GDPR and HCPC Standards

25 May 2018

Most HCPC registrants are aware of the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.

Whilst the HCPC’s Standards of conduct, performance and ethics do not currently mention GDPR directly, they do say that registrants must keep up to date with and follow the law, our guidance and other requirements relevant to your practice. 

They also state that registrants must: 

  • Make sure you have consent 
  • Share relevant information, where appropriate, with colleagues involved in the care, treatment or other services provided to a service user 
  • Respect confidentiality 
  • Keep records of your work, which includes protecting them from loss, damage and inappropriate access. 

We also produce online guidance for registrants on confidentiality. The main body of this guidance is still accurate and should be applied in your practice. 

We are working to update Annex A, which outlines data protection principles under the Data Protection Act 1998, and we will be publishing an updated version, outlining data protection principles under the GDPR, in due course.

In the meantime, the Information Commissioner’s Office is the UK’s independent body set up to uphold information rights and is the authority on data protection issues. You can find general information about GDPR on its website, including a Data Protection Self-Assessment Toolkit.

Understanding consent

Applying GDPR consent appropriately is only one aspect of your professional duty to make sure you have consent.

“You need to remember that patient consent for treatment or to share healthcare records is not the same as GDPR consent.”

- Information Commissioner’s Office, FAQs for small health sector bodies.

Page updated on: 20/11/2018