2 Days Left: GPs, Dentists and Care Homes — Your Formal Data Complaints Procedure Is Mandatory from Thursday
In this article
- What Is DUAA Section 164A?
- Why Healthcare Faces the Highest Risk
- What "Formal Written Procedure" Actually Means
- The Specific Risks for GP Surgeries
- Dental Practices, Pharmacies and Opticians
- What Care Homes Must Do
- Your 6-Step DUAA Compliance Action Plan — Do This Before Thursday
- What Happens After 19 June If You're Not Compliant
- The Bigger Picture: DSPT Deadline Is Also June 30
- Frequently Asked Questions
- Don't Wait — Thursday 19 June Is Two Days Away
On Thursday 19 June 2026, Section 164A of the Data Use and Access Act 2025 comes into force. From that date, every organisation that processes personal data — including every NHS-connected GP surgery, dental practice, pharmacy, optician and care home in the UK — must have a formal written procedure for handling data protection complaints. The ICO begins enforcement from Friday 20 June.
If you don't have one in place by Thursday morning, you're exposed. Healthcare is the ICO's highest-enforcement sector, and patient data is special category data — the highest tier of risk under UK GDPR.
This is not a box-ticking exercise. This is a compliance deadline with real financial consequences. Here's what you need to know and what you need to do before Thursday.
What Is DUAA Section 164A?
The Data Use and Access Act 2025 (DUAA) received Royal Assent earlier this year. Section 164A introduces a mandatory requirement for all data controllers to operate a formal complaints procedure for data protection complaints from individuals.
This is distinct from your existing GDPR obligations around subject access requests. Section 164A specifically requires:
- A written procedure that is accessible to patients and staff
- Acknowledgement of a complaint within 30 days
- A designated named individual or role responsible for handling data complaints
- A documented internal review process before referring the complainant to the ICO
- Records of all complaints received and how they were resolved
There are no exemptions for small practices. A single-GP surgery with 3,000 patients is subject to exactly the same requirements as an NHS Trust.
Why Healthcare Faces the Highest Risk
The ICO has been increasingly aggressive in healthcare enforcement. In 2025, healthcare sector fines ran 7x higher than 2024. The average penalty in healthcare reached £2.8 million — up from £150,000 the year before. The maximum fine under PECR is £17.5 million.
The reason is patient data. Health information is classified as "special category data" under Article 9 of UK GDPR. Mishandling it — including failing to properly respond to complaints about how it is handled — attracts the highest tier of ICO enforcement action.
Healthcare organisations that process patient data also fall under multiple overlapping frameworks: NHS Data Security and Protection Toolkit (DSPT), Clinical Assurance Framework, UK GDPR, and now DUAA. Non-compliance in one area tends to surface non-compliance in others during an ICO audit.
The ICO has also made clear that DUAA enforcement will be proactive, not just reactive. Inspectors can audit your data complaints procedure without waiting for a formal complaint to be made against you.
What "Formal Written Procedure" Actually Means
This is where many healthcare practices will fall short. A complaints procedure buried in your privacy policy is not enough. DUAA requires a procedure that is:
- Standalone and accessible — not embedded in a 12-page privacy notice
- Named-individual assigned — someone with authority to investigate and respond
- Time-bound — acknowledgement within 30 days, resolution within a reasonable further period
- Documented — you must be able to show the ICO a log of complaints and outcomes
- Referral-ready — clearly telling complainants their right to escalate to the ICO
Your DPO (if you have one) or practice manager typically takes ownership of this. If you have a Data Protection Officer under UK GDPR (which most care homes and any NHS-linked practice should), their contact details must appear in the procedure.
The Specific Risks for GP Surgeries
GP practices handle some of the most sensitive personal data in the UK — medication history, mental health records, reproductive health, HIV status. The risk of a data complaint is higher than almost any other sector, because patients are often acutely aware of how sensitive their records are.
Common triggers for data complaints in GP surgeries include:
- Subject access requests handled late or incompletely
- Records shared with third parties (including insurance companies) without explicit consent
- Staff accessing records without clinical need
- Data breaches involving patient correspondence
- Systems left open on unattended screens in public-facing areas
Under DUAA, a patient who believes their data has been mishandled can now trigger your formal complaints procedure before going to the ICO. If you don't have a procedure, the ICO treats that as a standalone compliance failure — independent of whether the underlying complaint has merit.
Dental Practices, Pharmacies and Opticians
Dental practices, pharmacies and opticians are often overlooked in GDPR guidance aimed at NHS primary care. But they are full data controllers in their own right. A dental practice holds X-rays, medical histories and financial records. A pharmacy holds medication dispensing records and GP correspondence. An optician holds clinical notes alongside identity documents.
The same DUAA requirements apply. If a patient complains that their prescription history was accessed by someone without authorisation, and you have no formal procedure for handling that complaint, the ICO can issue a fine for the procedural failure alone.
What Care Homes Must Do
Care homes face a compounded risk: they hold data under CQC registration obligations, DSPT (if NHS-connected), and UK GDPR simultaneously. The CQC already scrutinises data handling during inspections. From 20 June, the ICO adds DUAA to the compliance picture.
Many care homes — particularly smaller, family-run ones — have no designated DPO and no formal data procedure beyond a basic privacy policy. That is no longer sufficient. The DUAA requirement to acknowledge a complaint within 30 days means you need a named person and a documented process in place before a complaint arrives, not after.
Your 6-Step DUAA Compliance Action Plan — Do This Before Thursday
If you are reading this on Wednesday 17 or 18 June, you still have time to put a compliant procedure in place. Here is what to do:
- Draft your Data Complaints Procedure — one to two pages, covering: who handles it, how to submit a complaint, the 30-day acknowledgement commitment, the investigation process, and the ICO escalation route.
- Assign a named owner — DPO, practice manager, or senior administrator. Name and role, not just a generic email address.
- Create a complaints log template — date received, nature of complaint, status, outcome, date resolved.
- Publish it accessibly — reception desk, patient portal, your website. Not buried in your privacy policy.
- Brief your team — every member of staff who interacts with patients should know who handles data complaints and what the first step is.
- Save evidence of compliance — dated document, version history, publication record. You need to be able to show the ICO you had this in place before 19 June, not after.
ComplianceAlert's Action Centre has the DUAA Compliance Procedure template pre-built for healthcare. Activate it, complete the checklist, and save your evidence to the Evidence Vault — all timestamped and audit-ready. If the ICO asks, you can show exactly when and how you became compliant.
What Happens After 19 June If You're Not Compliant
The ICO has confirmed that from 20 June, failure to operate a formal data complaints procedure is an enforceable breach. In healthcare, enforcement can include:
- Formal reprimand (published on the ICO register — visible to patients and CQC inspectors)
- Enforcement notice requiring immediate compliance
- Financial penalty — up to £17.5 million, though typically scaled to organisation size
- Audit trigger — non-compliance in one area often triggers a broader ICO audit
For a GP surgery or dental practice, a public reprimand on the ICO register is a reputational risk with CQC, NHS commissioners, and patients. For a care home, it could affect CQC registration.
The Bigger Picture: DSPT Deadline Is Also June 30
Healthcare providers also have a second data compliance deadline on 30 June 2026: the NHS Data Security and Protection Toolkit (DSPT) submission deadline. Miss it and you lose access to NHS Mail, e-Referral and Summary Care Record. That means GP practices cannot process referrals digitally, pharmacies cannot dispense NHS prescriptions through the system, and care homes lose NHS-connected communications.
ComplianceAlert monitors both deadlines. Set up your DSPT checklist in the Action Centre now alongside your DUAA procedure and you can evidence progress on both frameworks simultaneously.
Frequently Asked Questions
Does DUAA Section 164A apply to small practices with fewer than 10 staff?
Yes. There is no SME exemption. Any organisation that processes personal data — including the smallest single-GP practice — must comply with DUAA Section 164A from 19 June 2026.
Is our current GDPR privacy notice enough?
No. A privacy notice tells individuals how you use their data. DUAA Section 164A requires a standalone procedure that tells them how to complain about your use of their data. These are different documents.
Do we need a DPO to comply with DUAA?
DUAA does not require a DPO specifically — but UK GDPR likely already requires healthcare practices to have one (you process special category data at scale). If you do not have a DPO, your practice manager or a senior administrator can own the data complaints procedure.
What if we receive a complaint before we have the procedure in place?
Handle it as best you can and document everything. But the procedural failure itself becomes a separate ICO issue. Get the procedure in place immediately — before Thursday if at all possible.
How does ComplianceAlert help with DUAA compliance?
ComplianceAlert's Action Centre includes a DUAA Compliance Procedure template for healthcare. You complete a guided checklist, save your procedure to the Evidence Vault, and download a timestamped Inspection Pack that documents your compliance date. If the ICO audits you, you have evidence ready.
Don't Wait — Thursday 19 June Is Two Days Away
Healthcare is the ICO's highest-enforcement sector. Patient data is the highest-risk category. DUAA enforcement begins on 20 June. If you are a GP practice manager, dental practice owner, pharmacy superintendent, optician, or care home manager reading this, you have one clear task before Thursday: get your formal data complaints procedure in place and documented.
ComplianceAlert makes this straightforward. The DUAA action template is pre-built. The checklist guides you through each step. The Evidence Vault stores your completed procedure with a timestamp. Start now — it takes less than 30 minutes to get compliant.
Start free at compliancealert.co.uk/healthcare — no card required, free forever plan.
For authoritative guidance, see the ICO's official DUAA guidance and GOV.UK Data Use and Access Act 2025.
Need a data protection consultant to review your procedure before Thursday? Find a verified specialist at compliancemarket.co.uk/cqc-consultants.