Data protection

Data protection

What is the Data Protection Act 1998?

The Data Protection Act 1998 became law in March 2000.  It sets standards which must be satisfied when holding, obtaining, recording, using and sharing of personal data.

The Act covers both electronic and manual records.

Data protection principles

There are eighht Data Protection Principles which state that personal data must beL

1.  Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: 

a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

There should be no surprises, inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with.

When working in a team, ensure that the patient is aware of who the members of the team are, and that all those involved with their care may need to see their notes.  

2.  Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Only use personal information for the purpose(s) for which it was obtained.  For example:  personal information on clinical systems must only be used for healthcare purposes - not for looking up friends' addresses or birthdays.

Only share information outside your team, ward or department if you are certain that it is appropriate and necessary to do so. If in doubt - check first!

3.  Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Only collect and keep information which you need.  It is not acceptable to hold information unless you have a view as to how it will be used.  Do not collect information 'just in case it might be useful one day!  For example:  taking both daytime and evening telephone number is you know you will only call in the day.

Explain all abbreviations, use clear and legible writing and Stick to the facts - avoid personal opinions and comments.

4.  Personal data shall be accurate and, where necessary, kept up to date.

Take care when inputting information to ensure accuracy:

  • How do you know the information is up to date? 
  • What mechanisms do you have for checking the information is accurate and up to date?  For example:  each time a patient attends clinic, they should be asked to confirm that their details are correct (address, telephone number etc)

Check existing records before creating new records to avoid creating duplicates.

5.  Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. This is the fifth data protection principle. In practice, it means that you will need to:

  • Review the length of time you keep personal data;
  • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  • Securely delete information that is no longer needed for this purpose or these purposes; and
  • Update, archive or securely delete information if it goes out of date.

6.  Personal data shall be processed in accordance with the rights of data subjects under this Act.

The rights of individuals that it refers to are:

  • A right of access to a copy of the information comprised in their personal data;
  • A right to object to processing that is likely to cause or is causing damage or distress;
  • A right to prevent processing for direct marketing;
  • A right to object to decisions being taken by automated means;
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
  • A right to claim compensation for damages caused by a breach of the Act.

7.  Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.  Operational and OrganisationalSecurity.

In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • Be clear about who in your organisation is responsible for ensuring information security;
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • Be ready to respond to any breach of security swiftly and effectively.

8.  Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For example: the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.