Lagen om användning och tillgång till data 2025 - vad det innebär för allmänläkare
Författad av Thomas Andrew Porteus, MBCSUrsprungligen publicerad 20 aug 2025
Uppfyller patientens redaktionella riktlinjer
- Ladda nerLadda ner
- Dela
- Language
- Diskussion
- Ljudversion
- Lägg till i föredragna källor på Google
Medicinska yrkesverksamma
Professionella referensartiklar är utformade för att användas av hälso- och sjukvårdspersonal. De är skrivna av brittiska läkare och baserade på forskningsbevis, brittiska och europeiska riktlinjer. Du kanske hittar en av våra hälsoartiklar mer användbar.
Den Data (Use and Access) Act 2025 is now law in the UK. Introduced as part of the government’s digital strategy, it updates the rules around how personal data is used, shared, and protected across sectors - including healthcare.
For GP practices the Act has significant implications, particularly in how you manage patient information, respond to data requests, and interact with third-party services.
The Act does not replace the UK GDPR or the Data Protection Act 2018, but it makes important changes to how these laws are applied. Much of it will come into force over the next year, so general practices should start preparing now.
Here’s what the new legislation means for you, your team, and your patients.
More flexibility in handling access requests
GP practices often deal with data subject access requests (DSARs) - especially from patients who want to see their full medical record. Under current rules, practices have one calendar month to respond, which can be difficult when dealing with large files or vague requests.
The new Act allows you to pause the one month deadline if the request lacks key details or needs clarification. Known as 'stopping the clock' this gives practices time to ask for more information before continuing the countdown.
This change is especially useful when a patient asks for 'all information' without specifying a timeframe or topic. It gives your admin team a better chance to manage expectations and respond accurately.
What you should do:
Update your internal procedures to include this new flexibility.
Make sure staff know when and how to request clarification.
Document all pauses clearly in case you’re audited or challenged.
A new lawful basis - recognised legitimate interests
One of the most significant updates is the introduction of 'recognised legitimate interests' as a lawful basis for processing personal data. Previously, most GP data processing relied on public task, legal obligation, or consent.
This new basis allows organisations to process data without consent where the activity is in the public interest and where safeguards are in place. Examples include safeguarding, public health protection, serious crime prevention, and responding to emergencies.
For GPs, this may provide a clearer legal route for sharing data quickly with social care, safeguarding leads, or the police - especially when waiting for formal legal instructions could delay action.
However, this doesn’t remove the need for proper documentation - you’ll still need to:
Explain the purpose of the data use.
Ensure it’s proportionate and necessary.
Record your decision-making process.
This is not a shortcut, but it does allow you to act more confidently when immediate data sharing is required for public protection.
International data transfers: a more practical approach
Previously, you could only transfer personal data outside the UK to countries with an official “adequacy decision.” This made it harder to use software or services hosted abroad.
The DUAA replaces that model with risk based approach. You can now transfer data to non-UK countries if you’re satisfied the protections in place are not “materially lower” than UK standards.
This is particularly relevant for practices using:
Cloud-based patient record systems.
Online booking platforms.
Email, SMS, or video consultation tools that store data overseas.
You’ll need to assess the safeguards and possibly update your contracts or data protection impact assessments (DPIAs).
Action for practices:
Identify where your patient data is stored and processed.
Work with your suppliers to confirm compliance with the new risk-based standard.
Keep records of your assessments.
Research and smart data: new opportunities on the horizon
The Act makes it easier for personal data to be used in scientific research by commercial companies, as long as the purpose is clear and appropriate safeguards are in place.
This opens the door for practices to support a wider range of research projects, including partnerships with universities, NHS trusts, and health tech companies. It could make it easier to participate in data-led initiatives to improve population health or service design.
The legislation also lays the groundwork for smart data schemes - secure, regulated systems where people can allow approved third parties to access their data for specific purposes.
While this is still in development, smart data in health could eventually allow patients to:
Share parts of their health record with digital tools or apps.
Access personalised services using real-time information.
Transfer records more easily between services.
Practices aren’t expected to implement anything yet, but you should be aware that these schemes are likely to appear in the next few years.
Stronger ICO oversight and a duty to handle complaints
The Information Commissioner’s Office (ICO) will have greater powers to audit and investigate organisations, including GP practices.
At the same time, all organisations must now provide a clear and accessible route for people to complain if they believe their data has been misused or mishandled. You’ll need to respond to these complaints within 30 days.
This applies even if the complaint is about how long data is retained, how it’s shared, or what’s written in a patient record.
What you need to do:
Update your privacy notice with a clear complaints section.
Add a simple form or contact route on your website.
Train staff on how to log and respond to data complaints.
If a complaint isn’t resolved, patients can escalate to the ICO - and the practice may face inspection or enforcement.
What GP practices should do now
Although many parts of the Act won’t be enforced until 2026, it’s important to prepare in advance. Here’s a practical checklist to guide your next steps:
Review and update your DSAR policy, including how to use the stop-the-clock feature.
Check your privacy notice - does it explain lawful bases, data sharing, and complaints clearly?
Map your data flows, especially for international transfers.
Speak to your IT and clinical system suppliers about how they meet the new data standards.
Train your team, particularly on safeguarding-data related sharing and complaint handling.
The bigger picture: digital confidence and patient trust
The Data Use and Access Act 2025 is part of a wider government agenda to simplify data law and support innovation. For GP practices, it brings new opportunities to share data more confidently and collaborate in research and digital services.
But it also raises expectations around transparency, responsiveness, and professional accountability. How you prepare now will influence your compliance and your patient relationships in the years to come.
If your practice would benefit from a data protection review, template updates, or help with team training, your local LMC or federation may already have resources in place.
Exklusiva uppdateringar för vårdpersonal
Håll dig informerad med de senaste kliniska uppdateringarna, professionella insikter och evidensbaserad vägledning. Patient Pro-nyhetsbrevet sammanställer viktigt innehåll för vårdpersonal—levererat direkt till din inkorg.
Genom att prenumerera accepterar du våra Sekretesspolicy. Du kan avsluta prenumerationen när som helst. Vi säljer aldrig dina uppgifter.
Om författarenVisa fullständig biografi

Thomas Andrew Porteus, MBCS
Hälsoteknik
MBCS
Thomas skriver för att informera, inspirera och utrusta praktikledare och vårdpersonal som navigerar förändringar, med utgångspunkt i två decennier av praktiskt arbete inom det brittiska hälsosystemet.
Artikelhistorik
Informationen på denna sida är skriven och granskad av kvalificerade kliniker.
Artikeln finns också på Engelska, Tyska, Spanska, Franska, Italienska, Portugisiska, Hindi, Hebreiska, Arabiska, och Svenska.
20 aug 2025 | Ursprungligen publicerad
Författad av:
Thomas Andrew Porteus, MBCS

Fråga, dela, anslut.
Bläddra i diskussioner, ställ frågor och dela erfarenheter inom hundratals hälsorelaterade ämnen.

Känner du dig sjuk?
Bedöm dina symtom online gratis
Mer om informationsstyrning och säkerhet
- Hur man undviker IG-huvudvärk när man arbetar med PCN-personal
- Hur man genomför en praxisomfattande IG-riskbedömning
- Hur man skapar en kultur av IG-medvetenhet i din verksamhet
- Hur man skapar en praktisk IG-kalender som verkligen fungerar
- Hur man hanterar ett dataintrång för patientinformation
- Hur man hanterar en begäran om registerutdrag (SAR)
- Hur man hanterar vanliga patientfrågor om informationssäkerhet
- Hur man hanterar cybersäkerhet i en hybridarbetsmiljö
- Hur man förbereder sig för en DSPT-inlämning utan panik
- How to prevent smartcard sharing and why it matters
- Hur man svarar på ett misstänkt e-postmeddelande på under 60 sekunder
- Hur man genomför en 15-minuters IG-uppfräschning på nästa teammöte
- Hur man upptäcker och stoppar interna IG-risker
- Hur man utbildar personal i cybersäkerhet utan att tråka ut dem
- Hur man skriver ett patientinriktat integritetsmeddelande som bygger förtroende