Healthcare Businesses Have 74 Days to Comply with New Data Law — Here's What the ICO Will Check
Healthcare businesses now face the highest data protection risk of any UK sector. The Data Use and Access Act (DUAA) strengthens the ICO's enforcement powers from June 19, 2026 — and your care home, GP practice, dental surgery, or domiciliary care company holds the most sensitive data in the country.
Special category health data carries the maximum fine exposure under UK law: up to £17.5 million or 4% of global annual turnover, whichever is higher. Add the ICO's new power to compel witnesses and demand technical reports, and a data breach that your business could once manage quietly becomes a full investigation.
Here's exactly what the ICO checks, which healthcare businesses are highest risk, and the six things you need to review before June 19.
What Changed — And When
The Data Use and Access Act received Royal Assent in February 2026. It doesn't replace UK GDPR — it builds on top of it. The headline changes that matter for healthcare:
- June 19, 2026: Formal data complaints procedure becomes mandatory. Every data controller must have a documented process for handling data subject complaints. If a patient, resident, or employee submits a complaint to you and you can't demonstrate a proper process, the ICO can use that as an entry point for a broader investigation.
- Strengthened investigation powers: ICO inspectors can now compel witnesses to give evidence and demand technical reports — not just request them. This matters when a breach involves your IT systems or third-party software providers.
- Higher evidential bar: The ICO can now require you to demonstrate active compliance, not just claim it. "We intend to update our policies" no longer satisfies an investigation.
These changes layer on top of the existing UK GDPR obligations that healthcare has always carried — they don't replace them. If you were already under-compliant on the basics, the DUAA makes the consequences of getting caught significantly worse.
Why Healthcare Is the Highest-Risk Sector
Article 9 of UK GDPR designates health data as "special category" — the most protected class of personal data. Processing it carries stricter requirements than processing ordinary personal data. Breaches involving health data are also typically reported in ICO enforcement notices and on the ICO's public register, which means reputational damage goes alongside financial penalties.
Healthcare businesses also sit at the intersection of multiple regulatory bodies:
- ICO — data protection enforcement, now with DUAA powers
- CQC — inspection remit includes information governance
- HSE — staff health data, occupational health records
- Fair Work Agency — launches tomorrow (April 7); worker records including sick pay and leave are now in scope
A single CQC inspection can surface an ICO referral. A single staff complaint to the FWA about unpaid SSP can expose your HR data practices. The regulators don't coordinate — but the records they examine overlap.
What the ICO Actually Checks
ICO audits of healthcare businesses follow a consistent pattern. These are the areas where most enforcement notices originate:
1. Lawful basis for processing
You need a documented lawful basis for every category of data you process. For health data, the lawful basis under Article 9 is usually "provision of healthcare or treatment" — but it must be explicitly documented. "We assumed it was fine" is not a defence. The ICO expects a data processing register that maps each data category to its lawful basis.
2. Data sharing agreements
Do you share patient or resident data with NHS commissioners, local authorities, social services, or any software provider? Every third-party data transfer requires a written data sharing agreement or data processing agreement. In ICO audit findings, missing or outdated data sharing agreements are the most common single failure in healthcare.
3. Data retention schedules
Healthcare records must be kept for defined minimum periods — and then securely deleted. GP records: 10 years minimum. Dental records: 11 years. Care home resident records: 8 years after discharge. Staff health records: 40 years for hazardous substance exposure. If you don't have a written retention schedule, you are almost certainly keeping data longer than required — which is a breach in itself.
4. Data breach procedures
You have 72 hours from becoming aware of a breach to report it to the ICO (if it's likely to result in a risk to individuals). The 72-hour clock starts when any staff member becomes aware — not when it reaches management. Most healthcare breaches are reported late because staff didn't know what counted as a breach. Misdirected patient correspondence, shared login credentials, and accessing records without a care need are all reportable breaches — and all common in care settings.
5. Data subject rights procedures
Under DUAA from June 19, you need a documented complaint-handling process. But even before then, you need procedures for Subject Access Requests (30-day deadline), Right to Erasure requests, and Right to Rectification. ICO fines have been issued to healthcare providers specifically for missing SAR deadlines — these requests are common from patients and care home residents.
6. Staff training
The ICO expects annual data protection training for all staff who handle personal data. In healthcare, that's virtually everyone. CQC also asks about training records during inspections. If you can't produce training logs, you've failed two regulators with one gap.
The Six Things to Check Before June 19
You have 74 days. This is a realistic action list, not a legal treatise:
- Audit your data processing register. Does it exist? Does it list every data category, lawful basis, retention period, and third-party recipient? If you haven't updated it since GDPR came in, it's almost certainly wrong.
- Check every third-party data agreement. List every supplier, NHS body, software provider, and referral partner you share data with. For each one, confirm you have a signed DPA or DSA in place. Missing ones need to be created before June 19.
- Write a data complaints procedure. This is the specific DUAA requirement active from June 19. It needs to explain: who handles complaints, how they're logged, what the timescales are, and how responses are documented. One page is enough.
- Test your breach notification process. When did you last walk through what happens if a breach is discovered? Who do staff call? Where is the ICO notification form? The 72-hour deadline waits for no one — most healthcare providers find out how unprepared they are in the middle of a real breach.
- Check your SAR backlog. Have any Subject Access Requests been received in the last 30 days that haven't been fully responded to? Late responses are the fastest route to an ICO complaint under DUAA's new complaints mechanism.
- Update staff training records. If annual data protection training hasn't happened in the last 12 months, schedule it now. Both ICO and CQC can ask for these records with no advance notice.
What the ICO Has Already Done in Healthcare in 2025–26
The ICO doesn't only act on catastrophic breaches. Recent enforcement notices in healthcare include:
- A care home group fined for sharing resident records with a third-party marketing company without consent
- A dental chain reprimanded for responding to Subject Access Requests outside the 30-day window
- An NHS commissioning body issued an enforcement notice for missing data sharing agreements with GP practices
None of these involved a data breach where records were stolen or published. All of them were procedural failures — the kind DUAA's new powers are specifically designed to catch.
Frequently Asked Questions
Does DUAA replace UK GDPR?
No. DUAA builds on UK GDPR — it doesn't replace it. Your existing GDPR obligations remain. DUAA adds new ICO powers and creates specific new requirements, including the mandatory complaints procedure from June 19.
Are small care homes affected, or just large NHS providers?
All data controllers are affected, regardless of size. However, the ICO typically prioritises investigations where a data subject complaint has been filed — which is exactly the process DUAA makes easier from June 19 onwards.
What's the maximum fine for a healthcare data breach?
£17.5 million or 4% of global annual turnover, whichever is higher. For most independent care homes, dental practices, and GP partnerships, a fine of even £100,000–£500,000 would be business-ending. The ICO graduated its fines by sector — healthcare receives no leniency for scale.
Do I need a Data Protection Officer?
If you process special category health data at scale (most care homes, GP practices, and dental groups do), you are legally required to appoint a DPO. This can be internal or an external contracted role. The DPO's contact details must be registered with the ICO and included in your privacy notice.
Key Takeaways
- DUAA strengthens ICO powers from June 19 — healthcare faces the highest exposure due to special category health data
- Six areas to check: data processing register, third-party agreements, complaints procedure, breach notification, SAR backlog, staff training
- The mandatory complaints procedure (June 19) is the immediate DUAA deadline — document your process now
- CQC, FWA, HSE, and ICO all have overlapping remit in healthcare — a gap visible to one regulator is often visible to all four
- 72-day window is enough time to fix procedural gaps — but not enough time to start from scratch
Not sure where your healthcare business stands on data protection compliance? Take our free 3-minute Compliance Score quiz — instant results, no sign-up required. compliancealert.co.uk/compliance-score
ComplianceAlert monitors ICO enforcement updates, DUAA implementation guidance, and CQC inspection criteria in real time. When requirements change, you get a plain-English alert — before the deadline, not after.
Start your free 7-day trial at compliancealert.co.uk/healthcare → No credit card required.