How to write a patient-facing privacy notice that builds trust
Turning a legal requirement into a communication opportunity
Authored by Thomas Andrew Porteus, MBCS
Originally published 9 Jul 2025
Meets Patient’s editorial guidelines
Most general practices publish a privacy notice because they have to. It’s a requirement under UK GDPR and part of the DSPT (Data Security and Protection Toolkit). But too often, these notices are legalistic, hard to read, or buried at the bottom of a website - full of passive phrases and technical terms that patients skim past, or never find at all. Yet your privacy notice is more than a compliance box. It’s your chance to explain, in plain English, how and why you collect and use patient data - and to build trust through transparency. This guide shows you how to write a clear, meaningful privacy notice that informs patients, reassures them, and reflects your practice values.
What a privacy notice should do
At its core, your privacy notice should:
Tell patients what personal data you collect.
Explain why and how you use it.
Set out your legal basis for processing.
Describe how data is stored, shared and protected.
Explain patients’ rights.
Say who to contact if they have concerns.
But beyond that, a good privacy notice should sound like your practice - human, clear and approachable.
The problem with many privacy notices
Too many notices:
Use overly formal or technical language.
Copy templates without adapting them.
Focus on compliance rather than patient understanding.
Hide key details in dense paragraphs.
Fail to explain how digital tools, like online consultations or apps, fit in.
The result? Patients don’t read them. Or if they do, they feel confused or even suspicious.
How to make your privacy notice clearer and more patient-friendly
1. Start with a plain-English summary
Open with a short paragraph that says:
Who you are.
Why you need to collect and use patient information.
What your promise is around confidentiality and respect.
Where patients can get more information.
For example: “At Riverside Surgery, we collect and use information about you to provide safe, personalised care. We always keep your data secure and use it responsibly. This notice explains what information we collect, why we collect it, and your rights as a patient.” This sets a helpful tone and invites the patient to keep reading.
2. Use headings and questions that reflect what patients actually ask
Structure your notice using questions like:
What information do we collect about you?
Why do we need your information?
Who can see your information?
How do we keep your records safe?
What are your rights?
How can you contact us about your data?
This approach is more engaging than formal subheadings like “Categories of data processed”.
3. Explain the legal bits simply
Instead of listing legal bases with no explanation, try something like: “The law allows us to collect and use your information for your direct care. This is called our ‘legal basis for processing’. Most of the time, we don’t need your consent - for example, when we refer you to a hospital or prescribe medication. But if we want to use your data for anything else, we’ll ask for your permission.” Include links for those who want the full legal wording - but keep the main text accessible.
4. Describe data sharing clearly
Be upfront about how and why you share data, especially with:
Hospitals and community services.
Local health networks (for example, your PCN).
NHS systems and suppliers.
Research or public health bodies, if applicable.
Example: “Sometimes, we need to share your information with other healthcare professionals involved in your care - like a hospital consultant or district nurse. We’ll only share what’s necessary and relevant.” Include a list of key partners if possible, or a link to one.
5. Address digital services
If you use tools like:
Online consultation platforms (for example, AccuRx, eConsult).
SMS or email reminders.
Patient apps.
Cloud-based clinical systems.
Explain briefly how data flows through them and reassure patients that these tools meet NHS standards for security and confidentiality. Example: “We use AccuRx to send text messages and collect information before your appointment. This service is secure and approved for NHS use.”
6. Make it easy to contact you
Include:
A named role, such as the practice manager or data protection officer.
An email and phone number.
The address of your practice.
A link to the ICO for complaints or escalation.
Reassure patients that questions are welcome - and that raising concerns won’t affect their care.
Where and how to publish your notice
On your website - ideally with a link from the homepage.
As a paper copy available at reception.
On your waiting room screen or noticeboard.
In accessible formats if requested, such as large print or other languages.
Keep it updated annually - or whenever you change your systems or providers.
Final word: transparency is trust
A privacy notice isn’t just a policy. It’s a conversation. Done well, it shows patients that you respect their information, understand your responsibilities and take data protection seriously. By using clear language, practical examples and a welcoming tone, you can turn your privacy notice from a legal hurdle into a trust-building tool - one that supports safer care and stronger relationships.
Article history
The information on this page is written and peer reviewed by qualified clinicians.
Next review due: 9 Jul 2028
9 Jul 2025 | Originally published
Authored by:
Thomas Andrew Porteus, MBCS