GDPR record corrections: what clinicians must do
Learn what GDPR requires when patients request corrections or deletions to clinical records, including audit trails and legal exemptions

Healthcare records sit at the intersection of two legal obligations that can pull in opposite directions. The General Data Protection Regulation (GDPR) grants patients meaningful rights over their personal data, including the right to have inaccurate information corrected and, in some circumstances, deleted. At the same time, professional and regulatory frameworks require clinicians to maintain complete, accurate, and unaltered clinical documentation of care. For clinical admins who handle these requests day to day, understanding exactly where these obligations begin, end, and overlap is not optional: it is a core requirement of GDPR compliance in healthcare.
The two GDPR rights that matter here: rectification and erasure
Two articles of GDPR are directly relevant when a patient challenges the content of their clinical record.
Article 16, the right to rectification, gives individuals the right to have inaccurate personal data corrected without undue delay, and to have incomplete personal data completed. As the Irish Data Protection Commission confirms, the right applies relatively straightforwardly to factual personal data such as a wrong date of birth, an incorrect address, or a misspelled name. It becomes considerably more complex when the data in question is a clinical opinion, a diagnosis, or a treatment note.
Article 17, the right to erasure (also called the right to be forgotten), gives individuals the right to request deletion of their personal data in specific circumstances, including where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data was unlawfully processed. As the Information Commissioner's Office (ICO) guidance on the right to erasure makes clear, this right is not absolute. It applies only to personal data the controller actually holds at the time the request is received.
Both rights can be invoked by any identified data subject, in this context the patient whose record is held. Both are subject to the response deadline in Article 12(3): without undue delay and in any event within one calendar month of receipt, extendable by up to two further months for complex or numerous requests provided the patient is told of the extension, and the reasons for it, within the first month. Neither right, as the sections below explain, operates without significant qualification in a healthcare setting.
When a patient requests a correction: what GDPR actually obligates you to do
When a patient submits a rectification request, Article 16 requires the data controller, typically the healthcare organisation, to assess whether the data in question is genuinely inaccurate or incomplete, and to act accordingly within one month.
For straightforward factual errors such as a wrong NHS number or an incorrect date of birth, this is relatively uncomplicated. The entry is corrected, the change is logged, and the patient is notified. The complexity arises with clinical entries, including diagnoses, observations, risk assessments, and medication decisions, where the concept of inaccuracy is not self-evident.
The ICO addresses this directly. Its guidance on rectification states that if a patient receives a diagnosis that is later proved not to be the case, their medical records should record both the initial diagnosis and the final findings. The original entry is not erased. It is contextualised. This reflects a core principle of clinical documentation: the record exists to show what was known and decided at a given point in time, not only what is currently understood to be true.
Critically, correction in a clinical record context almost always means an addendum or annotation, not overwriting. The GDPR-Hub commentary on Article 16 confirms that rectification can be achieved by changing data, by partial or complete deletion, or by completion, and that in some situations the data subject can choose between requesting rectification or erasure. In practice, for clinical records, completion via a supplementary statement is the most common and legally defensible approach.
When a patient requests deletion: the limits of Article 17 in healthcare
The right to erasure is the request clinical admins are most likely to mishandle, either by treating it as automatically valid or by refusing it without proper assessment. Neither approach is compliant.
Article 17(3) sets out several exemptions, and the following are directly relevant to healthcare records. The right to erasure does not apply to the extent that continued processing is necessary:
For compliance with a legal obligation under Union or Member State law
For reasons of public interest in the area of public health under Article 9(2)(h) and (i)
For archiving purposes in the public interest, or for scientific or historical research
For the establishment, exercise, or defence of legal claims
In practice, most clinical records fall under at least one of these exemptions. National legislation across European Union member states and the UK imposes statutory minimum retention periods for medical records, typically between eight and thirty years depending on record type and jurisdiction, and a statutory retention period is a legal obligation within the meaning of Article 17(3)(b). Secure Privacy's Data Protection Officer guidance for healthcare confirms that where a statutory retention obligation applies, erasure requests can be lawfully refused.
However, the 2025 European Data Protection Board (EDPB) coordinated enforcement action, which analysed responses from 764 controllers across Europe, found that controllers frequently misapplied the Article 17(3) exemptions by treating them as automatically applicable without conducting case-by-case assessments. Nine Data Protection Authorities launched formal enforcement investigations as a result. The lesson for clinical admins is clear: declining an erasure request requires documented reasoning for that request, not a blanket policy.
Even when a deletion request is lawfully refused, the organisation must still respond to the patient within one month, explain the grounds for refusal, and inform them of their right to complain to the relevant supervisory authority.
The audit trail requirement: what must be recorded when a record is amended
Whenever a clinical record entry is corrected, annotated, or flagged as disputed, the organisation must maintain a complete audit trail. This is both a GDPR accountability requirement and a medico-legal necessity.
A compliant audit trail for a record amendment must capture:
The identity of the person who made the change
The date and time of the change
The reason for the change
The content of the original entry, preserved in full
The nature of the amendment (addendum, correction, or dispute flag)
A GP practice records access policy aligned with NHS guidance states explicitly: "Information can be removed from display, but the audit trail will always keep the record complete. Amendments to records can be made provided the amendments are made in a way that indicates why the alteration was made, so that it is clear that records have not been tampered with."
Overwriting or deleting original entries without a trace is one of the most serious compliance failures a clinical admin can make. It creates simultaneous GDPR risk (a failure of accountability under Article 5(2)) and medico-legal risk (potential evidence of record tampering in a clinical negligence or regulatory investigation). Audit trails must therefore be tamper-evident: it must be possible to detect after the fact that an entry or a log record was altered or removed, not merely to hope that nobody did. In support of the GDPR accountability principle and NHS guidance on healthcare records management, the trail should capture granular details for every interaction with the record, including user identity, timestamp, IP address, device identifier, data classification, and the action performed. GDPR itself does not prescribe this field list; it is the level of detail needed to evidence who did what to the record and when.
How professional standards and regulatory bodies interact with GDPR obligations
GDPR sets a floor, not a ceiling. National medical councils, professional regulators, and health system bodies layer additional obligations on top, and in most cases these reinforce rather than contradict the GDPR approach to record integrity.
In the UK, the General Medical Council (GMC) and the Nursing and Midwifery Council (NMC) both require clinicians to keep clear, accurate, and contemporaneous records. NHS guidance on records management specifies retention schedules that determine the minimum period for which different record types must be kept. These obligations interact directly with Article 17(3)(b): where a statutory or regulatory retention requirement exists, it provides the legal basis to refuse an erasure request.
Across EU member states, the picture is similar but variable. National legislative frameworks in Sweden, the UK, and Germany largely mirror GDPR while offering different additional mechanisms for managing errors in medical record systems. The forthcoming European Health Data Space (EHDS) is expected to position the rectification process within digital health services, potentially enabling in-system patient input, though this remains prospective at the time of writing.
Clinical admins operating across borders, or in organisations subject to both UK GDPR and EU GDPR, should be aware that member state rules may be stricter than the GDPR baseline and should seek jurisdiction-specific legal advice where the applicable framework is unclear.
The correct process for handling a rectification request step by step
The following workflow reflects the requirements of Articles 12, 16 and 19 GDPR, the one-month response deadline, and best practice for clinical record management.
Step 1: Receive and log the request. Record the date of receipt. The one-month clock starts immediately, regardless of how the request was submitted (letter, email, online form, or verbally). A verbal request is valid on its own; the organisation should note it in writing itself rather than wait for the patient to confirm it.
Step 2: Verify the patient's identity. Do not process the request until identity is confirmed, since this is what protects against unauthorised amendments to third-party records. Article 12(6) allows the controller to ask for additional information where it has reasonable doubts about identity, but the check must be proportionate: ask for what is needed to confirm who is asking, not for more than the organisation already holds.
Step 3: Identify the specific data in question. Ask the patient to specify precisely which entry or entries they consider inaccurate or incomplete, and what correction they are seeking.
Step 4: Consult the responsible clinician. The NHS-aligned records policy is clear: "Where the dispute concerns a medical entry, the clinician who made the entry should be consulted and consideration given as to whether it is appropriate to change it." This step is not optional.
Step 5: Determine the appropriate action. Based on the clinician's assessment and the nature of the data:
If the entry contains a clear factual error (wrong date, wrong name): correct it and preserve the original in the audit trail
If the entry is a clinical opinion the clinician stands by: add a supplementary note recording the patient's dispute without altering the original
If the entry is genuinely incomplete: add a completion statement
Step 6: Update the record compliantly. Preserve the original entry, date and attribute the amendment clearly, and document the reason for the change.
Step 7: Notify the patient of the outcome. Respond within one calendar month of the original request. If the request is refused in full or in part, explain the grounds and inform the patient of their right to complain to the supervisory authority.
Step 8: Document the decision-making process. Record what was considered, who was consulted, what decision was reached, and why. This documentation is the organisation's evidence of compliance if the decision is later challenged.
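The audit-trail requirements above (who, when, why, the original entry preserved in full, the nature of the amendment) and the three outcomes in Step 5 are easy to state and easy to get wrong in an implementation. The following is an added example, not code from the original page or from any NHS or vendor system, of an append-only amendment log for one record entry in which the original wording is never overwritten: a factual correction changes only what is displayed, a completion or dispute note is appended alongside, and "hide from display" is itself just another logged event. Each event is hashed together with the previous event's hash, so `verify_chain()` detects a later edit to any preserved text, reason or attribution. The entry identifier, request reference, names and note text are constructed sample data, and the amendment kind names are this example's own; the hash chain is a tamper-evidence mechanism, not something GDPR or NHS guidance mandates.

```python
"""Append-only, hash-chained amendment log for one clinical record entry (illustrative)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional

# Amendment kinds from the audit-trail section and Step 5 (names are this example's own).
KINDS = ("correction", "completion", "dispute_flag", "hide_from_display")


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    kind: str                 # one of KINDS: the nature of the amendment
    actor: str                # identity of the person who made the change
    timestamp: str            # ISO 8601, UTC
    reason: str               # why the change was made
    text_before: str          # full displayed text of the entry before this event
    new_text: Optional[str]   # corrected text, completion statement or dispute note
    prev_hash: str            # digest of the previous event (or of the original entry)
    digest: str = ""          # SHA-256 over every other field, filled in on append


def _digest(fields: dict) -> str:
    """SHA-256 over the canonical JSON of all fields except the digest itself."""
    body = {k: v for k, v in fields.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ClinicalEntry:
    """One record entry plus its amendment log. Nothing here ever overwrites the original."""

    def __init__(self, entry_id: str, author: str, text: str, created_at: str):
        self.entry_id, self.author = entry_id, author
        self.original_text, self.created_at = text, created_at
        self.events: List[AuditEvent] = []

    def _genesis(self) -> str:
        """Digest of the original entry; anchors the chain so the original cannot be swapped."""
        return _digest({"entry_id": self.entry_id, "author": self.author,
                        "text": self.original_text, "created_at": self.created_at})

    def _append(self, kind: str, actor: str, reason: str,
                new_text: Optional[str], now: Optional[str] = None) -> AuditEvent:
        if kind not in KINDS:
            raise ValueError(f"unknown amendment kind: {kind}")
        if not reason.strip():
            raise ValueError("an amendment must record its reason")
        prev = self.events[-1].digest if self.events else self._genesis()
        ev = AuditEvent(seq=len(self.events), kind=kind, actor=actor,
                        timestamp=now or datetime.now(timezone.utc).isoformat(),
                        reason=reason, text_before=self.current_text(),
                        new_text=new_text, prev_hash=prev)
        ev = replace(ev, digest=_digest(asdict(ev)))
        self.events.append(ev)
        return ev

    # Step 5 outcomes, each as an appended event rather than an edit in place.
    def correct(self, actor, reason, corrected_text, now=None):
        """Clear factual error: display the corrected text; the prior text stays in the log."""
        return self._append("correction", actor, reason, corrected_text, now)

    def complete(self, actor, reason, statement, now=None):
        """Genuinely incomplete entry: a completion statement is added alongside."""
        return self._append("completion", actor, reason, statement, now)

    def flag_dispute(self, actor, reason, patient_statement, now=None):
        """Clinician stands by the entry: record that, and what, the patient disputes."""
        return self._append("dispute_flag", actor, reason, patient_statement, now)

    def hide(self, actor, reason, now=None):
        """'Removed from display' while the audit trail keeps the record complete."""
        return self._append("hide_from_display", actor, reason, None, now)

    def current_text(self) -> str:
        text = self.original_text
        for ev in self.events:
            if ev.kind == "correction":
                text = ev.new_text
        return text

    def display(self) -> dict:
        """What a clinician sees; the original and every prior version remain in history()."""
        return {"entry_id": self.entry_id, "text": self.current_text(),
                "hidden": any(e.kind == "hide_from_display" for e in self.events),
                "addenda": [e.new_text for e in self.events if e.kind == "completion"],
                "disputed": any(e.kind == "dispute_flag" for e in self.events),
                "dispute_notes": [e.new_text for e in self.events if e.kind == "dispute_flag"]}

    def history(self) -> List[dict]:
        return [asdict(e) for e in self.events]

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False means some event was altered or removed."""
        prev = self._genesis()
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or _digest(asdict(ev)) != ev.digest:
                return False
            prev = ev.digest
        return True


def demo() -> dict:
    """Constructed scenario (no real patient data): a correction, a dispute, then tampering."""
    entry = ClinicalEntry("note-0001", "Dr A. Example",
                          "Pt reports chest pain since 12 Mar 2024. Declined cardiology referral.",
                          "2024-03-14T09:30:00+00:00")
    entry.correct("Dr A. Example", "REQ-17: onset date mis-typed, confirmed against GP letter",
                  "Pt reports chest pain since 13 Mar 2024. Declined cardiology referral.",
                  now="2024-04-02T11:05:00+00:00")
    entry.flag_dispute("admin.jsmith", "REQ-17: authoring clinician consulted, stands by entry",
                       "Patient states no cardiology referral was offered.",
                       now="2024-04-02T11:20:00+00:00")
    intact_before, view, history = entry.verify_chain(), entry.display(), entry.history()
    # An insider quietly rewrites the preserved pre-correction text in the log.
    entry.events[0] = replace(entry.events[0], text_before=entry.current_text())
    return {"intact_before": intact_before, "intact_after": entry.verify_chain(),
            "view": view, "history": history}
```

In a real system the chain head (the latest digest) would be copied somewhere the record system's own administrators cannot write, such as a write-once log or a separately administered store, since a hash chain only proves that the log is consistent with its last link, not that the last link is the real one.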
What to do when you disagree with the patient's version of events
A patient may assert that a clinical entry is inaccurate when the clinician who made the entry stands by its accuracy. This is one of the most common and most misunderstood scenarios in clinical records management.
GDPR does not require healthcare providers to accept a patient's preferred version of events as fact. The Irish Data Protection Commission's guidance is explicit that neither the right to rectification nor the right to erasure applies readily to medical opinions, diagnoses, and clinical treatment notes, precisely because these represent professional judgements rather than objective facts.
The GDPR-compliant response in a disputed clinical entry scenario is to add a note to the record indicating that the patient disputes the entry, while leaving the clinician's original documentation intact. This approach:
Preserves the integrity of the original clinical record
Acknowledges the patient's right to have their view recorded
Creates a transparent audit trail showing the dispute was handled
Does not require the organisation to adjudicate between competing accounts
The one-month response deadline still applies. The patient must be informed of the outcome, including the fact that the original entry has been retained, and of their right to escalate to the supervisory authority if they remain dissatisfied.
Third-party notifications: do you have to tell anyone else about the change?
Article 19 of GDPR requires data controllers to communicate any rectification or erasure to each recipient to whom the data was disclosed, unless doing so proves impossible or involves disproportionate effort. The controller must also tell the data subject who those recipients are if the data subject asks.
In a clinical context, this obligation has direct operational implications. If a patient's record has been amended and that record was previously shared with a secondary care provider following a referral, a specialist who received a referral letter, an insurer or employer (where the patient consented to disclosure), or a social care team, then each of those recipients should in principle be notified of the amendment. In practice, this requires clinical admins to maintain clear records of who received what information and when.
The disproportionate effort exception provides some relief where notification is genuinely impractical, for example where data was shared many years ago with multiple parties and contact details are no longer available. However, this exception requires documented justification. It cannot be invoked as a default.
Common mistakes clinical admins make when handling these requests
The 2025 EDPB enforcement findings identified systematic failures across controllers in how erasure rights are handled. In a clinical records context, the most frequent compliance failures include:
Missing the one-month deadline. The clock starts on the date of receipt, not the date the request is formally logged or assigned. Delays in internal routing are not a valid reason for a late response.
Overwriting original entries. Replacing an original entry without preserving it in an audit trail is both a GDPR accountability failure and a potential medico-legal liability.
Failing to document the decision-making process. Deciding not to amend a record, or deciding to add an addendum rather than a correction, requires documented reasoning. An undocumented decision is an indefensible decision.
Treating all deletion requests as automatically valid. Accepting erasure requests without assessing whether an exemption applies, particularly the statutory retention exemption, exposes the organisation to the risk of destroying records it is legally required to keep.
Treating all deletion requests as automatically invalid. The EDPB identified reflexively refusing all erasure requests without case-by-case assessment as a common and sanctionable failure.
Not escalating to the Data Protection Officer (DPO). Complex requests, disputes involving sensitive data, or cases where the lawful basis for retention is genuinely unclear should go to the DPO rather than be resolved at admin level.
When to escalate: your DPO, your legal team, and your regulator
Not every rectification or erasure request can or should be resolved at clinical admin level. The following scenarios warrant escalation to the DPO, legal team, or in some cases the supervisory authority:
Requests involving minors. The interplay between parental rights, Gillick competence (in England and Wales; Scotland applies its own statutory test), and the child's own data rights requires legal input.
Records shared across national borders. Where data has been transferred to processors or recipients in other jurisdictions, the applicable retention and deletion rules may differ.
Genuine uncertainty about the lawful basis for retention. If it is not clear whether a statutory retention obligation applies, or whether a public interest exemption is engaged, this is a legal question, not an administrative one.
Requests that appear to relate to a potential legal claim. Where there is any indication that the patient is considering or has initiated legal proceedings, the record has potential evidential value and any amendment requires legal advice.
Repeated or escalating disputes. If a patient has already complained to the supervisory authority, or has indicated they intend to, the DPO must be involved.
Under Article 37 GDPR, most EU healthcare organisations processing health data at scale are required to designate a Data Protection Officer. Secure Privacy's healthcare guidance confirms that processes must be in place for patients to exercise all data subject rights, and that the DPO's role includes advising on requests that conflict with statutory obligations. Clinical admins should know who their DPO is, how to contact them, and what threshold triggers a referral, before a complex request arrives, not after.
Frequently asked questions
Do patients have the right to correct their clinical records under GDPR?
Yes, but with important limits. Article 16 of the General Data Protection Regulation gives patients the right to have inaccurate personal data corrected. For straightforward factual errors — a wrong date of birth or a misspelled name — correction is relatively uncomplicated. For clinical entries such as diagnoses, risk assessments, or treatment notes, the concept of inaccuracy is more complex. A clinician's professional judgement isn't the same as an objective fact, and the Irish Data Protection Commission confirms that the right to rectification doesn't apply readily to medical opinions and clinical treatment notes.
Can a patient request deletion of their medical records under GDPR?
Patients can submit a deletion request under Article 17 of GDPR, but this right isn't absolute in a healthcare setting. Most clinical records fall under at least one of the Article 17(3) exemptions, including compliance with a legal obligation, public interest in public health, or the establishment or defence of legal claims. National legislation across EU member states and the UK sets statutory minimum retention periods for medical records, typically between eight and thirty years, which constitute a legal obligation that allows organisations to lawfully refuse erasure requests. However, refusal requires documented case-by-case reasoning, not a blanket policy.
What's the correct way to amend a clinical record when a patient disputes an entry?
The correct approach is to add an addendum or annotation to the record, not to overwrite or delete the original entry. If a patient disputes a clinical opinion that the responsible clinician stands by, a supplementary note should be added recording the patient's dispute, while leaving the original documentation intact. If the entry contains a genuine factual error, it should be corrected with the original preserved in the audit trail. The Information Commissioner's Office confirms that where a diagnosis is later found to be incorrect, the record should show both the initial diagnosis and the final findings.
What must an audit trail include when a clinical record is amended?
A compliant audit trail must capture the identity of the person who made the change, the date and time of the change, the reason for the change, the full content of the original entry, and the nature of the amendment. NHS guidance is explicit that information can be removed from display, but the audit trail must always keep the record complete. Overwriting original entries without a trace creates both a GDPR accountability failure under Article 5(2) and a medico-legal risk, including potential evidence of record tampering in a clinical negligence investigation.
How long does a healthcare organisation have to respond to a rectification or erasure request?
Both the right to rectification under Article 16 and the right to erasure under Article 17 are subject to the Article 12(3) deadline: without undue delay and in any event within one calendar month. The clock starts on the date the request is received, not the date it's formally logged or assigned internally. The period can be extended by up to two further months for complex or numerous requests, but only if the patient is told of the extension and the reasons for it within the first month. If the request is refused in full or in part, the organisation must still respond within the deadline, explain the grounds for refusal, and inform the patient of their right to complain to the relevant supervisory authority.
Does GDPR require healthcare providers to accept a patient's version of events as fact?
No. GDPR doesn't require healthcare providers to accept a patient's preferred version of events as fact. The Irish Data Protection Commission is explicit that the right to rectification doesn't apply readily to medical opinions, diagnoses, and clinical treatment notes, because these represent professional judgements rather than objective facts. Where a clinician stands by their original entry, the GDPR-compliant response is to add a note recording that the patient disputes the entry, while leaving the original documentation intact. The patient must then be informed of the outcome and of their right to escalate to the supervisory authority.
Does amending a clinical record trigger a duty to notify third parties?
Yes. Article 19 of GDPR requires data controllers to notify any third party to whom the data was disclosed of a rectification or erasure, unless doing so is impossible or involves disproportionate effort. In a clinical context, this can include secondary care providers who received a referral, specialists who received a referral letter, or social care teams. Clinical admins need to maintain clear records of who received what information and when. The disproportionate effort exception can apply where notification is genuinely impractical, but it requires documented justification and can't be used as a default.
What are the most common mistakes when handling patient rectification and erasure requests?
The 2025 European Data Protection Board coordinated enforcement findings identified several recurring failures. These include missing the one-month response deadline, overwriting original entries without preserving them in an audit trail, failing to document the reasoning behind decisions, treating all deletion requests as automatically valid, and treating all deletion requests as automatically invalid without case-by-case assessment. The EDPB found that nine Data Protection Authorities launched formal enforcement investigations as a result of controllers misapplying Article 17(3) exemptions without proper individual assessment.
When should a clinical admin escalate a rectification or erasure request to the Data Protection Officer?
Several scenarios warrant escalation rather than resolution at admin level: requests involving minors, where parental rights and the child's own data rights intersect; records shared across national borders, where different retention rules may apply; cases where there's genuine uncertainty about the lawful basis for retention; requests that may relate to a potential legal claim, where the record has evidential value; and situations where the patient has already complained to the supervisory authority or indicated they intend to. Under Article 37 of GDPR, most EU healthcare organisations processing health data at scale are required to designate a Data Protection Officer, and clinical admins should know who theirs is before a complex request arrives.