This site uses cookies.

Practical steps for complying with GDPR - Dr Mark Burgin

19/02/19. Dr. Mark Burgin BM BCh (oxon) MRCGP explains why complying with the information commissioner office will assist compliance with the GDPR andThe Data Protection Act 2018.

The Data Protection Act 2018 (DPA 2018) is 354 pages of thrilling reading that is designed to help even the most hardened lawyer with any sleep problems.

Much appears to be matters of principle rather than practice and for doctors the key feature is that the price of providing copies of medical records has fallen to zero.

The use of encryption is recognised as important particularly when transferring medical data but should only be a back up to a more secure system.

It is unreasonable to suggest that processors delete individual cases as they reach a pre-determined time threshold on the grounds of proportionality.

The GDPR is designed to provide a common-sense basis for data processing by not trying to provide a one size fits all approach for data handling.

Retrieving data

Where data is passed along a chain all parties in that chain must retain copies of any data that they may have to retrieve even if they have sent the data to someone else.

Where solicitors send medical records to the agency (MRO) both must be able to retrieve those records until they are no longer required.

It is no defence to say that the expert was expected to return the paper records once they have used them as the MRO has a separate registration with the ICO.

In practice the solicitor will send the paper records to the agency for the agency to scan and transfer the scan and store the scan before securely shredding the paper records.

This ensures that all those who need to process the data can do so without having to risk further posting of paper records which by their nature cannot be encrypted.

Transferring data

Transferring data by email is reasonably secure and it is generally not necessary to encrypt data such as instruction letters or medical records.

There are two major exceptions to this rule, first where the email supplier does not have the latest security and second where the size of the file exceeds the maximum size.

There are many secure server file transfer services that allow large files (for instance x-ray Diacom files) to be uploaded to a secure server and the recipient to download the file.

These transfers can be controlled by time limiting the link, password protecting the link or ensuring that the link is sent safely to the recipient.

The systems used to transfer data should be reasonable so that excessive complex systems are as unacceptable as having a laptop without a password protection in a clinic.

Saving data

The data processor must retain the data for as long as it is necessary for them to do so which is a circular way of saying that you will in trouble for deleting or not deleting the data.

Those dealing with medical legal matters must keep the data until the end of the case which can be as much as 20 years later for children.

A global time limit of 6 months is likely to fall foul of the need to be able to retrieve data as necessary but is reasonable where the case has been settled or for medical records.

The medical expert report should be kept for at least 3 years in case of complaints and generally as they are rarely informed about the end of a case.

My interpretation is that data should be regularly archived so that no more than 12 months is kept on email or on main computers and no more than 5 years on back-ups.


GDPR and the DPA 2018 are long complex documents which have spawned a profusion of implementation documents which can themselves be in breach of these regulations.

Processors have been ordered by controllers to destroy data that they are required to be able to retrieve leading to data breaches reported to the ICO.

For doctors it is more important to keep files to kept securely and retrieved when required as they cannot destroyed as long as their patients remain alive.

The move to online secure systems so that patients can access their own records will remove the excess workload on doctors providing copies of patient’s medical records.

The use of secure servers allowing large files to be transferred means that torn large paper envelopes containing paper medical records will become a thing of the past.

Doctor Mark Burgin, BM BCh (oxon) MRCGP is on the General Practitioner Specialist Register.

Dr. Burgin can be contacted for audits on This email address is being protected from spambots. You need JavaScript enabled to view it. and 0845 331 3304 website

General Data Protection Regulation 2018 accessible at

Image ©

All information on this site was believed to be correct by the relevant authors at the time of writing. All content is for information purposes only and is not intended as legal advice. No liability is accepted by either the publisher or the author(s) for any errors or omissions (whether negligent or not) that it may contain. 

The opinions expressed in the articles are the authors' own, not those of Law Brief Publishing Ltd, and are not necessarily commensurate with general legal or medico-legal expert consensus of opinion and/or literature. Any medical content is not exhaustive but at a level for the non-medical reader to understand. 

Professional advice should always be obtained before applying any information to particular circumstances.

Excerpts from judgments and statutes are Crown copyright. Any Crown Copyright material is reproduced with the permission of the Controller of OPSI and the Queen’s Printer for Scotland under the Open Government Licence.