Legal requirements for patient data management in the aesthetic business


Personal data needs to be protected and everyone has the right to be aware of how and why their data is being collected, used, and stored.

As the aesthetic industry is unregulated, you as a practice still have an obligation to treat patient data professionally. MERIDIQ has summarised a few points of patient data handling below, which can be useful for your practice to incorporate in your routines.

There are two legal frameworks in place in the UK to ensure this. One is the Data Protection Act (DPA), which brought the EU General Data Protection Regulation (GDPR) into UK law; the other is the Common Law Duty of Confidentiality (CLDC).

Under GDPR you also have the right to control your own data, for example to have it removed or moved at your request. Both frameworks apply to an aesthetic business, and it’s important to comply and handle personal data in a legal and safe way.

Collecting data legally

Let’s start from the beginning: collecting personal data (GDPR). To be allowed to collect personal data you need a valid lawful basis for the collection and processing of that data. The data protection legislation defines the available lawful bases, and of the options open to businesses the two that can apply to an aesthetic practice are:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Since an aesthetic business might be collecting health data that could reveal racial or ethnic origin, or might be processing genetic or biometric data for the purpose of uniquely identifying a natural person, such data falls into a special category that requires a higher level of protection.

Patient consent

The patient needs to consent to the collecting and keeping of personal data records. The consent under the DPA must meet certain criteria to be valid. Consent must be:

  • freely given without any unfair pressure
  • specific – for a limited and clearly defined purpose
  • informed
  • unambiguous
  • withdrawable – as easy to withdraw as it was to give it

If using consent as a lawful basis for processing personal data, the patient must also be given certain rights, including the right to move the data (perhaps to a different business) or remove the data completely.

Consent is not an uncomplicated lawful basis to rely on, since health care providers might be in a position of power, and the criterion that consent be “freely given without any unfair pressure” is hard to satisfy when one side is in a position of power.

Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Common Law Duty of Confidentiality

To meet the requirements of this duty, one of the following conditions must be met:

  • a mandatory legal requirement or power that enables the CLDC to be set aside, such as the Children Act 1989 which requires information to be shared in safeguarding cases, powers for Care Quality Commission inspections, reporting of food poisoning, reporting of infectious diseases such as measles, and the powers given to NHS Digital under section 259 of the Health and Social Care Act 2012
  • a court order, where a judge has ordered that specific and relevant information must be provided, and to whom
  • an overriding public interest, where it is judged that the benefit of providing the information outweighs the rights to privacy for the patient concerned and the public good of maintaining trust in the confidentiality of the service
  • explicit or implied consent
  • legal support for the use of confidential patient information without consent under the Health Services (Control of Patient Information) Regulations 2002, under section 251 of the NHS Act 2006

For an aesthetic business the last two are the only conditions that can be used. The consent for this law falls under two categories:

  • implied consent – this will normally apply where data is being used to support individual care and treatment and the patient would reasonably expect data about them to be used in this way, for example when they are referred to another clinician.
  • explicit consent – this applies where a patient has agreed to the use of data for a specific purpose, after they have been fully informed, for example for their data to be included in a research project.

Keeping records

As well as being lawful about collecting data, you also need to be transparent. This is an important part of the data protection laws, where you must make sure your patients know how their data is used and for what purpose it is shared. You need to make a few things clear to the patient:

  • who the data controller is and how to contact them
  • purpose of the data processing
  • the lawful basis for the data processing
  • information about the data subjects’ rights and how to exercise them
  • any third parties with whom the data is shared
  • any transfers to a country outside the European Economic Area (a ‘third country’) and the safeguards that apply to those transfers.

This information needs to be concise, easy to understand and easily accessible.

Sharing data

As well as these specific legal requirements, patient data is protected in other ways. If the data is being shared between companies, there needs to be a contract in place to ensure the protection and responsibility of the data. This agreement should set terms and conditions including (for example):

  • the purpose for which the data is being provided, which must support the provision of health and care services or the promotion of health
  • the security requirements for the organisation receiving the data
  • the retention period for the data

Employees who handle data

All employees should be regularly trained in information governance responsibilities and the terms and conditions for employment should include strict guidelines on how staff handle and protect patient data. In the contract you should also outline disciplinary procedures, including dismissal, for any member of staff who does not comply with those guidelines.

There is an online self-assessment tool that lets you measure your performance, and all businesses that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal data is handled correctly.


As small as your aesthetic business might be, you are still legally responsible for the way you handle patient data. These few simple steps are a good start with data protection:

  • Make sure every tool you use to acquire patient data (website form, forms filled in at your practice, etc.) contains a way to give consent
  • Verify that your patient records and tools are hosted in Europe and GDPR compliant
  • Give your users access to their personal data, so they can transfer or delete it
  • Make sure that data shared with third parties is covered by a specific contract (data controller)

Even if the aesthetic industry is unregulated for now you can still use good practice in handling patient data, as suggested in the above article. For more information about how MERIDIQ can help you, please read more about our functions here.