GDPR and HCPC standards: six months on

03 Dec 2018
  • Our standards

Olivia Bird

Policy Manager, HCPC Policy and Standards

Six months on from the introduction of the General Data Protection Regulation (GDPR), Policy officer Olivia Bird looks back on some FAQs about how the new legislation affects registrants and their practice, and gives some advice on how registrants can ensure they continue to meet HCPC’s standards.

This blog provides guidance on meeting the HCPC standards and signposts to relevant guidance from external sources, but it doesn’t seek to provide any legal advice. If you have any questions regarding this blog post or GDPR, please get in touch with the HCPC Policy and Standards team at

What is GDPR?

The General Data Protection Regulation (GDPR), supported by the Data Protection Act 2018 (DPA), governs how personal data, including service user records, should be handled.

Introduced in May 2018, this legislation replaced the Data Protection Act 1998. However, it builds on many of the main concepts and principles of the 1998 Act.

The Information Commissioner’s Office is the authority on UK data protection law. They have issued a Guide to the GDPR which explains the provisions of the GDPR, which registrants may find useful.

For more information, see Annex A of our Confidentiality Guidance or go to the ICO website.

How does GDPR affect registrants?

Registrants regularly handle personal data, and service users expect them to protect their confidentiality at all times. We expect registrants to comply with the law, and therefore, when handling personal data, registrants should be mindful of the new requirements.

Does the HCPC have any guidance on GDPR?

Our Standards of Conduct, Performance and Ethics (standards 5 and 10) and our Standards of Proficiency (standards 7 and 10) outline what we require of our registrants with respect to record keeping and confidentiality.

The HCPC does not issue specific guidance on GDPR, but we have included a summary of the requirements as an annex to our Confidentiality Guidance. The principles set out in our guidance have not changed in light of GDPR and so registrants should continue to follow them.

For more detailed guidance, registrants should refer to the ICO’s website and the Guide to the GDPR.

How long should I be keeping records for in light of GDPR?

The HCPC does not issue a retention policy for records, as what would be appropriate will vary with an individual registrant’s scope of practice, profession and role. Instead, registrants should follow local guidance, or guidance set by their professional body.

We also recommend reviewing the Information Governance Alliance’s (IGA) Records Management Code of Practice for Health and Social Care 2021* retention schedule. Whilst an NHS resource, this should be a useful guideline for public and private sector practitioners alike.

It is worth noting that it is a requirement under GDPR to establish and document retention periods. You can find more information about this on the ICO website.

Does GDPR mean I need to obtain consent for patient care functions? Can I no longer rely on implied consent for care and treatment?

Consent under GDPR must be freely given, specific, informed and unambiguous, and involve a clear affirmative action. However, this differs from consent to care and treatment and the use of patient data for that purpose, which is not affected by the legislation. For more information, we would recommend reviewing the ICO’s FAQs for small health sector bodies, which address this question.

Does HCPC have a template consent form for registrants?

The HCPC does not have a template consent form for registrants. We expect registrants to follow local policy, and therefore you should speak to your employer or professional body for further advice.

In addition, you may find it useful to refer to the ICO’s information page on consent under the GDPR and draft detailed consent guidance. This includes information on ‘how should you obtain, record and manage consent?’ which sets out specific advice for writing consent forms or requests.

Does the GDPR right to erasure (“right to be forgotten”) mean that, if a service user asked me to, I should delete/destroy their medical records?

Not necessarily. The GDPR sets out that a request for erasure may be denied in certain circumstances. Reasons permitted for this include:
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.

It is important that health records remain available throughout the recommended retention period (see IGA guidance) in case issues arise relating to the patient’s health, complaints or legal action. While it has been established that patients can request that their NHS summary care record be deleted, original records should not be erased within the recommended retention period (with rare exceptions relating to paper records). As a result, audit trails should remain complete.

The ICO publishes guidance on deleting personal data which you may find helpful if you receive such a request. It may be possible for you to archive the relevant patient’s record such that it is ‘put beyond use’, whilst retaining their information in line with your statutory obligations.

*Blog updated on 27 August 2021 to reflect the update of the Records Management Code of Practice for Health and Social Care from the 2016 edition to the 2021 edition.

Page updated on: 05/12/2018