Data Protection (UK GDPR) in Healthcare

SJT Textbook: Data Protection (UK GDPR) in Healthcare

Data Protection Healthcare MSRA

This guide simplifies the data protection scenarios you will meet in the MSRA SJT. The SJT tests your ability to apply the UK GDPR and the Data Protection Act 2018 not as a lawyer, but as a clinician managing sensitive patient data safely.

DIFFICULTY: ★★★☆☆ Moderate
FREQUENCY: High
PRIORITY: Must-Know

📍 EXAM MINDSET
Pick a lawful basis (Art 6) + special category condition (Art 9), minimise disclosure, use secure systems, and keep a clear audit trail.

🎯 THE CORE PRINCIPLE

Data protection in healthcare is governed by UK GDPR and the Data Protection Act 2018. Health information is special category data, meaning you need both an Article 6 lawful basis and an Article 9 condition before processing. For direct care, the common pairing is Article 6(1)(e) public task (or sometimes 6(1)(c) legal obligation) with Article 9(2)(h) health or social care purposes, supported by Schedule 1.

The MSRA SJT expects you to recognise when information can be shared for direct care, when it requires additional safeguards (e.g. planning, research, audit, teaching), and when the national data opt-out applies. High-scoring answers prioritise minimum necessary disclosure, secure systems, and proper governance such as DPIAs, retention schedules, and the 72-hour breach notification rule.

Your job in the exam: state the basis, limit access, secure it, and document.

⚡ HIGH-YIELD ACTIONS (What Scores Points)

1. Identify the Article 6 lawful basis before processing.
2. Add the correct Article 9 condition for special category health data.
3. Share the minimum necessary information on a need-to-know basis.
4. Use only approved secure systems (NHSmail, the EPR, approved secure transfer tools).
5. Apply the national data opt-out for uses beyond direct care.
6. Complete a DPIA for high-risk or novel processing.
7. Record the purpose, lawful bases, sharing decisions, and retention period.
8. Follow the NHS Records Management Code for retention/disposal.
9. Act promptly on breaches: contain, assess, notify if required.
10. Escalate concerns to Information Governance when unsure.

🚨 RED FLAGS (Act Immediately)
• Sending identifiable data to personal email, WhatsApp, or unapproved apps.
• Oversharing entire records when a summary would suffice.
• Processing identifiable data for research without approvals or opt-out checks.
• Ignoring signs of a data breach or delaying risk assessment.
• Missing the 72-hour ICO notification window.
• Sharing before confirming the lawful basis and Article 9 condition.
• Storing data outside organisational systems (e.g. personal devices).

TRAP ANSWERS (Decoy Detectors)

Trap answer: “We have consent, so share everything.”
Why it tanks your score: Consent is not the usual lawful basis for direct care, and treating it as a licence to share risks oversharing.

Trap answer: “Send it via WhatsApp; it’s encrypted.”
Why it tanks your score: Not an approved system; it fails governance, retention, and auditability requirements.

Trap answer: “Share now, complete the paperwork later.”
Why it tanks your score: Processing without an established lawful basis is unsafe and non-compliant.

Trap answer: “Refuse all non-clinical requests automatically.”
Why it tanks your score: Disproportionate; research and planning requests have proper processes that must still be followed.

Trap themes: assuming consent is required, using insecure channels, skipping governance, or applying blanket refusals.

💬 MODEL PHRASES (Use These in SJT Logic)

* “For direct care we will use Article 6(1)(e) plus Article 9(2)(h), and share only the minimum necessary via approved secure systems.”

* “Because this is for planning or research, we need to confirm the lawful bases, apply the national data opt-out where relevant, and de-identify as far as possible.”
* “This appears to be high-risk processing, so we should complete a DPIA and document our controls.”
* “Let’s check approvals, minimise identifiable data, and ensure sharing happens through the correct organisational routes.”
* “We must document the decision, legal bases, and retention schedule before sharing.”

🧠 MEMORY AID
BASICS

Basis (Art 6) • Article-9 condition • Secure systems • Inform (transparency/opt-out) • Cut-down (minimum necessary) • Store (retention)

🏃 EXAM SPEEDRUN
1. Identify the purpose of processing.
2. Select the Article 6 lawful basis.
3. Add the Article 9 condition for health data.
4. Minimise to the lowest necessary amount.
5. Use secure, approved systems only.
6. Apply the national data opt-out if the purpose is beyond direct care.
7. Document purpose, sharing, and retention.

📋 QUICK FAQ

Do I need consent for direct care?
Not as the UK GDPR lawful basis. Use Article 6(1)(e) plus Article 9(2)(h), and still apply minimum necessary and secure systems. The common law duty of confidentiality is separate and still applies; for direct care it is normally met by the patient’s implied consent.

When does the national data opt-out apply?
When using confidential patient information for research or planning beyond individual care.

What is the usual basis for direct care?
Article 6(1)(e) public task (sometimes 6(1)(c) for specific programmes) plus Article 9(2)(h) health or social care.

How fast must I report a breach?
Report internally to Information Governance straight away. If the breach is notifiable (it is likely to result in a risk to individuals’ rights and freedoms), the organisation must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected individuals must also be told without undue delay if the risk to them is high.

When is a DPIA needed?
For high-risk or new processing, large-scale data use, or novel technology.

How long do we keep records?
Follow the NHS Records Management Code of Practice.

📚 GMC ANCHOR POINTS

• Protect patient information and use secure systems (GMC Good Medical Practice 2024).
• Share information appropriately with the right lawful basis and minimum necessary (GMC Confidentiality).
• Maintain clear, accurate, and contemporaneous records.
• Act promptly if safety, confidentiality, or governance concerns arise.
• Escalate risks and follow organisational policies on IG and data breaches.

💡 MINI PRACTICE SCENARIO

A non-clinical manager asks you to send a spreadsheet of inpatients with names, NHS numbers, diagnoses, and phone numbers to their personal Gmail to complete a dashboard, and mentions later using it for a research poster.

Best action: Confirm the purpose(s), identify Article 6 + Article 9, apply the national data opt-out if relevant, de-identify/minimise, and use only approved secure systems.
Why: Personal email is not an approved system and sending identifiable data to it would be an insecure, unlawful disclosure; you must verify the purpose, legal bases, and governance requirements, and minimise the data before anything is shared.

🎯 KEY TAKEAWAYS

✓ Always pair Article 6 + Article 9 before processing health data.
✓ Share only the minimum necessary via secure approved systems.
✓ Apply the national data opt-out beyond direct care.
✓ Use DPIAs, retention schedules, and IG policies for governance.
✓ Document all decisions, purposes, and sharing routes.

🔗 RELATED TOPICS

* → Confidentiality & Information Governance
* → Sharing Information with Consent
* → Social Media & Digital Professionalism
* → Duty of Candour and Honesty
* → Patient Confidentiality Principles

📖 FULL PRACTICE QUESTIONS

Example SJT — Best of 3 (8 options; choose three)

A researcher not involved in direct care asks for a spreadsheet of identifiable ward data for a service evaluation poster due tomorrow.

Options:
A. Send the full file immediately because it is for improvement.
B. Ask for the purpose and legal bases.
C. Confirm whether it is direct care or another purpose.
D. Apply the national data opt-out if relevant.
E. Share only minimum necessary, de-identified where possible.
F. Use approved secure systems only.
G. Refuse all research-related requests automatically.
H. Share the full dataset then complete paperwork later.

Correct three: B, D, F
• B: Establishes lawful basis and Article 9 condition first.
• D: Required for uses beyond individual care.
• F: Ensures secure, lawful handling.

Why others are weaker/wrong:
• A/H overshare without lawful basis.
• C incomplete without safeguards.
• E helpful but secondary to establishing purpose/basis.
• G disproportionate blanket refusal.


Example SJT — Rank 5 (best → worst)

The on-call team wants to email a night-handover list (names, DOBs, diagnoses). Someone suggests sending via personal Gmail. A Subject Access Request also arrives.

Options:
A. Use the approved NHS system to share the minimum necessary; check lawful basis; ensure retention compliance.
B. Send via personal Gmail once, then delete.
C. Decline the SAR because staff are busy.
D. Acknowledge the SAR, plan to respond within one month, verify identity, and respond securely.
E. Put the full record in a ward WhatsApp group to handle the SAR quickly.

Ideal order: A (1) > D (2) > B (3) > C (4) > E (5)
• A: Secure, lawful, minimum, governed.
• D: Fulfils SAR duty and timelines.
• B: Unsafe but less harmful than C/E.
• C: Wrongly denies legal rights.
• E: Highly unsafe; serious breach.

📦 QUICK-REFERENCE CARD (Screenshot/Print)

DATA PROTECTION (UK GDPR)
• Identify Article 6 basis
• Add Article 9 condition
• Share minimum necessary
• Use approved secure systems
• Record purpose and retention

RED FLAGS
• Personal email use
• Oversharing full records
• Research without approvals
• No 72h breach plan

MEMORY AID
BASICS: Basis (Art 6) • Article-9 condition • Secure systems • Inform (transparency/opt-out) • Cut-down (minimum necessary) • Store (retention)