
What does the Data Protection Act do?

Jan 02, 2016


barclay-kim

Transcript
Page 1: What does the  Data Protection Act do?

What does the Data Protection Act do?

It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of personal data

Enter Organisation

Logo Here

Page 2: What does the  Data Protection Act do?

Processing

The definition of processing is very wide:

Obtaining

Recording

Holding

Using

Erasure

Destruction

“Any operation” on the data


Page 3: What does the  Data Protection Act do?

Terminology

Data Controller: a person who (alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Data Subject: an individual who is the subject of personal data


Page 4: What does the  Data Protection Act do?

Personal data

Personal data e.g. name, address, telephone number

Sensitive personal data

Racial or ethnic origin

Political opinions/membership of trade union

Religious beliefs

Physical or Mental Health record

Sexual life

Alleged offences/legal proceedings


Page 5: What does the  Data Protection Act do?

Relevant Filing System

The information must be structured to enable easy access to the information e.g. health records are normally filed alphabetically or numerically, which means that the file is easily accessible.

Examples: Card Index File arranged alphabetically File with dividers


Page 6: What does the  Data Protection Act do?

The Data Protection Principles

1 Processed fairly and lawfully

2 Processed for specified purposes

3 Adequate, relevant and not excessive

4 Accurate and kept up to date

5 Not kept for longer than necessary

6 Processed in accordance with the rights of data subjects

7 Protected by appropriate security (practical and organisational)

8 Not transferred outside the EEA without adequate protection

Page 7: What does the  Data Protection Act do?

Principle 1

Processed fairly and lawfully

Data subject not misled or deceived into giving the information

Data subject given basic information describing who will process the data for what purpose(s)

Schedules of conditions are satisfied

Explicit Consent / Informed Consent

Lawful purpose and common law of confidentiality complied with

Page 8: What does the  Data Protection Act do?

Reasons for the leaflet

Caldicott Management Audit: We need to tell patient/clients about the ways in which information is collected about them and how it will be used

Data Protection Act 1998: We are required by law to inform individuals about how their information is used and shared

Displaying the leaflet means you are meeting these requirements

Page 9: What does the  Data Protection Act do?

Principle 1 - Schedule 2

Conditions:

The data subject has consented

Processing is necessary for the performance of a contract or pre contract steps

Legal obligation of the data controller

Vital interests of the data subject

Administration of justice, by or under enactment, government department etc.

Legitimate interests of the data controller so long as the rights and freedoms or legitimate interests of the data subject are not prejudiced.


Page 10: What does the  Data Protection Act do?

Principle 1 - Schedule 3

Conditions:

The data subject has given explicit consent

The processing is necessary for any right or obligation in connection with employment

Necessary to protect the vital interests of the data subject or another person

Non-profit making bodies

Where the personal data has been made public by the data subject

Legal proceedings

Medical purposes

Page 11: What does the  Data Protection Act do?

Principle 2

Processed for specified purposes

Review the purposes of your organisation

Check your Notification

Information mapping

Ensure disclosures are properly handled

Access to Health Records policy

Compliance with information sharing guidelines/legislation


Page 12: What does the  Data Protection Act do?

Principle 3

Adequate, relevant and not excessive

Apply good data management practices –

Only collect and keep the information you require

Do not collect information “just in case it might be useful one day!”

Factual, clear and legible! Abbreviations!


Page 13: What does the  Data Protection Act do?

Principle 4

Accurate and kept up to date

Take care inputting information

Formal processes to ensure personal data is kept accurate and up to date


Page 14: What does the  Data Protection Act do?

Principle 5

Not kept for longer than necessary

Ensure compliance with legal requirements and established guidelines for retention periods

For the Record HSC 1999/053

Review procedures for retention and disposal

Safeguard the confidentiality of personal data being destroyed


Page 15: What does the  Data Protection Act do?

Principle 6

Processed in accordance with the rights of data subjects

Compensation

Rectification/blocking/erasure

Request an assessment

Processing for direct marketing

Automated decision making

Subject access

Prevention of processing

Page 16: What does the  Data Protection Act do?

Principle 7

Protected by appropriate security (practical and organisational)

Security: IT and non-technical

Controlling access to information

Staff selection and training

Ensuring business continuity

Detecting and dealing with breaches of security

Confidentiality contracts with third parties


Page 17: What does the  Data Protection Act do?

Principle 8

Not transferred outside the EEA without adequate protection

Beware of others without equivalent protection

Contracts with third party suppliers

Internet web sites

Transfer of records


Page 18: What does the  Data Protection Act do?

[Image: labelled reference items, including Caldicott Manual, Security Policy, Presentations, Diary, Procedure Manual, Human Rights Act, HSC 1999/053, Caldicott toolkit, HSG (96) 18, Directory, Dictionary, Thesaurus, Data Protection Training Courses, DPA: An Action Plan, For The Record]