With Editor’s Notes – updated September 2025
This guidance note aims to provide SEMPRIS members with an overview of their obligations and of good practice. It will also assist with some questions that SEMPRIS medico-legal advisers are frequently asked. We hope it is helpful, but more specific advice is always available to SEMPRIS members via the 24/7 SEMPRIS medico-legal helpline service. The NHS Records code of practice was updated 19 October 2023, but this guidance note does not touch on that, as it is not directly relevant to your obligations in private practice.
Does the GDPR ‘right to be forgotten’ require me to destroy medical records?
The EU General Data Protection Regulation (“GDPR”) applied directly in the UK from May 2018 and is supplemented by the Data Protection Act 2018 (“DPA 2018”). After Brexit it was retained in domestic law as the “UK GDPR”, so it continues to apply alongside the DPA 2018.
UK data protection law remains rooted in the UK GDPR and the DPA 2018, but the legislative framework is changing. The Data (Use and Access) Act 2025 (DUAA) has received Royal Assent, and the ICO is publishing related guidance and implementation timetables as its provisions are brought into force. This does not change the core principle that clinical records will usually fall within an exception to the right of erasure, but organisations should monitor ICO updates and revise their local procedures accordingly.
One GDPR protection is the Article 17 right for individuals to have their personal data erased, also known as the ‘right to be forgotten’. It is exercised regularly, and the Information Commissioner’s Office has some general guidance on how to respond to data erasure requests. However, it is not an unrestricted right, and there are limits on what data an individual can get erased.
The ICO’s “Right to Erasure” guidance remains authoritative: erasure is not an absolute right and only applies in specific circumstances. For healthcare providers the key tests are (a) whether the data is needed for the provision of healthcare or to comply with a legal obligation, and (b) whether another lawful basis exists for retention. Make sure your erasure-response process records the exception relied on for any refusal (for example, compliance with a legal obligation, or processing for medical diagnosis and the provision of healthcare) together with the legal or regulatory reason for retaining the record, and that the patient receives a written response within one month of the request (Article 12(3) UK GDPR), explaining the refusal and their right to complain to the ICO.
Doctors, surgeons and clinics in private practice often receive requests from patients to erase their data. If the patient is only asking to be removed from a marketing database, this is unproblematic. But difficulties arise where the data forms part of the patient’s medical records. Several SEMPRIS members have received such requests, with some patients actually citing GDPR. Patients have expressly asked doctors, surgeons and clinics to permanently destroy medical records, including (in some cases specifically) clinical photographs. The patient’s reasons are not always clear. Sometimes they genuinely feel vulnerable because their highly personal clinical photos are held for long periods, even though the doctor, surgeon or clinic is highly regulated and will keep the images safe. In other instances, it seemed that the patient was making a cynical attempt to get rid of evidence in preparation to make a complaint or claim.
So are doctors, surgeons and clinics obliged to destroy medical records in response to a GDPR ‘right to be forgotten’ request?
Fortunately, they are not. Article 17(3) UK GDPR disapplies the right where the processing is necessary to comply with a legal obligation (Article 17(3)(b)); for reasons of public interest in the area of public health, which covers data held under a duty of professional confidentiality for medical diagnosis or the provision of healthcare (Article 17(3)(c), read with Article 9(2)(h)); or for the establishment, exercise or defence of legal claims (Article 17(3)(e)). Records that may be needed to defend a potential claim should therefore be preserved, and even where the course of treatment has completely finished, medical records including correspondence and clinical photographs must not be destroyed in response to an erasure request. In private practice, doctors, surgeons and clinics must keep patient records and clinical photographs complete, safe and secure for the periods required by The Private and Voluntary Health Care (England) Regulations 2001 (Schedule 3), which is usually eight years but can be longer for some classes of patient. SEMPRIS insureds have access to a detailed guidance note on records retention periods.
So as a doctor, surgeon or clinic manager in private practice, what should you do if a patient asks for their data or any part of their medical records and clinical photos to be erased?
SEMPRIS insureds have access to medico-legal guidance from dual-qualified doctors and lawyers. You should seek medico-legal guidance right away whenever you receive a ‘right to be forgotten’ request. The medico-legal team can help you assess whether there is any data that can and should be erased in response to the request, and accurately identify any data which forms part of the medical record and cannot be destroyed.
The medico-legal team can also help assess the likely reasons behind the request. Where the patient appears to be acting out of a sense of vulnerability, they can help you craft a reassuring and sensitive response that preserves the relationship and heads off an unnecessary complaint. Where the request suggests that the patient intends to make a complaint or claim, they can make sure that insurers are notified and that the other steps needed to protect the position of the doctor, surgeon or clinic are taken.
Just as importantly, the medico-legal team can help you review any permissions you previously obtained to use the records for other purposes, such as training or even marketing, and assess whether the patient has now withdrawn those permissions. A withdrawal of consent for those secondary purposes must be honoured, so you should stop using the records for them even though the underlying medical record itself is retained.
But what about situations where you (or an employee or medical secretary acting on your behalf) have already erased patient records in response to a ‘right to be forgotten’ request, without realising that the right does not apply to medical records?
In these situations you need to contact the SEMPRIS medico-legal team urgently. There can be regulatory implications for destroying medical records that should have been retained, even where this was done under a genuine misunderstanding of the law, so the medico-legal team needs to get involved right away to help you manage and mitigate the situation. The loss or destruction of records may also amount to a personal data breach that has to be assessed for notification to the ICO within 72 hours, and the team can help with that assessment. SEMPRIS insureds have cover for lost and destroyed records, so depending on the exact circumstances there may be insurance funding to help restore any records that can still be retrieved. The medico-legal team can make the notifications needed to protect your position in case the incident leads to a regulatory investigation and you need insurance funding for your defence, and where necessary can obtain early advice from specialist healthcare regulatory lawyers so that any remediation work needed to protect you from regulatory sanctions is done promptly.
While patients might perceive the GDPR ‘right to be forgotten’ as very simple, this is in fact a complex area of law and regulation, with potentially serious implications for you if you take the wrong steps in response to an erasure request. If you are a doctor, surgeon or clinic in private practice and a patient asks you to erase the data you hold on them, or if you or an employee has inadvertently erased medical records that should have been retained, get proper medico-legal guidance immediately. SEMPRIS insureds have cover for lost or destroyed records, cover for defence in regulatory investigations and claims, and a medico-legal team who will help you manage and mitigate these situations to get the best available outcome.
Please Note: This article does not constitute legal advice. If you require any clarification, please contact our medico-legal helpline in the usual way.