The General Chiropractic Council writes about Confidentiality and Data Protection in its latest “Learning from Fitness to Practise” cases.
In a recent GCC investigation, a patient complained that they had been able to see another patient’s confidential information on a computer screen.
Although the information turned out to be an appointments calendar and did not contain any health or personal details, the GCC urged registrants to guard against information about patients being visible to others. Simple measures, such as screen guards, positioning monitors away from patient access areas, and keeping all written information covered, can prevent patient information from being exposed accidentally.
As stated in the GCC Code, Principle H: “It is your (the registrant's) responsibility to maintain and protect the information you obtain directly or indirectly in the course of your work. Confidentiality is central to the relationship between chiropractor and patient.”
In addition, Standard H1 stipulates that you must: “keep information about patients confidential and avoid improper disclosure of their personal information.”
Although confidentiality was only one part of the complaint, and ultimately the complaint was not upheld, it does send a timely reminder that registrants can put in place simple steps and procedures to avoid such a Fitness to Practise complaint.
Read guidance on confidentiality: Registrant Resource Centre.
Recently, a patient complained to the GCC that upon a Subject Access Request for their records, a registrant did not provide the requested documents in a complete and timely manner and failed to communicate information accurately to the patient when issues arose. This failure resulted in a complaint by the patient to the Information Commissioner’s Office (ICO).
As written in Standard H7 of the GCC Code, registrants must: “give patients access to their personal records as required by law.” Furthermore, a registrant must ensure that they abide by all ICO GDPR requirements when handling and dispatching patient records.
Any document containing personal information that is sent by email should go via an encrypted email service that requires a password to open it. If using post, records should be sent using a traceable, signed-for delivery service. Although patients have the right to access their records, you are permitted under GDPR rules to charge a reasonable administration fee for this service.