NHS breaks GDPR rules – are you compliant?


I recently received a text message from the NHS, begging me to download and install a mobile app to book and cancel GP appointments and set up medication reminders. The message totally breaks the GDPR rules.

Firstly, I haven’t seen my doctor for at least four years and don’t take regular medication. More importantly, having had no contact with my GP since well before the GDPR rules came into force, they have no right or prior consent to be spamming me with text messages. I haven’t agreed to receive them.

Sending messages without consent is bad enough, although they could technically argue that, as a ‘customer’ registered with Thatcham Medical Practice, they have the right to spam me. However, what they don’t have the right to do is send text messages that don’t contain a simple way to opt out of receiving future spam. There’s no opt out link, no information on how to prevent future text messages, and the message is sent from NHS-NoReply, so there are no contact details and consumers can’t even reply to the spam.

Perhaps as a government department the NHS believes itself to be above GDPR and that it doesn’t apply to them, but it does. They don’t have the right to send messages without opt outs any more than any other organisation or business.

The 7 GDPR rules

As a reminder, there are seven main GDPR requirements and rights that you need to be aware of. The first three clearly apply to retailers and the others are generally aimed at larger businesses.

  1. Active Consent

    You may no longer add people to your mailing list and simply give them the choice to opt out. You also can’t pre-tick a sign up form and rely on customers to untick it, and equally you can’t auto-subscribe customers unless they find a tiny box which they need to tick to opt out.

    From Friday, customers need to make a very clear choice to opt into your marketing and they have the right to withdraw this consent so you need to offer clear unsubscribe options.

    The biggest change for many online retailers is that you can’t simply add every customer to your mailing list – they have to actively choose to join it. Without an active opt in, the customer should only receive emails related to their purchase.

    It goes without saying that if you sell on marketplaces, their terms and conditions generally prohibit you from adding customers to your own mailing lists. Just because they made a purchase from you on a marketplace doesn’t mean that you own the customer data. Not only will you be breaking the marketplace user agreement, but from Friday this will be a clear breach of GDPR.

  2. Use of data

    Users have the right to know how their data was acquired and who it was shared with. If someone asks how they’ve ended up on your mailing list, be prepared to tell them when they signed up or which company gave you their data. You also have to disclose which companies you have (or may have) shared it with.

  3. Right to be forgotten

    Customers have the right to have their data erased, which is slightly problematic for retailers for tax purposes, but not so for marketing lists. You’ll need to discuss with your accountant just what data you need to keep in case you have a tax inspection. Do you really need to save every bit of data you acquire – customer name, email address, phone number, mailing address, banking information etc – in your accounts program, or would the order number/invoice number, products purchased and sale price be sufficient?

    Of course, for marketing it’s nice to be able to see a customer’s prior purchases, but customers can now decide they don’t wish you to be able to do this and request that you erase their data.

  4. Privacy Options set to high

    Online services will have to set your privacy options to the maximum by default in future, and you will then have the choice to relax them if you so desire. For instance, on social network sites, just because you can share your phone number, email address and date of birth with the world doesn’t mean you would want to. There should be an option for you to choose who gets to see your data, and that includes third party apps and services that may have access to your data even if it’s not publicly displayed.

  5. Algorithmic Outcomes

    Companies should offer an explanation of algorithmic outcomes from machine learning and artificial intelligence to enable customers to opt out should they wish to do so. An example of this would be examining a customer’s past purchases in order to provide relevant product suggestions in future marketing. In many cases a customer’s only option to opt out might be to close their account, as AI and machine learning are so deeply embedded into today’s online services. However, you’ll have noticed many online services offering an option to opt out of tailored advertising, which they promote on the grounds of relevancy – if you opt out you’ll still see adverts, but your personal data and preferences won’t have been used to choose them.

  6. Easy data portability

    I have to give Google a shout out here: whenever you choose to leave a Google service, they make it very easy for you to download your data and take it with you. Not all companies are the same, but they’ll need to be in the future.

    This is actually important for consumers and small businesses as well as large corporates. In the very near future, for example, we’ll all be doing our tax and VAT online and will likely use various third party services to do so. Should you decide to switch the service you use for your online accounting, they have to offer you a very easy way to move your data to your chosen new provider.

  7. Data Breaches

    Some companies have in the past sat on news of a data breach for considerable periods of time. Should a company discover that their data has been accessed, in future they have just 72 hours to report it. They can no longer try to fix the problem, cover it up or delay making the breach public knowledge.

11 Responses

  1. B&Q refuse to remove me from their email database unless I scan and send in proof of identity, i.e. passport or driving licence – why the heck would I send that when I just want them to stop sending newsletters? It’s getting on my nerves.

  2. Thank you for posting this. It reminds me I have to write and complain to NHS DATA.

    The NHS are apparently also totally disregarding / breaking GDPR by accessing and using personal data if you have made it clear to your GP’s surgery you do not want it to be used except by them… as confirmed with the ICO’s office – see below.

    FYI, there are apparently now THREE different codes you need to have on your GP medical files to stop this. The problem is the NHS don’t publicise it, and my very IT/Data Protection Act literate GP’s office manager was shocked when she realised they (NHS SPINE) had moved the goal posts again AND NOT TOLD ANYONE.

    Prior to GDPR I attempted to “confirm” the NHS Spine wasn’t bleeding my personal data. I had been opted out (as my surgery manager later confirmed they had acted on my requests dating back to 2006) for NONE of my personal data being sent to “the spine” under ANY circumstances, AND in any case outside the surgery UNLESS it was as a direct consequence of seeking medical assistance. I even spoke at the time to my PCT to ensure they were aware of my explicit wish.

    Early in 2018 I’d read an article about a form you could request from NHS DATA to confirm IF they had opted your data out of the spine. I called them directly (I record all calls…) and requested the correct form to confirm I was opted out. It arrived in the post, I duly completed it, enclosed copies of ID as required and, just for good measure, stated I ALSO wanted to make a SAR (Subject Access Request under the then DPA 98).

    That was back in April 2018, and after four phone calls I called the Data Commissioner’s office in Cheadle and have been advised to put a complaint to the NHS in writing detailing the following:

    The address given on the form to send the package of my personal data to was wrong! This delayed it being processed because it had been “round the houses” and had to be forwarded to NHS DATA! Data Breach # 1.

    They have STILL not replied to my request for a SAR, except they claim that I need to send proof of ID, despite their helpdesk agreeing that they already had my ID, and still haven’t replied to my calls to ask why they need me to send them again.

    Under “what authority” are NHS DATA NOW processing my personal data (post GDPR / DPA 2018)? (This specifically was of especial interest to the adviser when I spoke to the commissioner’s office.)

    Also, and this is a corker: when I tried to confirm IF I had been opted out over the phone, they were able to locate both a current mobile number and an old email I haven’t had for nearly ten years, WITHIN the NHS DATA SYSTEM! Apparently they have a way of verifying callers by sending a text / email to the details they have on their system for you. They were able to verify me by sending a text to my (personal) mobile, and I was then told that there were no personal records for me on their system.

    Which begs the question: what then do they think my personal mobile number and my email starting firstname.surname@… is, if not processing my personal data!! Also, as the surgery agreed not to (and claim they haven’t) send my data out of their surgery, how did NHS DATA get hold of my personal mobile and old email address!

  3. @Tim – your basic details including contact information are automatically uploaded by your surgery to the Patient Demographic Service which sits on the Spine. Opt outs prevent clinical information being uploaded/ shared but not biographic.

  4. GDPR is already a distant memory.

    I have just booked a Premier Inn stay (yes, I’m a high flyer 😉 ) and the message on checkout still read, “To opt out of receiving marketing emails please untick this box”.

    Nobody cares it seems.

  5. @Tim – “Under “what authority” are NHS DATA NOW processing my personal data (post GDPR / DPA 2018)? (This specifically was of especial interest to the adviser when I spoke to the commissioner’s office.)”

    NHS bodies – like many public sector organisations – are performing a ‘public task’ and that is their lawful basis for processing: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/

  6. Remember the good old days, when you could browse the internet without every webpage you looked at having a popup about cookies or GDPR that you need to click on to make it sod off so you can look at the actual page?

    Now it’s been redesigned for the snowflakes.

    Thanks EU!
