Data Protection Act
The Data Protection Act 1998 (DPA) regulates the processing of personal data, whether held manually or on computer. It applies to personal information generally, not just to health records. (The notification regime and the eight data protection principles described below are those of the 1998 Act; from 25 May 2018 it was replaced by the Data Protection Act 2018 and the UK GDPR, which restate the principles in Article 5 of the GDPR.)
Personal data is defined as data relating to a living individual who can be identified either from that data alone, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the data controller.
Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosing and sharing it. 'Using' includes disposal, i.e. closure of the record, transfer to an archive or destruction of the record.
The key areas for compliance for organisations are:
- notification by a data controller to the Information Commissioner
- compliance with the eight data protection principles
The eight principles are listed below:
1. Personal data shall be processed fairly and lawfully and must be processed in accordance with at least one of the conditions in Schedule 2 of the Act. Where the data being processed is sensitive personal data (such as data relating to the physical or mental health of an individual), it must also be processed in accordance with at least one of the conditions in Schedule 3 of the Act.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive for its purpose(s).
4. Personal data shall be accurate and where necessary kept up to date.
5. Personal data shall not be kept for longer than is necessary for its purpose(s).
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Dr Mark Daniels is the Caldicott Guardian at Imperial College Health Centre.