Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Occupational Therapists: Clinical Records, Home Assessments, and Referral Data

Occupational therapists (OTs) work at the intersection of health, social care, and employment — gathering some of the most sensitive personal data imaginable. A home visit assessment captures how someone moves around their kitchen, uses the toilet, and manages daily tasks. An occupational health report for an employer could determine whether someone keeps their job. A child's developmental assessment may influence education provision for years. All of this is deeply personal, and all of it falls squarely under GDPR as special category health data.

This guide covers the key GDPR obligations for OTs — whether you are employed by the NHS, working in a private clinic, or operating as a self-employed sole practitioner.


Clinical Records Are Special Category Data

Health data is special category data under Article 9 GDPR. This means the bar for processing it lawfully is higher than for ordinary personal data. For clinical records, OTs typically rely on Article 9(2)(h) — processing necessary for the provision of health or social care — alongside Schedule 1 of the Data Protection Act 2018, which provides the UK legal gateway for health data processing.

This basis applies to the core clinical purpose: assessment, treatment, care planning, and referral. It does not automatically extend to secondary uses such as anonymised research, training materials, or marketing. Each secondary use needs its own lawful basis and, usually, a separate entry in your Records of Processing Activities (RoPA).


Home Visit Assessments: A Data Privacy Hotspot

Home assessments are a cornerstone of OT practice — and a significant data privacy consideration. When you visit a client's home, you record far more than their medical history. You document physical layout, hazards, family dynamics, carers' presence, economic circumstances, and sometimes details about other household members who have not consented to your assessment at all.

Under GDPR, you must collect only what is necessary for the clinical purpose (data minimisation). Avoid noting irrelevant personal details about household members — if a spouse or adult child is mentioned, only record what is clinically relevant. Where possible, anonymise references to third parties in your report.

Home assessment reports must be stored securely. Many OTs use laptops or tablets in the field — these should be encrypted, password-protected, and ideally managed through a device management policy. Handwritten notes should be transferred to your secure system promptly and the original paper notes disposed of securely.


Sharing Reports with GPs, Consultants, Social Services, and Employers

OTs routinely share assessment reports and clinical correspondence with a range of third parties. The lawful basis and data sharing rules differ depending on who the recipient is:

GPs and NHS consultants: Sharing within the direct care team is generally permitted under Article 9(2)(h) and does not require explicit consent — though good practice includes telling clients what will be shared and with whom.

Social services: Sharing with local authority social care teams is usually permissible under the same care provision basis. Where there are safeguarding concerns, sharing may be required by law regardless of consent.

Employers (occupational health context): This is the most complex scenario. When an OT produces a fitness for work report for an employer, the employer is typically the data controller for that report — not the OT. The OT may be acting as a data processor. This changes the contractual obligations: a Data Processing Agreement (DPA) between the employer and the OT practice is required under Article 28 GDPR.

Critically, the employee whose health is being assessed must give explicit, informed consent before their health data is shared with their employer. They should understand what will and will not be included in the report. The employer should only receive a functional assessment — not a full clinical record — unless the employee has agreed otherwise.


Consent for Sharing Fitness for Work Reports

Consent in the occupational health context is nuanced. While employees may feel pressure to consent (for fear of appearing uncooperative), GDPR requires consent to be freely given. OTs must be satisfied that the individual genuinely understands their choices and is not under duress.

Best practice is to:

  • Provide a written explanation of what the report will contain before the assessment
  • Give the individual the right to review the report before it is sent to the employer
  • Allow them to withhold consent to specific sections or the entire report
  • Document the consent process clearly in your records

If an employee refuses consent, the employer cannot compel the OT to share the report. The employer may then make their own decisions based on limited information — but that is an employment law matter, not a data protection one.


Mental Health Data in Workplace OT Assessments

Mental health conditions are health data and therefore special category data. In workplace OT assessments, mental health data requires particular care. Employers generally do not need — and should not receive — diagnostic labels or detailed mental health histories. A functional assessment focused on capacity, adjustments, and return-to-work timelines is both clinically appropriate and more compliant.

If a client discloses a mental health condition during a workplace assessment and you believe this is relevant to their safe working, discuss with them what, if anything, should be included in the employer report. Do not include diagnoses without explicit consent. Use language focused on function rather than condition wherever possible.

Custodia can help OT practices check whether their websites and intake forms are complying with GDPR requirements around collecting mental health information — including reviewing consent wording and data flows.


Children's OT and Parental Consent

When providing OT services to children, the data controller processes both the child's health data and, inevitably, information about the family as a whole. Parental consent is generally required for processing a child's data where the child lacks capacity to consent themselves — but this is age and maturity dependent.

Under UK law, Gillick competence applies: a child who is sufficiently mature to understand the nature and implications of the assessment may consent in their own right. In practice, most OT work with younger children will involve parental consent as a matter of course.

Key considerations:

  • Consent forms should name both the parent/guardian and the child
  • Parents have the right to access their child's records (subject to the child's own interests)
  • If there are safeguarding concerns, information can be shared without parental consent
  • School-based OT assessments may involve sharing reports with teachers and SENCO — ensure consent covers this

Where OT services are commissioned by a local authority (e.g., for an EHCP assessment), the legal basis shifts to a public task rather than consent.


HCPC Registration and Record-Keeping Alongside GDPR

OTs registered with the Health and Care Professions Council (HCPC) must maintain clinical records in accordance with HCPC Standards of Proficiency and Standards of Conduct. These professional obligations sit alongside — not instead of — GDPR.

HCPC standards require records to be accurate, legible, and appropriately detailed. GDPR adds requirements for:

  • Accuracy (obligation to correct inaccurate data on request)
  • Security (appropriate technical and organisational measures)
  • Rights of access (patients can request copies of their records)
  • Records of Processing Activities (a log of what you process and why)

There is no conflict between these frameworks — HCPC compliance generally supports GDPR compliance. But neither guarantees the other: meeting GDPR standards does not guarantee HCPC compliance, and HCPC compliance alone does not guarantee GDPR compliance.


Clinical Data Retention: 8 Years and 25 Years for Children

GDPR's storage limitation principle requires you to keep data only as long as necessary. For OTs, professional and legal guidance sets specific retention periods:

  • Adult clinical records: A minimum of 8 years from the end of treatment
  • Children's records: Until the patient's 25th birthday, or 26th if treatment ended when they were 17, or 8 years after death if they died before age 18

These retention periods reflect NHS guidance and apply to private OTs as a matter of best practice — and increasingly as a regulatory expectation. After the retention period expires, records must be securely destroyed, with destruction logged.

Do not keep records indefinitely. Doing so breaches the storage limitation principle and increases your exposure in the event of a data breach.


Practice Management Software as a Data Processor

Most OTs now use practice management software — systems like WriteUpp, TM3, Cliniko, or Jane App. Under GDPR, if you use software to store or process client data, the software provider is a data processor and you must have a written Data Processing Agreement in place with them.

Check that your software provider:

  • Has a GDPR-compliant DPA available (most reputable providers do)
  • Stores data within the UK or EEA, or has appropriate international transfer mechanisms in place
  • Has clear breach notification procedures
  • Does not use your client data for its own purposes (e.g., product development or marketing) without your consent

You remain the data controller — which means you are responsible if the software provider mishandles data. Vet your technology providers carefully.

Custodia's website scanner can identify which third-party tools and trackers are active on your practice website, giving you a clearer picture of your data processor landscape.


Self-Employed vs Employed OT: Different Controller and Processor Status

Your employment status significantly affects your GDPR responsibilities:

Employed OT (NHS or private employer): Your employer is the data controller. You process data on their behalf and under their policies. You are not individually responsible for maintaining the RoPA, appointing a DPO, or responding to data subject access requests — your employer is. You are, however, still responsible for handling data appropriately and reporting breaches internally.

Self-employed OT: You are the data controller. Every GDPR obligation falls on you: lawful basis, privacy notices, data subject rights, security measures, RoPA, breach reporting, and vendor management. If you use a billing system, referral platform, or practice management tool, you need DPAs with each. If you earn over the Companies House threshold, you may also need to register with the ICO and pay the data protection fee (currently £40-£60/year for small businesses).


Data Breach When Clinical Assessment Reports Are Compromised

A data breach involving clinical assessment reports is a serious incident. Under GDPR, you must report a breach to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. Health data breaches almost always clear this threshold.

Common OT breach scenarios include:

  • Emailing an assessment report to the wrong employer or GP
  • Losing a laptop or USB drive containing unencrypted client records
  • A practice management system being hacked or suffering unauthorised access
  • A paper report being left at a client's address and seen by an unauthorised household member

If you experience a breach, document it immediately — what happened, what data was involved, how many individuals are affected, and what steps you have taken. Notify the ICO if the threshold is met, and notify affected clients if they are at high risk of harm.


Waiting List Data

Many OTs maintain waiting lists, especially in private practice. Waiting list data contains personal information — names, contact details, referral reasons, and sometimes clinical information. This data must be:

  • Held securely with the same protections as active client data
  • Covered in your privacy notice (patients on your waiting list are data subjects)
  • Retained only as long as necessary (if someone is referred elsewhere, their data should be removed promptly)
  • Subject to data subject rights (someone on your waiting list can request erasure if they decide not to proceed)

Marketing Private OT Services: PECR Rules

If you run a private OT practice, you may wish to market your services via email or SMS. The Privacy and Electronic Communications Regulations (PECR) apply alongside GDPR. The rules:

  • Email marketing to individuals: Requires prior consent (soft opt-in applies only if you have an existing client relationship and you are marketing similar services)
  • Email marketing to businesses: Legitimate interest may apply, but opt-outs must be honoured
  • Cold calls: Must not be made to numbers registered with the Telephone Preference Service

PECR compliance is separate from GDPR and is enforced by the ICO. Fines for PECR breaches can reach £500,000.


Telehealth OT Sessions

Remote OT assessments and therapy sessions via video have grown significantly. Telehealth introduces additional data protection considerations:

  • Platform choice: Use a platform that is GDPR-compliant and has a DPA in place (avoid using consumer video tools like Zoom's free tier for clinical sessions without appropriate configuration)
  • Session recordings: Only record sessions with explicit consent. Store recordings securely and delete them once they are no longer clinically necessary
  • Network security: Conduct sessions on a secure, private network — not public Wi-Fi
  • Patient environment: Be mindful that you may observe the patient's home or family members during video sessions — treat incidental observations with appropriate discretion

Getting Your Practice Website Compliant

Your website is also subject to GDPR and PECR. If you have a contact form, booking system, or newsletter signup, you are collecting personal data and must have an appropriate privacy notice, cookie consent mechanism, and secure data handling in place.

Custodia offers a free website privacy scan at https://app.custodia-privacy.com/scan — run it against your practice website to identify trackers, cookies, and compliance gaps in under 60 seconds. It is a practical first step for any OT practice building a GDPR compliance programme.


Summary: GDPR Priorities for Occupational Therapists

GDPR compliance for OTs is not optional — it is a professional and legal requirement that sits alongside HCPC obligations. The key priorities are:

  • Treat all clinical data as special category data requiring appropriate lawful bases
  • Handle home assessment reports with strict data minimisation and security controls
  • Use clear, freely-given consent before sharing anything with employers
  • Apply the correct retention periods (8 years from the end of treatment for adults; until the 25th birthday for children)
  • Sign DPAs with practice management software and other technology vendors
  • Know whether you are a controller or processor based on your employment status
  • Report breaches to the ICO within 72 hours if the risk threshold is met
  • Comply with PECR before sending marketing emails
  • Ensure your telehealth platform and practice website are also compliant

Building good data protection habits protects your clients, your HCPC registration, and your practice reputation.
