General Data Protection Regulations (GDPR)


Maintaining the privacy and security of patient data is important.

Receiving and processing personal health data is Cemplicity’s core business, so we have sought extensive legal advice on our role and data security practices. You can be confident that our system is set up to handle this information securely.

Recently, with the introduction of the General Data Protection Regulations (GDPR) in Europe, there is a renewed focus on ensuring there is appropriate consent for the collection and use of patient data. In some situations opt-in consent is required, and in others it is not. The purpose of this page is to clarify these different situations. This information is a guide only and organisations must seek their own independent advice.

Do providers need to get consent to contact patients to ask for their feedback on a service experience or is it sufficient to just allow patients the opportunity to opt-out?

For both the United Kingdom and the Republic of Ireland, the answer depends on why the feedback is being collected. There are many instances where qualifying healthcare providers do not need to seek the explicit consent of the patient to collect their feedback. However, an insurance company, Government agency or other type of organisation not directly involved in delivering patient care may need explicit consent.

What level of consent is needed for multi-point in time feedback collection?

Multi-point in time feedback is often used for Patient Reported Outcome Measures (PROMs) programmes. This process involves contacting the patient and requesting feedback multiple times throughout their healthcare journey.

As with our single point in time Patient Reported Experience Measures (PREMs), there are many instances where a healthcare provider does not have to seek the explicit consent of the patient to collect their feedback over time.

What legislation has Cemplicity relied on to reach these conclusions?

For both public and private providers there are a number of pieces of legislation that govern the use of patient feedback for each country in the Great British Isles.

Healthcare providers in the United Kingdom:

Within each country in the United Kingdom there are three main regulations that apply to the collection of patient feedback. When all three are taken together it becomes clear that providers in the UK are legally required to collect and use patient feedback and do not require explicit consent to do so. They are:

  • General Data Protection Rules (GDPR) – This sets out the level of consent required, and whether a healthcare provider is allowed to collect feedback from patients.
  • United Kingdom Confidential Information Guidelines – This sets out what patient data may be used for in the United Kingdom.
  • Country-specific legislation – This places a legal requirement on healthcare providers to collect patient data.
    1. Health and Social Care Acts (England and Wales);
    2. Health and Social Care standards (Scotland);
    3. Quality Standards for Health and Social Care (Northern Ireland).

Importantly, while both private and public health services providers are mandated to seek feedback from patients in order to improve service quality, other health organisations are not mandated and therefore they may need to seek explicit consent.

Healthcare providers in the Republic of Ireland

The position in Ireland is currently similar to the United Kingdom, with the noticeable exception that there is no domestic legislation restricting the use of patient feedback. As such, the primary source of law is the GDPR.

Additionally, for Health Service Executive funded providers (public providers), there is an explicit legal obligation from the Health Information Quality Authority (HIQA) to collect patient feedback. While this doesn’t apply to private providers, there is a clear policy that the private sector is expected to use the national standards as guidance on what they should be doing.


Nothing in the following information constitutes legal advice. It should not be relied on by any organisation nor take the place of seeking your own independent advice from your legal advisor.

This information reflects the advice Cemplicity has received from our UK legal advisors and further details can be provided to our clients on request.