation you may be covered by your employer’s registration.

But if you are self-employed or have your own patients’ records which you would take with you wherever you worked, you would need your own registration. That’s because you are a data controller; the person or organisation responsible for deciding how and why personal data is processed.

Please see our FAQs on our website for further advice. And if you’re still not sure, our registration self-assessment tool will help you.

Registration is quick and easy. It takes about 15 minutes to complete the form on our website. The cost for sole traders or organisations with fewer than 250 staff is currently £35 a year.

From 25 May 2018, new legislation called the General Data Protection Regulation (GDPR) will come into force, bringing with it greater accountability for organisations that handle personal data.

When the new data protection legislation comes into effect there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee.

How much an organisation pays under the new fees model will still be based on size and turnover, but will also take into account the amount of personal data an organisation is processing.  The amount of the fee is a matter for government and we expect to know more by the end of the year.

The new fee will be payable from 1 April 2018. But for now, organisations should continue to renew their registration as usual. If you’re required to register, it’s a criminal offence not to and you could be fined.

Once we know more about the new fees, we will be telling organisations about the changes and what they need to do. Until then, it is very much business as usual.

The ICO has lots of other information aimed at the health sector including valuable resources, advice, and tools on our website

There is comprehensive advice for individuals and organisations who handle information about people’s health and medical affairs, as well as health sector resources