Our Team


The Letby case and Doctors’ non-clinical regulatory obligations

The recent Lucy Letby case made headlines across the world. Interest in her trial and subsequent sentencing has brought into focus not only Ms Letby’s actions, but also the actions of those people who were managing her and the unit she was working in. Recently, it was reported that Cheshire Police are investigating if corporate manslaughter charges can be laid in relation to the events that took place at the Countess of Chester Hospital.

In addition to their corporate responsibilities, doctors have to meet the non-clinical regulatory obligations set out by the GMC. This includes ensuring that the systems they oversee and the processes which they implement and supervise are fit for purpose, and are focused on delivering good patient care.

In this blog, we look at how a doctor can meet their non-clinical regulatory obligations.

Meeting the GMC standards in leadership and management

The GMC has produced specific guidance on the standards it expects doctors to meet in relation to leadership and management.

The introduction to the guidance is instructive as it lays out the GMC’s position:

“Being a good doctor means more than simply being a good clinician. In their day-to-day role doctors can provide leadership to their colleagues and vision for the organisations in which they work and for the profession as a whole. However, unless doctors are willing to contribute to improving the quality of services and to speak up when things are wrong, patient care is likely to suffer.

This guidance sets out the wider management and leadership responsibilities of doctors in the workplace, including:

  • responsibilities relating to employment issues
  • teaching and training
  • planning, using and managing resources
  • raising and acting on concerns
  • helping to develop and improve services.

The principles in this guidance apply to all doctors, whether they work directly with patients or have a formal management role…..

….You continue to have responsibility for the safety and wellbeing of patients when you perform non-clinical duties, including when you work as a manager. You are still accountable to the General Medical Council (GMC) for your decisions and actions, even if someone without medical training could perform your role.

The highlighted last sentence is significant because it makes clear that the GMC will investigate concerns about doctors even when they are operating in a purely managerial, non clinical role. The GMC frequently investigate cases involving drink driving, fraud, assault and similar, so investigating non clinical management is not as big a step as some might imagine.

Your obligation to raise and act on concerns

As stated above, one of the important responsibilities for doctors is “raising and acting on concerns”. One of the great tragedies of the Letby case is that it appears concerns may have been raised, but that these may not have been acted upon.

The GMC consider this to be such an important subject in its own right that they have produced separate guidance on this. The guidance essentially explains how to apply in practice the relevant principles in Good Medical Practice, which is of course the primary guidance for doctors.


The GMC guidance on raising concerns states the following:

“All doctors have a duty to raise concerns where they believe that patient safety or care is being compromised by the practice of colleagues or the systems, policies and procedures in the organisations in which they work. They must also encourage and support a culture in which staff can raise concerns openly and safely.”

The wording is clear that doctors are under a duty to raise concerns and it is not optional.

If you find yourself in a position where you have a concern, you should check your practice’s own policies and procedures and read the GMC guidance in full.

If you are worried that you are not being listened to, or of potential repercussions, then DR Solicitors can offer you practical advice on best practise. For the rare occasions when things do go wrong and you find yourself in front of a regulator, we have the experience to guide you through that process.

For more information about meeting your non-clinical regulatory obligations or for any other primary care related legal issues, please get in touch for a free, no obligation chat on 01483 511555 or via email info@drsolicitors.com

Our Team


Data law compliance failures are a growing problem: tips to reduce your risk

The ICO have recently published their findings that many public sector bodies, including NHS organisations, still do not have appropriate policies, processes or staff training in place to ensure compliance with GDPR. In particular, they have identified failings in three key areas, being (i) inappropriate disclosure of data; (ii) insufficient data removal and redaction; and (iii) failure to identify and report a data breach. The failures have resulted in the ICO issuing reprimands to the organisations involved, which then go on to be published on the ICO website for all to see.  

How confident are you that your practice is properly managing the risks of GDPR, and what are the possible consequences of a reprimand from the ICO? 

What is an ICO reprimand?

In the event of a complaint about you to the ICO, or a claim for damages against you from a wronged data subject, the GDPR imposes a statutory duty on you as a data controller to demonstrate that you have implemented the GDPR Article 5(1) ‘data protection principles’ and the wider GDPR provisions. This is known as the ‘accountability principle’ and an inability to demonstrate compliance could result in you receiving a reprimand from the ICO. Note that it is not enough to simply comply, you have to be able to demonstrate how you comply. 

In June 2022, the ICO announced that they would generally rely on their wider powers of warnings, reprimands and enforcement notices when dealing with public sector GDPR breaches, and would only issue fines in the most serious of cases. It is slightly unclear whether primary care providers would be regarded as public sector for these purposes, as the ICO used the terms public authority (which most practices are) and public sector (which most are not) interchangeably, but at least initially we would expect the ICO to err towards reprimands.

Primary Care providers may not consider receiving an ICO enforcement notice or a reprimand to be overly serious (and it will certainly be preferable to a fine), but the ICO publishes the enforcement action it takes on its website, which is constantly monitored by the media and claimant solicitors. 

Providers who receive an ICO enforcement notice or reprimand may therefore quickly find themselves under the media spotlight and in receipt of damages claims from solicitors representing affected data subjects. It will be very hard to defend any data breach claim if the ICO has already published that you are not complying with the GDPR.

Top tips to avoid an ICO reprimand 

We suggest that you carry out a thorough and regular review of your policies, procedures and training and document the outcome of each review. You may wish to prioritise the following: 

  1. all data protection policies, procedures and staff guidance and training, particularly those relating to the management of data subject requests and requests for access to medical records
  2. those policies and procedures relating to the removal and redaction of third party and non-personal data and those for data disclosure and sharing
  3. procedures and training on how to detect and report a personal data breach 
  4. staff data protection instruction and training to confirm that it complies with the ICO’s Accountability Framework.  Particular attention should be given to the training of those responsible for managing data subject requests, the removal and redaction of data and the disclosure and sharing of personal data.


Data protection legislation is a complex but increasingly litigious area, and practices are particularly at risk of claims because they hold such sensitive personal data. LMCs, PCNs and primary care providers who require further information on anything covered in this article, or who would like a confidential conversation about complying with the GDPR’s Article 5 requirements can contact Nils Christiansen on 01483 511555 or send an email to enquiries@drsolicitors.com

Our Team


Podcast: David Sinclair on the threat of cyber-attacks on GP Practices and steps to take now

With the threat of cyber-attacks on the rise, coupled with a quickly evolving policy landscape when it comes to GDPR, data protection and information security, our Information Law Solicitor, David Sinclair, discusses with Ockham Healthcare what practices should be doing now to ready themselves, who should take responsibility for this critical area of work, and what to expect going forwards.

Our Team


Data Protection Officers – what’s the risk?

Every GP Practice in England and Wales should have a designated Data Protection Officer (‘DPO’) who is key to the practice being able to comply with its UK General Data Protection Regulation 2016 (‘GDPR’) duties. Unfortunately, there is a lack of understanding about the importance of the DPO role, resulting in partners and separately, the DPO, taking on potentially significant regulatory and financial liability. In many practices, the DPO is seen as a secondary function that a partner, practice manager, or relatively junior member of staff can undertake in addition to their normal duties. In this blog, our data and information security solicitor, David Sinclair, identifies some of the key risks and some steps you can take to avoid them.

The role of the DPO

A DPO has significant, statutory data protection responsibilities that require them to possess requisite professional qualities and other abilities (not defined in the legislation), together with an ‘expert knowledge of data protection law and practices’. Given the complexity and ever-changing nature of UK data protection law, this is a significant burden to impose on any professional – even one with considerable information governance experience.

Partner liability

Unless otherwise expressly set out in the partnership agreement, partners are jointly and severally liable for GDPR compliance, including for formally appointing and adequately supporting a competent DPO, and for filing the DPO appointment with the ICO.

Partners bear the full statutory responsibility of ensuring that the DPO (whether a staff member or third party) has the experience, skills and knowledge to fulfil their DPO duties, as well as the required ongoing training, support and resources to enable them to carry out their role.

DPO liability

A DPO carries significant liability if a GDPR breach is attributed in whole or in part to a failure on their part to properly undertake their DPO duties. This is the case even when it can be shown that they perhaps did not have the necessary experience for the role and/or were not provided with adequate training to understand the GDPR’s requirements (many of which are poorly defined and open to interpretation), unless the DPO can demonstrate that they raised these issues with the practice at the earliest opportunity.

A common misconception among DPOs is that they have immunity from prosecution, dismissal, or other disciplinary action by virtue of their status as a DPO. This is not the case.

Article 38 of the GDPR provides DPOs with limited protection from dismissal or other penalty relating purely to the performance of their DPO tasks. In addition, DPOs cannot be personally liable for the partnership’s non-compliance with the GDPR, which remains with the partners.

Data protection law does not, however, protect DPOs who fail to undertake their statutory role or who do so negligently, eg by them failing to advise the partners, or them giving inaccurate advice, particularly where this is due to the DPO’s lack of competence and they failed to raise that with the practice.

Further, the GDPR does not prevent partners disciplining DPO employees (up to and including dismissal) under the terms of their employment contract, or from partners seeking to recover damages (in breach of contract and/or negligence) from external DPOs, whose failure to undertake their role results in a breach of data protection law.


So how can you minimise your liabilities?

Partners should undertake due diligence on a DPO’s competence and suitability to undertake their role. The practice must also provide the DPO with the resources and support they need to carry out their duties. We strongly advise partners to review their DPO appointment on a regular basis.

Existing DPOs and those considering taking on the role should give thought to whether they have the required training, experience, skills and knowledge to undertake the role. Particular consideration should be given to whether they can advise the practice competently and confidently on complex GDPR issues. Individuals who have doubts about their competence in this area should raise this with a partner as a priority.

For more information about GDPR, the role of the DPO or on information governance issues generally, please contact David Sinclair on 01483 511555 or by email to d.sinclair@drsolicitors.com.

Our Team


Weaponising Data Subject Access Requests

If you find yourself in dispute with a partner or employee, then you may well find yourself in receipt of a Data Subject Access Request (DSAR). This is an increasingly common occurrence in civil and employment litigation and requires careful handling. In our experience many primary care practices do not have effective systems in place to deal with DSARs, which can then result in significant reputational damage and financial cost.

In this blog, we look at how and why DSARs are being used as a legal tactic in disputes, and how your Practice can minimise the risk of a claim arising out of one.

What is a DSAR?

The UK General Data Protection Regulation 2016 (‘GDPR’) provides data subjects with a right to access their personal data. Many practices do not realise that a DSAR can be made in any format, including orally, and can be made to anyone in the organisation.

The GDPR also provides data subjects with a statutory right to claim compensation from a provider where they have suffered material (eg medical bills, loss of wages) or non-material (eg distress, anxiety) damage. It has been established that non-material damage can include a data subject’s ‘loss of control over their personal data’.

Article 15 of the GDPR gives a data subject a further right to sue a data controller if they fail or partially fail to respond to a DSAR. ‘Fail’ includes responding late and/or not providing the mandatory information. Recent damages paid range from £750 for the ‘frustration’ felt by a data subject whose personal data had not been erased, to £18,000 awarded for distress following the inclusion of inaccurate personal data in a report.

Why are DSARs important?

DSARs, other than those held to be manifestly unreasonable or excessive, are a fundamental legal and human right that the Courts have held to be ‘purpose blind’. This has led to DSARs being used as a weapon by individual claimants and their solicitors to short-circuit the normal legal disclosure process. The hope is to pressurise a data controller into early and higher settlements by highlighting a breach and/or threatening civil action for compensation.

If poorly managed, DSARs can also result in claimants being given information to which they are not entitled, such as other people’s personal data, which would itself constitute a data breach. This then enables the claimant to increase the size of their own claim, and opens the possibility of further claims from new claimants. Unfortunately, the size of the likely awards means that some solicitors are prepared to act on DSARS and data breach claims on a no win/no fee basis, which simply encourages even more claimants to come forward. In this way a DSAR received on a small dispute can quickly snowball into multiple large claims against a practice.

Managing DSARs

Good DSARs management starts with processes and staff training. Since DSARs can be made to anyone in the practice, all staff must understand what to do if they receive one. This minimises the risk of a DSAR being overlooked. Practices should then have a single point of contact responsible for responding to DSARs, who is trained in the regulations and who has appropriate access to the relevant systems. They should also understand and manage the timelines for responding, and report directly to a responsible partner to enable quick decision-making. It would also be a good idea to know who you will approach in the event you need expert legal help.


The use of DSARs as a litigation weapon is increasing, as are the number and size of claims against data controllers. It is important that primary care practices have robust, formal procedures in place to ensure that:

  • all staff can recognise a DSAR;
  • all data search, collation, redaction and removal processes are GDPR compliant
  • DPA exemptions are correctly applied;
  • all non-disclosable information is withheld;
  • any consents to disclosure are valid; and
  • timeframes are strictly adhered to

Primary care providers who are uncertain about dealing with a DSAR should seek legal advice as soon as possible, particularly if there is a link to a known or potential litigation matter. If you would like more information about this or any other matter, please contact Nils Christiansen or David Sinclair on 01483 511555, email n.christiansen@drsolicitors.com

Our Team


Integrated Care Systems Consultation: Very little time to respond

NHS England recently issued a consultation on significantly extending the role of Integrated Care Systems (ICSs) in the NHS. The proposals are very far reaching for Primary Care as well as other NHS providers, and the consultation is set to close on 8 January 2021 so time is short.

What are the Proposals?

ICSs have been around for a couple of years now, and bring together CCGs, Trusts, Councils and other NHS Organisations to ‘take collective responsibility for managing resources, delivering NHS standards, and improving the health of the population they serve”. To date ICSs have been collaborations between existing organisations rather than creating anything new.

At heart, the proposals in the consultation paper are to put the ICSs on a firmer footing by introducing new legislation. There are 2 options presented, and it should be noted that ‘Doing Nothing’ is not an option. The implicit conclusion must be that the current organisation of the NHS in England is no longer considered fit for purpose. The options are:

Option 1: a statutory committee model with an Accountable Officer that ‘binds together’ current statutory organisations

Option 2: a statutory corporate NHS body model that additionally brings CCG statutory functions into the ICS.

There is a clear preference in the paper for Option 2. Under this model the current GP-led CCG model would disappear and CCG functions would move into ICSs. ICSs would instead be governed by a board consisting of representatives from the ‘system partners’, including, as a minimum, representatives of NHS providers, primary care and local government.

Under Option 2, ‘many commissioning functions for which NHSE is currently responsible could be transferred or delegated to the ICS’. Critically, it also anticipates allocating ‘combined population-level primary care, community health services and specialised services population budgets to ICSs under this option. There is no doubt that these proposals are very far reaching and, if adopted by the government, will see a radical change to the NHS in England. They will also open the door to a very different role for primary care and we will analyse these changes in a separate blog.

How to respond?

The Consultation poses 4 questions, and asks for responses by 8 January 2021. The questions are all framed as ‘Do you agree thatâ’ so you will need to be clear in your answers if you actually disagree with any of the statements. The four questions are:

1. Do you agree that giving ICSs a statutory footing from 2022, alongside other legislative proposals, provides the right foundation for the NHS over the next decade?

2. Do you agree that option 2 offers a model that provides greater incentive for collaboration alongside clarity of accountability across systems, to Parliament and most importantly, to patients?

3. Do you agree that, other than mandatory participation of NHS bodies and Local Authorities, membership should be sufficiently permissive to allow systems to shape their own governance arrangements to best suit their populations needs?

4. Do you agree, subject to appropriate safeguards and where appropriate, that services currently commissioned by NHSE should be either transferred or delegated to ICS bodies?

Quite how NHSE expects to receive carefully considered responses to such far-reaching proposals in a tight timescale in the midst of a Covid pandemic, during the flu season, and over the Christmas period is not explained. Although we would obviously recommend that readers respond by 8 January if they can, we would suggest that if you would like to respond but feel that the deadlines are too tight, as a minimum you notify NHSE of this so that later representations may possibly be considered.

If you wish to discuss the impacts of any of these changes on your practice, PCN or federation, please contact Nils Christiansen on 01483 511555, info@drsolicitors.com

Our Team


The NHS Long Term Plan: How will GP practices be impacted?

There is a tendency when new plans come out of the NHS for people to say they have seen it all before. Would this be a wise response to the Long Term Plan?

Pleasingly, there is an acknowledgement of the many issues in primary care and a commitment that investment in primary medical and community services will grow faster than the overall NHS budget. Spend should be at least £4.5bn higher in 2024, but the extra money will come with strings attached. If applied consistently, this will mean further change is coming for many GPs in England.

The Network Contract

A new ‘Network Contract’ will route the additional monies and will also incorporate local enhanced services currently commissioned by CCGs. This Network Contract will be in addition to existing GMS, PMS and APMS contracts. ‘Primary Care Networks’ (PCNs) will be responsible for these contracts and will typically cover 30-50,000 patients. Each network will be responsible for expanded community multidisciplinary teams along the lines of the Integrated Care Vanguards. The obvious question is, who will actually hold (and deliver) these contracts? In some parts of the country GP Federations are sufficiently developed to do so, and could then subcontract services to member practices or to other service providers as appropriate. In other areas super-partnerships are sufficiently large and geographically contiguous to do so, though they may be concerned about using their unlimited liability partnerships to do so. Elsewhere again, it is possible that existing community health providers may look to lead.

What is clear is that the Network Contract is supposed to facilitate ‘integrated community-based health care’ and all new money in primary care will flow that way. We are told that practice participation will be voluntary, but it is hard to see how practices will remain financially viable in the medium term if they do not participate.

Online GP consultations

Digital-first primary care will become a new option for every patient. Over the next five years every patient in England will have a new right to choose telephone or online consultations instead of face to face consultations. The plan states this will be ‘usually with their own practice or, if patients prefer, with one of the new digital GP providers’.

The plan goes on to say that a new framework will be created for digital suppliers to offer their platforms to primary care networks on standard NHS terms. It is therefore unclear whether the digital providers enabling online consultations are supposed to be suppliers of services to networks of GPs, or will be able to hold patient lists themselves.

Our recommendations

It has been clear for some time that any increases in funding will go to practices working at scale. Scale working has now been formalised into PCNs . In those areas of the country where there is already an obvious PCN in existence, the immediate focus should be on working out which approach to use for online consultations. Where there is not currently any single obvious PCN, practices would be well advised to reconsider their local joint working arrangements: be that though through federations, mergers, primary care homes or the like.

Remember that the new Network Contract will need to be held by an appropriate business vehicle (there is no indication yet of any restrictions on who could hold them) so you will need to consider who will be the local prime contractor.

We would be delighted to discuss how we can help practices and PCNs prepare for the imminent changes. Please contact Nils Christiansen in the first instance for a no obligation conversation about how we can assist.

Our Team


The advantages and disadvantages of LLPs and Mutuals in Primary Care

There are currently only four types of business vehicle permitted to hold GMS contracts. These are:

  1. Individual GPs (who have unlimited liability)
  2. Unlimited liability partnerships including at least one GP (the most common structure)
  3. Limited partnerships including at least one GP
  4. Companies limited by shares including at least one GP shareholder

There are statutory mechanisms enabling a GMS contract to be transferred between types 1, 2 and 3, but no statutory mechanism enabling a transfer to or from type 4. The rules for PMS are slightly different, but given the right of PMS contractors to return to GMS the difference is not material for the purposes of this note.

The current options for practices to limit their liability are restricted. They could transfer a GMS contract into a limited partnership, but these entities require at least one partner to have unlimited liability for all the risks of the business. Since only a subset of the partners have limited liability, this would create obvious difficulties in a GP partnership. Using a Company limited by shares would limit the exposure of all the shareholders to the value of their capital, but this is not normally available to practices as there is no mechanism to transfer the GMS contract into the company.

Limited Liability Partnerships (LLPs)

LLPs retain the central feature of partnerships, being that partners both own and manage the business. In a company, by contrast, ownership and management are split between the shareholders and directors. Partnerships are often the preferred business vehicle in the professions because the alignment of ownership and management encourages close collaborative working. This in turn facilitates the transfer of tacit skills and good risk management on which the reputation of the profession relies.

LLPs bring several advantages over other kinds of partnership:

  1. LLPs are registered legal entities and are therefore capable of contracting in their own name. This means that important assets such as the surgery freehold or lease can be held in the name of the LLP rather than individual LLP member’s names. When a member joins or leaves an LLP, there is no need to change the lease or the land registry title, because the member is not named on it. Discussions amongst members would then change from being whether or not to ‘buy-in’ to the surgery, to whether or not to contribute capital to the LLP.
  2. The liability of LLP members is limited to their capital contribution. There are ways this can be circumvented such as by a mortgagor requiring personal guarantees, but members know that their liability is limited except where they have agreed otherwise. By contrast in traditional partnerships all partners have unlimited liability except where they have agreed to limit it. The most common ways of doing so are to take out insurance (such as professional indemnity cover) or to have contractual limits to liability in service contracts. In this way it is possible to create structures which arrive at similar levels of risk, but they start from opposite extremes
  3. In an LLP a member is not responsible or liable for another member’s misconduct or negligence. This is an inevitable consequence of the limited liability status since this removes the joint and several liability inherent in an unlimited liability partnership. Some argue that this can reduce the level of collaboration between LLP members, but this has not generally been the experience of other professions.
  4. There is considerably more formality around LLPs. Unlimited liability partnerships can be created and dissolved with no documentation, whereas LLPs cannot exist unless they are registered at Companies House. This increased formality eliminates some of the uncertainty around whether a partnership has been created or dissolved, which is at the heart of many GP partnership disputes. However, Companies House requires LLPs to file and disclose information about their membership and accounts which is normally kept private in an unlimited liability partnership.

Mutuals and Social Enterprises

There are a variety of legal structures which enable employee and community ownership of, and involvement in, a business. These are usually known collectively as social enterprises. The only form of social enterprise which is currently open to primary care is a Community Interest Company Limited by Shares (“CIC-CLS”). Since the same ownership rules apply to a CIC-CLS as to an ordinary company limited by shares, it is not possible to use it to broaden employee and community involvement in the practice.

If other social enterprises were to be permitted to hold GMS and PMS contracts, they would most likely include Companies limited by Guarantee (“CLG”), Community Benefit Societies (“BenComs”) and Industrial Provident Societies (IPS).

The primary difference between the various different types of enterprise comes down to who they ultimately seek to benefit:

  • Partnerships and LLPs look to provide financial benefit (profit) for the partners/members
  • Companies limited by shares look to provide financial benefit (profit) for the shareholders
  • CLGs look to provide financial and non-financial benefit to a defined purpose and are often charities
  • BenComs look to benefit the community
  • IPS’s seek to benefit their members

If social enterprises were able to hold GMS and PMS contracts, they would have similar advantages to LLPs. They all generally have legal personality and so can hold assets and contracts, they have limited liability by default, and they are regulated and must be registered. Social enterprises come with the additional disclosure requirement beyond those of LLPs, to ensure that their social purpose is being complied with.

A further possible advantage with social enterprise is that it might make it easier to integrate across other elements of healthcare, since it would be easier to involve the care and voluntary sectors in a social enterprise such as a BenCom.

Transitioning issues

If LLPs and mutuals were permitted to hold GMS and PMS contracts, this would not resolve the question of how to move existing GMS and PMS contracts into them. As LLPs and mutuals are distinct legal entities, they would suffer from the same procurement problem as Companies limited by shares currently do. This is that procurement law states that public bodies must tender all contracts above a certain value. Because GMS and PMS contracts do not generally have a fixed term, their cumulative value normally exceeds this threshold. Since moving a contract from one legal entity to another is technically a termination and re-grant, the re-grant would by default have to occur through a tender process. There are exceptions to the public tender rule, but it is a matter of some debate whether these exemptions can be applied to GMS and PMS contracts.

If you have any questions or for more information, please contact Nils Christiansen on 01483 511555 or email n.christiansen@drsolicitors.com

Our Team


What does GDPR mean for GP Practices?

What is GDPR and what does it mean to be compliant?

I am sure that you will all by now be aware of GDPR. GDPR comes into effect on 25th May 2018 and seeks to give individuals more control over how organisations use their data.

GDPR is a European regulation, and automatically becomes law in the UK because of our membership of the European Union. Although Brexit would take us out of the European Union, the current plan is to incorporate all EU law into UK law, so GDPR is almost certainly here to stay.

Confusingly, the UK Parliament is drafting its own data protection law called the Data Protection Act 2018 (DPA 2018). This law will supplement the GDPR and replace the existing 1998 Data Protection Act. The DPA 2018 is still working its way through Parliament so is not finalised. Much of the commentary on ‘GDPR’ combines it with the DPA 2018, and so mixes actual law with a draft bill.

Who does it apply to?

GDPR applies to all individuals and businesses who have responsibility for handling personal data. GP practices are ‘data controllers’ registered with the Information Commissioner (ICO) and are responsible for deciding how and why data is processed.

In our experience, practices have long been familiar with the concepts of data confidentiality, but GDPR requires additional levels of process and control, and forces practices to think about all personal data, not just the confidential health data they hold.

The key to understanding compliance with GDPR is not to see it as a tick-box exercise to be completed by 25th May, but rather as developing and embedding a permanent change of culture, whereby protection of personal data is central to every decision made within the practice. When all staff are able to recognise personal data and make informed decisions about protecting and processing it, and know what to do in the event of a breach, you will be well on the way to compliance.

What can GP practices do to prepare for GDPR?

  • If you haven’t found it already there is a very helpful 12 Steps to Take Now and Data Controller Self Assessment Toolkit on the ICO Website. Given that the ICO is the data regulator, they are the best place to start with your preparation.
  • It is critical that practices can demonstrate that they have sought to comply. The ICO has been clear that they are looking to see reasonable efforts being made. To do this you will need to have identified, documented and explained the legal basis for all the data flows to and from the practice. This is likely to be a time consuming undertaking and will be difficult to do unless you have a member of staff who is familiar with documenting processes and data flows. Remember that this documentation will have to be kept up-to date, so be careful not to outsource all your understanding of this information audit.
  • Data Protection policies and procedures must also be updated. Many practices have historically relied on ‘template’ policies, but these are unlikely to be adequate, as procedures will have to relate to the data flows identified in the information audit.
  • Privacy Notices are another important part of GDPR. These must be displayed prominently, which as a minimum is likely to be on the practice website and the noticeboard. Practices should think hard about opportunities to draw patient attention to these Privacy Notices, since one of the key principles underlying GDPR is transparency about how you deal with data. New information which must be added to privacy notices includes how you intend to use data, and the ‘lawful basis’ for what you are doing.
  • Be aware that much health data falls under one of the GDPR special categories. In addition to the ‘lawful basis’ that all data controllers must identify, practices need to satisfy a second separate condition that the processing is necessary for the purposes of healthcare.
  • Staff training is also an important part of compliance. Practices will need to be able to demonstrate that they have trained all their staff, including Partners, in GDPR and have an ongoing program to ensure that they are kept up to date as the law changes.
  • One significant change is that practices can no longer charge patients for access to their medical records except in exceptional circumstances. This may unfortunately increase the administrative workload as patients and others get used to making ‘subject access requests’. The time limit for dealing with these has been reduced from 40 days to one month.
  • An interesting example of the current uncertainty is the role of the Data Protection Officer (DPO). Under GDPR, it is not at all clear that practices are required to appoint a DPO. However, the DPA 2018 if enacted in its current draft form would certainly require practices to appoint a DPO.

So what happens if there is a breach and what are the risks of non-compliance?

In the event of a data breach affecting patient’s privacy rights, you must notify the Information Commissioner’s Office (ICO) no later than 72 hours after you become aware of the breach. If the breach is likely to present a high risk to their data, the patient must also be informed. You should have a clearly documented process for managing a data breach. This is another example of how proper documenting of processes and staff training is going to be vital.


It is important that practices take ownership of GDPR themselves. Compliance is not really something that can be outsourced, although there are plenty of commentators looking to profit from it. The ICO have made clear that the world will not end on the 25 May 2018 as they realise this is a journey for all businesses and they want to be supportive rather than punitive, but they will want to see evidence that practices are taking data security seriously throughout the organisation.

If you are concerned about your GDPR readiness, then please give us a call and we would be happy to talk through your plans. In our experience, most local medical committees are also aware of what needs to be done and are able to assist members and share good practices on GDPR.

If you would like to discuss GDPR or any other legal matter, please contact Nils Christiansen on 01483 511555, n.christiansen@drsolicitors.com

Our Team


Should a GP practice accept gifts and legacies?

Every now and then, a practice might be fortunate enough to be remembered in a patient’s Will or to receive gifts from grateful patients. Research has shown that the proffering of small gifts is relatively common place. Whilst it is obviously nice to be recognised for one’s good work, it does give rise to a number of professional and legal issues.

Professional issues

Good Medical Practice Guidance states that “You must not encourage patients to give, lend or bequeath money or gifts that will directly or indirectly benefit you.” However you “may accept unsolicited gifts from patients or their relatives” provided that it doesn’t affect the treatment you provide.

Whilst this appears to permit the receipt of unsolicited gifts and legacies, there is a big caveat. In each case, you must “also consider the potential damage this could cause to your patients’ trust in you and the public’s trust in the profession. You should refuse gifts or bequests where they could be perceived as an abuse of trust.” This is clearly a judgmental matter which will be easier to balance for a box of chocolates than for a £100k legacy.

Legal issues

The PMS and GMS Regulations are clear that practices must keep a register of gifts from patients or their relatives that have a value of £100 or more. You should record the name, the NHS number or address of the donor, the nature of the gift, its estimated value and the name of the recipient.

The next question which arises is how should the gift or legacy be shared?

To determine the answer to this question, you need to look at both the gift or legacy itself and the partnership deed.

For example, a legacy may be left ‘to the partners at the XXX Surgery’. So has the gift been left to the GP partners individually in equal shares, or left to the partnership to be divided between the partners in their respective profit sharing ratios? Was it intended for the partners in the practice at the time the Will was written, at the time of death or when the legacy is actually received? Alternatively, is it actually intended for the benefit of the patients and therefore shouldn’t be taken as income at all, but rather invested in healthcare within the practice area? Sometimes the intended purpose is clear because the donor has perhaps left a letter of wishes stating how they want the money to be spent or shared. Unfortunately, this is frequently not the case and a large legacy can often be a source of dispute between the partners.


Practices need to be careful about what gifts and legacies they accept and how these are recorded. The larger the gift, the more care needs to be taken.

Remember that this is, at heart, an ethical issue and whatever decision you make, would you be comfortable in justifying it in front of the GMC, or perhaps even a journalist?

For larger gifts and legacies, in addition to recording them in the gift register, we would recommend that you prepare a paper trail setting out your thinking behind the decision you took and any professional advice that you sought.

You would also be well advised to check what your partnership deed has to say about sharing of gifts and legacies to minimise the risk of future partnership disputes.

If you have any queries relating to legacies and gifts, or any other matter, then please contact Daphne Robertson on 01483 511555 or email d.robertson@drsolicitors.com