
DUAA June 19: What Chiropractic and Private Healthcare Clinics Must Do in the Next 14 Days

ComplianceAlert Editorial · UK Regulatory Specialists
5 June 2026 · 11 min read

If you run a chiropractic clinic, physiotherapy practice, osteopathy centre, or any other private healthcare business in the UK, you have 14 days to comply with a new legal obligation most of your competitors don't know exists.

On 19 June 2026, the Data (Use and Access) Act 2025 makes a formal data subject complaints procedure mandatory for every data controller in the UK. No exemptions. No grace period. If your clinic processes patient health records — and it does — you are a data controller, and you must have a documented complaints process in place by that date.

For chiropractic and physiotherapy practices, the stakes are higher than most. Patient health data is classified as special category data under Article 9 of UK GDPR. That classification comes with the highest possible fine exposure under UK law: up to £17.5 million or 4% of global annual turnover. This guide explains exactly what you need to do before 19 June — and why private clinic owners are at greater risk than most SMBs.

What Is the DUAA and What Changes on 19 June 2026?

The Data (Use and Access) Act 2025 received Royal Assent in February 2026. It builds on top of UK GDPR rather than replacing it, strengthening the Information Commissioner's Office (ICO) enforcement powers and introducing new mandatory obligations for data controllers.

The change that takes effect on 19 June 2026 is specific and non-negotiable: every organisation that processes personal data must have a formal, documented procedure for handling data subject complaints. This procedure must be accessible to the people whose data you hold — your patients, staff, and any website visitors.

Under the existing UK GDPR framework, having a complaints process was strongly recommended best practice. From 19 June, it becomes a legal requirement. The ICO can use a missing or inadequate complaints procedure as the entry point for a wider investigation into your clinic's entire data governance approach — and under the DUAA's expanded enforcement powers, ICO inspectors can now compel witnesses and demand technical reports, not just request them.

Timing matters for the complaints themselves, too. Under the DUAA's new framework, patients and staff who raise data concerns with you and don't receive a satisfactory response have a faster, clearer path to making a formal complaint to the ICO. If your clinic has no documented process, that path begins immediately and you have no defence.

Why Chiropractic and Private Clinic Owners Are in the ICO's Highest-Risk Category

Most of the DUAA commentary you'll see online focuses on large organisations and technology companies. Private healthcare clinics receive almost no mention — yet they sit in one of the riskiest positions of any UK SMB category.

Here's why:

  • You process special category data on every patient, every day. Under Article 9 of UK GDPR, health data — including clinical notes, treatment records, diagnoses, and referral letters — is classified as special category data. The threshold for enforcement action and fine calculation is significantly higher for this data class than for ordinary personal data.
  • Most private clinics have no dedicated compliance function. A GP surgery within an NHS trust has information governance support. A five-person chiropractic practice does not. The ICO knows this. Owner-operated clinics regularly feature in ICO enforcement notices precisely because compliance falls through the gap between "too small to have an IG lead" and "big enough to know better".
  • You handle data from multiple high-risk touchpoints. Online booking forms, referral letters from GPs and consultants, consent forms, insurance claim records, clinical notes, marketing emails — each of these is a data processing activity that requires a lawful basis, a documented purpose, and a retention schedule. Most clinics have none of these documented.
  • ICO registration does not mean ICO compliance. Many clinic owners have registered with the ICO (as required) and believe that constitutes compliance. It does not. Registration is the starting point. The DUAA's new complaints procedure requirement is one of several active obligations that come after registration.
  • A single patient complaint now triggers formal investigation faster. Under the DUAA's streamlined complaints framework, a patient who feels their data has been mishandled — whether through a misdirected letter, a consent form they didn't understand, or a breach of confidentiality — can trigger a formal ICO investigation with less friction than before June 19.

[Image: ICO data protection compliance checklist for UK private healthcare clinics and chiropractic practices, DUAA obligations June 2026]

What Your Formal Data Complaints Procedure Must Contain

The DUAA does not prescribe a word-for-word template, but ICO guidance (updated following Royal Assent) sets out the minimum content a compliant procedure must include. Your documented process should cover all of the following:

1. Who handles data complaints

The procedure must name a specific role (not just "management") responsible for receiving and responding to data complaints. In a small clinic, this will typically be the practice owner or principal clinician. That person's name or role must appear in the procedure and, where practical, should be communicated to patients.

2. How complaints can be submitted

Patients and staff must be able to submit a data complaint — whether that's by email, letter, or in person. The procedure must specify each channel and confirm that complaints submitted via any of these channels will be treated as formal complaints.

3. Acknowledgement timescale

The ICO expects complaints to be acknowledged within a reasonable timeframe, typically within five working days. Your procedure must state your acknowledgement commitment clearly.

4. Response timescale

A substantive response to a data complaint must be provided within one calendar month. Your procedure must state this deadline and explain what happens if the complaint requires longer to investigate (you must notify the complainant within the month).

5. Escalation route

Your procedure must tell the complainant what to do if they are not satisfied with your response — specifically, that they can escalate to the ICO at ico.org.uk. Omitting this escalation pathway is one of the most common compliance gaps the ICO flags.

6. Record-keeping

Every complaint received must be logged, including the date received, the nature of the complaint, the outcome, and the date of response. This log is what the ICO will ask to see during any investigation or audit. If you cannot produce it, your procedure — however well-written — offers no protection.


Six Actions Chiropractic and Physio Clinics Must Take Before 19 June

This is not an exhaustive data governance overhaul — it is the specific list of actions that address the DUAA's June 19 requirements while closing the highest-risk gaps for private healthcare practices.

  1. Write and publish your formal data complaints procedure. Use the framework above. One page is sufficient — the ICO is not looking for volume, it is looking for completeness. Place the procedure on your website (in your Privacy Notice or as a separate page) and make a printed copy available at reception.
  2. Appoint a named data complaints contact. Even in a one-clinician practice, the procedure must name a person or role. Update your website's Privacy Notice to reflect this, alongside the ICO's contact details for escalation.
  3. Create your complaints log template. A simple spreadsheet with columns for date received, complainant type (patient / staff / other), nature of complaint, date acknowledged, date responded, and outcome is sufficient. This log must be maintained going forward — and stored securely, as it contains personal data.
  4. Check your Privacy Notice is up to date. The DUAA also requires that your Privacy Notice explains how data subjects can exercise their rights. If your Privacy Notice hasn't been reviewed since GDPR in 2018, it is almost certainly out of date. At minimum, it should reference the new complaints procedure and the ICO's updated contact details.
  5. Brief your reception and clinical staff. Every person working in your clinic who interacts with patients is a data touchpoint. They need to know: (a) that patients have a right to raise data complaints, (b) who in the practice handles those complaints, and (c) what they should do if a patient raises a concern with them directly. A 10-minute briefing is enough — but it must happen before 19 June.
  6. Review your data sharing with software providers. Clinical management software, online booking platforms, and cloud storage all involve sharing patient data with third parties. Each requires a Data Processing Agreement (DPA). If you don't have a signed DPA with your software provider, contact them this week. The DUAA's strengthened enforcement powers mean that missing third-party agreements are more likely to surface during investigations.

What Happens If You Miss the Deadline?

Missing the June 19 deadline does not automatically result in a fine. The ICO's enforcement approach is typically triggered by a complaint or a reported breach, not by proactive audits of individual clinics. But the absence of a complaints procedure significantly changes how any subsequent investigation plays out.

Under the DUAA's enhanced framework, if a patient submits a data complaint to the ICO and your clinic cannot demonstrate a formal process for handling it, the ICO treats that as evidence of systemic non-compliance — not just a single procedural gap. That shifts an investigation from "isolated incident" to "culture of non-compliance", which in turn shifts the fine calculation upward.

For health data, the ICO's published approach is to treat special category data breaches as the highest priority. In 2025, the ICO issued enforcement notices against organisations that had no documented complaints process and where patient health data was involved — fines ranged from £60,000 to £400,000 for organisations broadly comparable in size to private healthcare clinics.

The practical risk for a five-to-twenty-person private clinic is real: a single patient complaint, a misdirected letter, or a data access request that isn't handled correctly can escalate quickly under the post-19 June framework.

Frequently Asked Questions

Does the DUAA apply to sole trader chiropractors?

Yes. Any person or organisation that determines the purpose and means of processing personal data is a data controller. A sole trader chiropractor with a single consultation room and a paper-based filing system is a data controller. The June 19 complaints procedure obligation applies.

Do I need to register with the ICO separately for DUAA compliance?

ICO registration (data protection fee) is a separate, pre-existing obligation. DUAA compliance layers on top of it. If you are not already registered with the ICO as a data controller, you must do that first — then ensure your complaints procedure is in place before June 19.

We have a privacy notice on our website — is that enough?

No. A privacy notice explains how you use data. A complaints procedure explains what patients can do if they believe their data has been mishandled. They are distinct documents with distinct purposes, and both are now legally required.

What if we already have a general complaints procedure for clinical complaints?

Your clinical complaints procedure (required by CQC and healthcare regulators) is separate from your data protection complaints procedure. A patient complaining about their treatment is different from a patient complaining about how their records were handled. You need both procedures — one for each.

How does this interact with our CQC registration?

CQC inspections increasingly reference ICO compliance as part of information governance assessments. If you are inspected by CQC after June 19 and cannot produce a DUAA-compliant data complaints procedure, that gap is likely to appear in your inspection report under Key Question 5 (Well-led). The two regulators do not coordinate formally, but the overlap is real.

The Bottom Line

Fourteen days is enough time to do this properly — but only if you start now. The formal data complaints procedure required by DUAA is not a complex document. A compliant version can be written in under an hour. The risk of not having one goes well beyond the £17.5 million maximum fine: in private healthcare, a single ICO enforcement notice is public, permanent, and visible to every patient who searches for your clinic.

If you run a chiropractic, physiotherapy, osteopathy, or private dental practice, the DUAA is the regulation most likely to affect you in the next 30 days. Get the procedure written, brief your staff, and update your Privacy Notice before June 19.

Stay ahead of ICO, CQC, and FWA obligations

ComplianceAlert monitors the regulations that affect private healthcare clinics — DUAA, ICO enforcement, CQC inspection framework changes, Fair Work Agency — and sends you plain-English alerts before deadlines arrive. Free forever plan, no card required.

Start free at compliancealert.co.uk/healthcare →

Need specialist data protection support for your clinic? Find a verified ICO-registered data protection consultant at compliancemarket.co.uk/data-protection-consultants.
