Data Protection Act

The legislation came into force on 1st March 2000. The purpose of the Act is to protect the rights of the individual with regard to the collection and processing of personal information or data.

The original 1984 Act covered computer held personal data but under the 1998 Act manual records have been included. However, there are transitional arrangements that mean the requirements concerning manual records are exempt until 24/10/01.

All members of staff should be very aware that all information or data must be treated in strictest confidence. Data must never be disclosed inappropriately. The Trust treats any breach of confidentiality as a serious disciplinary issue.

Also under the Data Protection Act 1998, the unlawful processing, or disclosure of personal data to a third party, is a criminal act. Not only is the Trust potentially liable to prosecution, but so is the member of staff who made the disclosure.

For the purposes of the Act, personal data can be described as information that can identify a living individual. It should therefore be obvious to all concerned that, in the Trust, this includes any documentation or computer held data which contains names, addresses, and associated data such as the nature of illness, treatment undertaken, staff records or payroll information etc.

Computer systems are not notified individually under the Act, but the purposes for which the data will be used are.

Under the Act, the Trust must notify the Commissioner and specify what data we are going to collect, what we will use it for, where the data will be collected from, and to whom the data will be disclosed.

The Data Protection Act is set around 8 principles and gives the individual 7 rights.

The principles are: –

Personal data shall be processed fairly and lawfully.

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data shall be accurate and where necessary kept up to date.

Personal data processed for the purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Personal data shall be processed in accordance with the rights of the data subjects under this Act.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Individual rights are: –

Right of access.

Right to prevent processing likely to cause distress.

Right to prevent processing for purposes of direct marketing.

Rights in relation to automated decision taking. The individual can insist in writing that no automatic decision making process can be implemented without some form of manual vetting of the process.

Right to compensation.

The rights to rectify, block, erase and destroy incorrect data.

Request the Commissioner to adjudicate if necessary.

Under the Act, holding inaccurate data is an offence. Data quality is important in a number of ways. Errors could result in a letter being sent to the wrong address or a patient receiving inappropriate treatment. Subsequent litigation against the Trust could be very costly.

Under the Access to Healthcare Records Act and the Data Protection Act 1998, patients generally have access to all their healthcare records. The exception is where the disclosure could have a detrimental effect on the patient’s well-being. Each application for disclosure is approved by the clinicians involved in the patient’s treatment.

Clearly it should be borne in mind that since the patient may see what has been written, it must therefore be accurate and objective. Inappropriate comments in letters could have a devastating effect on the patient.

A copy of the Trust’s Data Protection Notification and the Trust’s policy and guidance concerning confidentiality will be kept in the Information Management & Technology Security Manual.

This will ensure that the Trust’s Data Register is accurate and up to date and that Data Protection guidance can be given where appropriate.

Further information concerning the Data Protection Act 1998 is available from Information Governance, 12 Boutport Street, Barnstaple.

Data Protection Register – Entry Details (pdf)

ICO Registration Certificate for 2018 (pdf)

Last updated: March 20, 2018