Data Protection Act

The Data Protection Act 2018 is the law which protects the rights of individuals when it comes to the processing of their personal data.

This law (now in its third generation) has been modernised to expand the definition of personal data to include biometric data and online and location identifiers, whilst also revising special category data (previously referred to as sensitive personal data). It has been implemented alongside the General Data Protection Regulation (GDPR).

There are six core principles which, if broken, can lead to prosecution not only of the Trust but the individual employee. These state that processing of personal data shall be:

  • Lawful, fair and transparent
  • For specific legitimate purposes
  • Adequate and limited to that purpose
  • Accurate and up to date
  • Storage limited
  • Secure (ensuring integrity and confidentiality)

An accountability principle has been added, designed to ensure that all Data Controllers (the Trust) have further accountability when it comes to ensuring that the data subject’s information is processed in accordance with these principles.

The Incident reporting requirement has also been updated with all organisations now having a 72-hour reporting deadline. The fee for a monetary penalty has risen from £500,000 to 20 million Euros or 4% of the gross annual turnover of the organisation. There will be a tiered approach depending on the size of the business and the level of data that has been breached.

It also changes the rules on consent and extends individuals rights to include the right:

  • to be informed
  • to erasure
  • to rectification

All staff should be aware that all personal information or data must be treated in the strictest confidence. The Trust treats any breach of confidentiality as a serious disciplinary issue.

Data must never be disclosed inappropriately. If you become aware of a data incident or un-intentional data disclosure please report this to your manager and ensure a Datix incident form is completed. Remember this must be as soon as possible, given the 72-hour deadline.

Further information about Data Protection is available from the Information Governance Team, 23 Castle Street, Barnstaple.

ICO Registration Certificate for 2019 (pdf)

Last updated: February 11, 2019