UK GDPR compliance in telehealth is not optional and not generic. Telehealth defaults to processing special-category data under Article 9, which raises the compliance bar materially above standard ecommerce. This piece is a plain-English guide to choosing your Article 6 lawful basis, your Article 9 condition, your retention periods, and operationalising patient rights.
Why telehealth defaults to special-category data under Article 9
UK GDPR Article 9 categorises health data as special-category data with higher protection. Any telehealth flow that captures symptoms, conditions, prescriptions, or treatment outcomes is processing special-category data by definition. This triggers the Article 9 condition requirement on top of the standard Article 6 lawful basis. There is no realistic telehealth model that avoids this.
Choosing your Article 6 lawful basis
The three viable Article 6 lawful bases for telehealth are: (1) contract — for the service you provide to the patient, (2) legitimate interests — for fraud prevention and security logging, (3) consent — for non-essential cookies and marketing. Consent for the clinical interaction itself is rarely the right basis because withdrawal would break the service mid-cycle.
Choosing your Article 9 condition
Article 9(2)(h) — provision of health or social care — is the standard condition for the clinical processing itself. Article 9(2)(a) — explicit consent — is sometimes used for ancillary processing like research participation or marketing involving health data. Vital interests (9(2)(c)) and substantial public interest (9(2)(g)) are narrow and rarely the right primary basis.
Retention periods — clinical, payment, marketing
Records relating to clinical care must typically be retained for at least 10 years for adults (per Information Governance Toolkit guidance). Payment and financial records: 7 years per HMRC. Marketing data: until opt-out. Security and access logs: typically 90 days. DSAR-relevant correspondence: at least until the request lifecycle concludes plus reasonable evidentiary tail.
DPIA requirements and when one is mandatory
A Data Protection Impact Assessment is mandatory for large-scale special-category data processing — which telehealth almost always is. The DPIA should document the lawful bases, the data flows, the subprocessors, the risks, and the mitigations. ICO can request the DPIA during an investigation; not having one is itself a finding.
Patient rights — operationalising access, rectification, erasure, portability
UK GDPR gives patients eight rights including access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and lodging a complaint with the ICO. Operationalising them requires: a DSAR intake process, a one-month response window (with possible extension to three months), automated data export tooling for portability, and clear erasure procedures that account for clinical retention overrides.
What special category data means for staff training and access control
Access to special-category data must be on a need-to-know basis with documented audit trail. Staff training on UK GDPR is required and should be refreshed annually. Role-based access control is not optional — it is a Schedule 1 Part 1 condition for processing in some flows.
ICO can impose fines up to £17.5m or 4% of global turnover for serious UK GDPR breaches. Health data breaches attract the strictest enforcement.
There is no realistic telehealth model that avoids Article 9. Compliance is structural — not optional.
UK GDPR done well becomes invisible operational hygiene. Done badly, it is the most expensive failure mode in UK telehealth. The work is not glamorous — but the cost of skipping it dwarfs the cost of doing it.