Text messaging has become one of the most widely used communication channels between healthcare providers and their patients. From appointment reminders sent by NHS GP surgeries to promotional offers from private clinics, text messages now carry a significant volume of patient-facing communication every day. Yet many clinic owners and practice managers remain uncertain about the exact legal requirements governing GDPR compliance for text messages, particularly the overlap between GDPR, PECR, and ICO guidance.
The UK General Data Protection Regulation sets out broad rules for processing personal data, but it does not operate in isolation when it comes to electronic communications. The Privacy and Electronic Communications Regulations (PECR) add a separate and specific layer of rules that apply directly to SMS marketing and other forms of electronic marketing. Getting the distinction wrong can expose a clinic to regulatory action from the Information Commissioner's Office.
This guide is written for clinic owners, practice managers, and healthcare administrators who want a clear, practical understanding of what the law requires. It covers:
- the difference between GDPR and PECR
- the lawful basis for sending different types of text messages
- how to obtain and record valid consent
- data security obligations
- and the specific considerations that apply to NHS and private providers.
By the end, you will have a working framework for achieving GDPR compliance for text messages sent to patients.
GDPR and PECR SMS Marketing
GDPR and PECR are separate pieces of legislation, and both apply when a UK healthcare provider sends text messages to patients or contacts.
- The UK GDPR, retained from the EU GDPR and incorporated into domestic law via the Data Protection Act 2018, governs how organisations collect, store, and use personal data. Any time a clinic stores a patient's phone number or uses it to send a message, it is processing personal data and must comply with the UK GDPR.
It is worth noting that the Data Use and Access Act, which is progressing through UK legislation, may introduce further adjustments to how organisations document data flows, though the core obligations around consent and lawful basis remain unchanged for healthcare providers.
- PECR, the Privacy and Electronic Communications Regulations 2003, sits alongside GDPR and implements the EU ePrivacy Directive into UK law. PECR sets out specific rules for electronic communications used for direct marketing purposes.
Crucially, PECR applies in addition to GDPR, not instead of it. This means that sending a direct marketing text message requires compliance with both frameworks simultaneously.
The practical consequence for healthcare providers is straightforward. You need a lawful basis under GDPR to process the patient's phone number at all. Then, if that message is for direct marketing, you also need to meet PECR's separate consent requirement.
The ICO is clear that you cannot rely on a GDPR lawful basis alone to send unsolicited marketing via SMS. Electronic marketing by text requires its own specific consent under PECR, regardless of the basis used to process the personal data.
| Regulation | Scope | Key Requirement for SMS |
|---|---|---|
| UK GDPR | Processing of personal data | Lawful basis for storing and using phone numbers |
| PECR | Electronic marketing communications | Specific prior consent for direct marketing texts |
| ePrivacy Directive | Origin of PECR in EU law | Implemented via PECR in the UK |
It is also worth noting that Section 32 of the Communications Act 2003 provides the broader legislative context within which electronic messaging services operate in the UK, intersecting with PECR's definitions of what constitutes a communications service.
Lawful Basis for Sending Text Messages Under GDPR Compliance Rules
Under UK GDPR, every instance of processing personal data must have a lawful basis. For healthcare providers, the relevant bases most commonly considered for SMS communication are consent, contract, legal obligation, and legitimate interests.
The type of text message you are sending determines which lawful basis applies. Healthcare providers typically send two distinct categories of text message:
- administrative service messages
- and promotional or direct marketing messages.
Administrative texts, such as appointment reminders, prescription collection notices, test result alerts, and follow-up care instructions, can generally be sent under the lawful basis of contract or legitimate interests. Where a patient has booked an appointment, sending a reminder is a reasonable expectation of the service and serves both the patient and the clinic. The ICO's guidance on legitimate interests requires a three-part test:
- the interest must be legitimate
- the processing must be necessary
- the patient's rights and interests must not override it.
Promotional SMS marketing is a different matter entirely. If you are texting a patient about a new service, a seasonal health check offer, or a discounted treatment, that is direct marketing under PECR. In that case, you must have specific, prior, opt-in consent from the patient before sending.
Legitimate interests cannot be used as a GDPR lawful basis to bypass PECR's consent requirement for electronic marketing. This is a nuance that many general GDPR guides overlook: when can you rely on legitimate interests as a lawful basis at all?
For service messages tied to an existing patient relationship, legitimate interests can apply, but it never covers unsolicited marketing texts.
Medesk supports clinics in managing this distinction by providing secure appointment reminders that are delivered through a compliant communication workflow, helping practices send service messages without inadvertently crossing into promotional territory.
![[en] sms communication](/i/1aEPlH4J0KXGT4JJWVzCfj/9e709bfda37a2084efabc1b1e0b0ad2c/sms_communication.png?w=700)
Key points to remember about lawful basis:
- Service messages tied to an existing patient relationship can rely on contract or legitimate interests
- Direct marketing texts always require consent under PECR
- You must document your chosen lawful basis for each category of message
- Consent obtained for treatment purposes does not automatically extend to promotional texts
- Legitimate interests requires a documented balancing test that weighs clinic interests against patient rights
How to Obtain Valid Consent for SMS Marketing
When PECR requires consent for SMS marketing, that consent must meet the UK GDPR standard for validity. The ICO defines valid consent as freely given, specific, informed, and indicated by a clear affirmative action. This has several practical implications for how clinics collect consent.
Pre-ticked boxes do not constitute valid consent. The patient must take a positive step, such as ticking an unticked box, to indicate their agreement. Silence, inactivity, or a pre-ticked option does not satisfy the requirement for affirmative action.
Clinics that have historically relied on opt-out mechanisms for SMS marketing are likely operating outside compliance for direct marketing texts. The absence of an opt-out is not the same as an opt-in.
A compliant opt-in statement on a registration form or booking page might read:
"I would like to receive promotional health information and offers from [Clinic Name] by text message. You can withdraw your consent at any time by replying STOP to any message or contacting us directly."
That wording covers the key requirements:
- it is specific to text messages
- it identifies the sender
- it explains what the messages will contain
- and it provides a clear opt-out mechanism.
Patients must also be told they can withdraw consent without detriment to their care.
Explicit consent of this kind is distinct from the softer forms of agreement that might suffice for other data processing activities. For SMS marketing in healthcare, the bar is high because patients should never feel that consent to promotional texts is bundled with consent to treatment. The two must be presented and recorded separately.
Consent must also be recorded. You need to know when a patient consented, what they consented to, and how that consent was obtained. This record is what you would rely on if the ICO ever investigated a complaint about your SMS marketing. PECR rules require you to be able to demonstrate compliance, not merely assert it.
For SMS marketing strategies tailored to healthcare providers, see our guide on SMS marketing in the healthcare sector.
Medesk includes SMS consent management functionality that enables clinics to log patient communication preferences directly within the patient record, reducing the risk of sending promotional messages to patients who have not opted in.

Best practice checklist for SMS opt-in consent:
- Use an unticked checkbox or equivalent affirmative mechanism
- State clearly that the consent is for text messages specifically
- Name the organisation sending the messages
- Explain what types of messages will be sent
- Provide a simple method to withdraw consent at any time
- Record the consent with a timestamp and the mechanism used
- Keep marketing consent separate from clinical consent
- Never use pre-ticked boxes or implied consent
Patient Data and NHS Text Messaging Compliance
Both NHS bodies and private clinics in the UK handle patient data under the same overarching legal framework, but the operational context differs in important ways. NHS providers are subject to additional guidance from NHS England and NHS Digital on data governance, while private clinics operate primarily under UK GDPR, the Data Protection Act 2018, and PECR.
For NHS providers, text messaging used for service messages is generally treated as a necessary part of providing care. These texts carry low regulatory risk provided they do not include promotional content, do not contain unnecessary clinical detail, and are sent only to the patient to whom the message relates. The ICO's guidance on service messages confirms that transactional and service communications of this kind do not require marketing consent, provided they remain strictly non-promotional.
The principle of data minimisation is important here. A compliant appointment reminder does not need to include the patient's diagnosis, medication information, or any detail beyond what is necessary to remind them of the appointment.
Sending more patient data than is needed in a text message creates both a data protection risk and a potential confidentiality issue. This principle applies equally across NHS and private settings.
Private clinics must be particularly careful about the boundary between service messages and promotional content.
- A text saying "Your appointment with Dr Smith is confirmed for Tuesday at 10am" is a service message.
- A text saying "Don't forget your appointment and ask about our new aesthetics range" is partially promotional and therefore subject to PECR's consent rules for the promotional element.
Healthcare providers of all types should also consider their obligations under the principle of secure messaging. Patient phone numbers and message content constitute sensitive personal data in a healthcare context. Any platform used to send patient text messages must apply appropriate security controls, and a data processing agreement must be in place with any third-party SMS provider.
For a detailed overview of patient data protection governance obligations in UK healthcare, the ICO's sector-specific guidance is the primary reference point.
Key obligations for NHS and private providers:
- Send service messages without including unnecessary personal or clinical detail
- Keep promotional and clinical communications clearly separated
- Apply data minimisation to all patient-facing text communications
- Maintain records of what messages were sent, when, and on what basis
- Ensure any third-party SMS platform is covered by a data processing agreement
Data Security, Retention, and Patient Rights for SMS
Storing and transmitting patient phone numbers and message content creates obligations under UK GDPR that go beyond consent. Clinics must implement appropriate technical and organisational measures to ensure the data security of that information.
- Encryption is one of the most important safeguards. Patient phone numbers stored in your practice management system should be encrypted at rest. Where SMS messages are sent through a third-party provider, you should confirm that the provider applies appropriate security measures during transmission. A data processing agreement must be in place with any third party that handles patient data on your behalf.
In the event of a data breach involving patient phone numbers or message content, the UK GDPR requires clinics to notify the ICO within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.
Where the breach carries a high risk to patients, the affected individuals must also be notified directly. Many clinics underestimate how a breach involving SMS data can erode consumer trust and patient confidence, particularly given the sensitive nature of healthcare information.
- Data retention rules require that phone numbers and message logs are not kept longer than necessary. If a patient has not engaged with the clinic for several years and there is no ongoing clinical need to retain their contact details, those records should be reviewed and, where appropriate, deleted. A documented retention schedule covering phone numbers and SMS logs demonstrates accountability to the ICO.
- Patients also have the right to erasure, meaning they can ask you to delete their personal data in certain circumstances. This right is particularly relevant where a patient's only connection to the clinic was via a marketing opt-in that they have since withdrawn. In those cases, there may be no legitimate reason to retain their contact details at all.
- A clear and accessible privacy policy should explain to patients how their data is used for text messaging, what their rights are, and how to exercise them. Transparency in this area directly supports patient confidence in how your clinic handles their information.
For further guidance on upholding confidentiality in health and social care, including how data governance principles apply across different care settings, see our dedicated resource.
| Patient Right | What It Means for SMS Compliance |
|---|---|
| Right to erasure | Patients can request deletion of phone number and message history |
| Right to withdraw consent | Patients can stop promotional texts at any time without affecting their care |
| Right of access | Patients can request copies of data held about them, including message records |
| Right to be informed | Privacy policy must explain how phone numbers are used |
Medesk includes patient data encryption as part of its architecture, helping clinics meet their technical security obligations without requiring separate configuration.
How Medesk Ensures PECR and GDPR Compliance in Patient Texting
Managing GDPR compliance for text messages in a busy clinical environment requires more than a policy document. It requires systems that make compliance straightforward at the point of communication.
Medesk is built specifically for healthcare providers and addresses the practical compliance challenges this article has outlined. The platform's SMS consent management tools allow practice staff to record and update patient communication preferences within the patient record, so there is always an auditable trail of who has consented to receive SMS marketing and when. This removes reliance on paper forms or separate spreadsheets that can become outdated.

Medesk's secure messaging workflow keeps clinical service messages separate from promotional communications, reducing the risk of inadvertently sending unsolicited marketing to patients who have not opted in. Patient data encryption is applied to personal data stored within the system, supporting clinics in meeting their technical security obligations under UK GDPR.
The platform also includes PECR compliance tools that help clinic managers monitor and control how text messages are used across the practice, providing the visibility needed to demonstrate compliance if the ICO were to conduct an audit or investigate a complaint.
For a full overview of how Medesk supports compliant patient communication, visit the GDPR-compliant patient communication feature page.
Medesk provides the SMS consent management, secure appointment reminders, patient data encryption, and PECR compliance tools that clinic managers need to stay compliant with confidence. Ensuring GDPR compliance for text messages is simpler when your practice management system is designed with healthcare data protection at its core.
Start for free today to see how Medesk can support your practice's patient communication compliance.
Frequently Asked Questions
- Does GDPR apply to text messages?
Yes. GDPR applies because text messages sent by a clinic typically involve processing personal data. In addition to GDPR, PECR applies specifically to text messages used for direct marketing, requiring separate prior consent from the recipient.
- Do you have to gain consent to communicate with your customers after GDPR?
It depends on the type of message. Service messages such as appointment reminders can be sent on the basis of contract or legitimate interests without explicit marketing consent. However, any text that constitutes direct marketing requires prior opt-in consent under PECR, regardless of the GDPR lawful basis used to process the patient's contact details.
- What counts as consent under GDPR?
Valid consent must be freely given, specific, informed, and indicated through a clear affirmative action. Pre-ticked boxes, silence, or assumed agreement do not qualify. The patient must take a deliberate positive step, and they must be able to withdraw consent at any time without any negative consequence to their care.
- Will a text message hold up in court?
Text messages can be used as evidence in legal proceedings. However, clinics that send unsolicited marketing texts without valid consent may find themselves facing enforcement action from the ICO rather than relying on those messages in court. Regulatory fines and enforcement notices are a more immediate concern for non-compliant SMS marketing in a healthcare context.
- What is meant by processing personal data?
In a healthcare context, processing personal data includes storing a patient's phone number in your practice management system, using that number to send a message, and retaining any record of that communication. All of these activities are subject to UK GDPR, even if the messages themselves contain no clinical information.