Data ethics and GDPR

Make sure you comply with rules that govern how you should gather and use patient data


What is data ethics?

‘Data ethics’ refers to how you collect, store and use the data of your patients and customers. The Open Data Institute (ODI) offers this definition: ‘A branch of ethics that evaluates data practices with the potential to adversely impact on people and society – in data collection, sharing and use.’ 

You must always consider the impact and potential for harm of capturing, processing and storing information. When collecting data, you must make sure you are clear about why it’s being collected and what it will be used for. This mitigates the potential for ethically dubious data processing or linkage. Just because you can do something with your data doesn’t mean you should or indeed that you have the right to. 

Due consideration of ethics should also minimise the unintended consequences of generating new information or knowledge assets.  

The General Data Protection Regulation (GDPR) is an EU data protection law that applies to any business that collects, stores and uses data belonging to citizens of the European Union and European Economic Area. The GDPR was adopted into UK law through the Data Protection Act 2018, which superseded the 1998 law of the same name.

It is important that you have an in-depth understanding of the GDPR and what measures you should put in place to ensure you comply with the data protection regulations in the UK and the EU. 

At the moment data flows freely between the two, but this will change once the UK leaves the EU. All individuals and businesses processing personal data in the UK have to register with the Information Commissioner’s Office (ICO). 

Why is this important?

We all have and generate personal data, although we often give it away freely and without consideration of its value as an asset. The main aim of the GDPR in this context is to ensure that patients retain ownership of their data at all times and that it is only used for purposes for which they have given direct informed consent.

Being transparent and having robust data-protection systems in place will help you to build consumer trust and contribute to the success of your business. You can face large fines if the ICO finds that you have neglected your duties under the GDPR.

How to comply with the GDPR rules

In the field of digital physiotherapy, cybersecurity is highlighted as a key aspect of data protection. Make sure you consider all aspects of your business – for example, taking all possible precautions to ensure your website or app cannot be hacked; using a video-call service that encrypts calls end-to-end; and taking steps to ensure that you do not lose patient data, such as making regular back-ups and storing them securely.

When you provide digital physiotherapy services, you may make use of third parties to process or store patient data, such as through exercise programme software or electronic notes. It is important to check that these third parties process and store the data in their systems according to GDPR requirements. 

Under the GDPR, you are not permitted to store or process any EU citizen’s data on servers that are located outside the EU unless the company managing the servers complies with certain regulations. 

If, for instance, a US company is allowed to process or store data from EU citizens, it will state that it holds a certificate of compliance with the EU-US Privacy Shield Framework. You can usually find this information in the company’s own privacy policy.

Even managing spreadsheets of client lists in teams falls under the GDPR as the lists are information assets. Management of that information – for example, complying with the right to be forgotten, or freedom of information requests for everything an organisation holds on an individual – and the consequences of poor processing or data loss apply in exactly the same ways.

What should I do next?

  • NHSX have provided an information governance portal which should answer all your questions.
  • Audit your service to ensure that you comply with the data protection laws in the UK as well as the GDPR. You can use the data protection self-assessment tool from the ICO for this. 
  • If you are at the start of a project you can use the data ethics canvas from the ODI to help you identify and manage potential ethical issues. 


  • Maryke Louw
  • Matthew Curl

Edited by Daniel Allen

Last reviewed: