UK GDPR & Data Protection Act 2018
MedConsult AI - Compliance Documentation for UK Healthcare Practices
Last Updated: _________________ | Reviewed By: _________________
1. Data Protection Act 2018 Overview
The Data Protection Act 2018 (DPA 2018) is the UK's implementation of data protection law, supplementing the UK General Data Protection Regulation (UK GDPR). Together, they govern how personal data is processed within the United Kingdom.
How MedConsult AI Complies
- Processes personal data lawfully, fairly, and transparently (Principle 1)
- Collects data for specified, explicit, and legitimate purposes only (Principle 2)
- Ensures data processed is adequate, relevant, and not excessive (Principle 3)
- Maintains accurate and up-to-date records (Principle 4)
- Retains data no longer than necessary for the stated purpose (Principle 5)
- Implements appropriate technical and organisational security measures (Principle 6)
- Maintains accountability through documentation and regular review (Principle 7)
2. UK GDPR Article 9 — Special Category Data
Health data is classified as special category data under UK GDPR Article 9. Processing is prohibited unless a specific condition under Article 9(2) applies. MedConsult AI relies on the following lawful bases for processing health data:
| Lawful Basis | Article | Application |
|---|---|---|
| Explicit Consent | Art. 9(2)(a) | Patient provides explicit, informed consent for AI-assisted consultation processing |
| Health or Social Care | Art. 9(2)(h) | Processing necessary for provision of health care under responsibility of a health professional |
| Public Interest in Health | Art. 9(2)(i) | Processing necessary for ensuring high standards of quality and safety of health care |
| Substantial Public Interest | DPA 2018 Sch. 1 | Additional conditions set out in Schedule 1 of the DPA 2018 for health data processing |
An Appropriate Policy Document (APD) is maintained as required by DPA 2018 Schedule 1, Part 4 when relying on substantial public interest or health/social care conditions.
3. NHS Data Security and Protection Toolkit
The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards. MedConsult AI aligns with these standards:
| # | NDG Standard | Status |
|---|---|---|
| 1 | Personal Confidential Data — only accessed on a need-to-know basis | ☐ Met ☐ Not Met |
| 2 | Staff Responsibilities — all staff understand their data handling responsibilities | ☐ Met ☐ Not Met |
| 3 | Training — all staff complete appropriate annual data security training | ☐ Met ☐ Not Met |
| 4 | Managing Data Access — only authorised personnel can access personal data | ☐ Met ☐ Not Met |
| 5 | Process Reviews — processes are reviewed for effectiveness at least annually | ☐ Met ☐ Not Met |
| 6 | Responding to Incidents — incidents are identified, reported, and investigated | ☐ Met ☐ Not Met |
| 7 | Continuity Planning — business continuity plans are in place and tested | ☐ Met ☐ Not Met |
| 8 | Unsupported Systems — no unsupported operating systems or software in use | ☐ Met ☐ Not Met |
| 9 | IT Protection — IT systems are protected against cyber threats | ☐ Met ☐ Not Met |
| 10 | Accountable Suppliers — IT suppliers are held to account via contracts | ☐ Met ☐ Not Met |
Organisations using MedConsult AI with NHS data should complete a DSPT assessment at dsptoolkit.nhs.uk.
4. GMC Confidentiality Guidance
The General Medical Council (GMC) publishes "Confidentiality: good practice in handling patient information" which sets expectations for doctors. MedConsult AI supports compliance with GMC guidance through:
- Ensuring patients are informed about how their data will be used in AI-assisted consultations
- Providing mechanisms for patients to object to data processing
- Supporting the Caldicott Principles for sharing patient information
- Maintaining audit trails for all access to patient records
- Enabling anonymisation and pseudonymisation where appropriate
- Restricting data sharing to the minimum necessary for clinical purposes
- Supporting consent withdrawal at any point during the consultation process
5. Data Processing Agreement
Under UK GDPR Article 28, a written contract must be in place between the data controller (your practice) and data processor (MedConsult AI). The following template outlines key provisions:
Parties
Controller: _________________ (the Practice)
Processor: MedConsult AI Ltd
Subject Matter and Duration
Processing of patient health data for the purpose of AI-assisted medical consultations, for the duration of the service agreement.
Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure all personnel with access are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service contract
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller or ICO
- Not engage sub-processors without prior written authorisation
Controller Signature:
Name / Date
Processor Signature:
Name / Date
6. Data Subject Rights
Under UK GDPR, data subjects have extensive rights. MedConsult AI provides mechanisms to support practices in fulfilling these rights within the required timeframes:
| Right | Timeframe | Platform Support |
|---|---|---|
| Right of Access (SAR) | 1 month | Automated data export in structured format |
| Right to Rectification | 1 month | In-platform data correction tools |
| Right to Erasure | 1 month | Automated deletion with audit trail (subject to retention obligations) |
| Right to Restrict Processing | Without undue delay | Processing pause mechanism per patient record |
| Right to Data Portability | 1 month | Machine-readable export (JSON/CSV) |
| Right to Object | Without undue delay | Opt-out mechanism with confirmation |
| Rights related to Automated Decision-Making | N/A | Human review available for all AI-generated recommendations |
7. International Data Transfers
Following Brexit, the UK operates its own international data transfer regime under the UK GDPR. Data transfers outside the UK require appropriate safeguards:
Adequacy Decisions
The UK Secretary of State may determine that a country provides an adequate level of data protection. The EU was granted adequacy status by the UK, and the UK received a time-limited adequacy decision from the EU (bridging mechanism). The UK has also adopted its own adequacy regulations for additional countries.
Transfer Mechanisms
- UK International Data Transfer Agreement (IDTA) — replacement for Standard Contractual Clauses
- UK Addendum to EU SCCs — for use alongside EU Standard Contractual Clauses
- Binding Corporate Rules approved by the ICO
- Derogations under Article 49 UK GDPR (explicit consent, contractual necessity)
MedConsult AI Data Locations
| Service | Data Location | Transfer Mechanism |
|---|---|---|
| Application Hosting (Vercel) | EU/US | IDTA / UK Addendum |
| Database (Neon) | EU Region | Adequacy / IDTA |
| AI Processing (OpenAI) | US | IDTA / UK Addendum |
| Email (Resend) | US | IDTA / UK Addendum |
8. Data Retention
MedConsult AI aligns with the NHS Records Management Code of Practice 2021, which provides guidance on retention periods for health records:
| Record Type | Retention Period | Authority |
|---|---|---|
| GP Records (adult) | 10 years after death or departure | NHS Records Management Code |
| GP Records (children) | Until 25th birthday or 10 years after death | NHS Records Management Code |
| Hospital Records | 8 years after last attendance | NHS Records Management Code |
| Mental Health Records | 20 years after last contact or 8 years after death | NHS Records Management Code |
| Maternity Records | 25 years after birth of last child | NHS Records Management Code |
| Audit Logs | Minimum 8 years | Best practice / ICO guidance |
| Consent Records | Duration of processing + 6 years | Limitation Act 1980 |
Minimum retention for most clinical records is 8 years. Practices should implement automated retention policies and review schedules within MedConsult AI.
9. Breach Notification
Under UK GDPR Articles 33-34, personal data breaches must be reported to the Information Commissioner's Office (ICO) and, where applicable, to affected data subjects.
Notification Timeline
| Timeline | Action |
|---|---|
| Within 72 hours | Report to the ICO if the breach is likely to result in a risk to data subjects' rights and freedoms |
| Without undue delay | Notify affected data subjects if the breach is likely to result in a HIGH risk to their rights and freedoms |
| Ongoing | Document all breaches in the internal breach register, whether or not reportable to the ICO |
ICO Reporting
Report breaches online at ico.org.uk or by calling the ICO helpline: 0303 123 1113.
10. Data Protection Impact Assessment (DPIA) Template
Under UK GDPR Article 35, a DPIA is required when processing is likely to result in a high risk to individuals. Processing health data with new technologies (such as AI) will typically require a DPIA.
Step 1: Describe the Processing
Step 2: Assess Necessity and Proportionality
| Question | Answer |
|---|---|
| Is the processing necessary for the stated purpose? | ☐ Yes ☐ No |
| Is there a less intrusive alternative? | ☐ Yes ☐ No |
| Is there a lawful basis under Article 6 and Article 9? | ☐ Yes ☐ No |
| Are data subjects adequately informed? | ☐ Yes ☐ No |
| Is consent obtained and managed appropriately? | ☐ Yes ☐ No |
| Are data subject rights supported? | ☐ Yes ☐ No |
Step 3: Identify and Assess Risks
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | |
Step 4: Sign-Off
Data Protection Officer:
Signature / Date
Caldicott Guardian:
Signature / Date
This documentation is provided as a template and should be reviewed by qualified legal counsel before use in a clinical setting. MedConsult AI does not provide legal advice.