Data Protection Act 1998

University Secretary’s OfficeData-Protection@bristol.ac.uk

2 The Act obliges you to:

• Collect information about people only with their permission, unless there is a legal reason to do so

• Show individuals the information it holds about them if they request it

• Be very careful when giving this information to anyone else

3 Personal Data

• any information• about living people • who can be identified by that

information • or by combining the information

with other data that you have, or are likely to have in the future

4 Examples of Personal Data

• ID number, NI number, NHS number, Postcode

• One or more factors specific to physical, physiological, mental, economic, cultural or social identity

5 The Act

Applies to all records, including:

• Paper, card indexes, microfiche• Electronic records, email • Photographs, visual images• Recordings, audiotape, videotape• CCTV, X-rays

6 Processing

Applies to anything that can be done to records including:

• obtaining/recording • holding • disclosing/publishing • typing/writing• destroying/disposing

7 Rights of Data Subjects

• Subject Access• To prevent processing likely to

cause damage or distress• To object to direct marketing • To object to automated decision

making

8 Rights

• To receive compensation for unwarranted damage or distress

• To ask the Court to order rectification, blocking, erasure, destruction of data

• Other remedies for inaccuracy

9 The Principles

The Act says personal data shall:• be collected and processed fairly

and lawfully (consent!);• be held for specific and lawful

purposes (specified in advance);• only be disclosed to those people

described in the register entry.

10 The Principles

The Act says personal data shall:• be adequate, relevant, and not

excessive;• be accurate, and where

necessary, kept up to date;• be held under secure conditions

for no longer than is necessary for the purpose.

11 What are Sensitive Data?

• Racial or ethnic origin• Political opinions• Religious, or other similar beliefs• Trade Union membership• Physical or mental health or

condition• Sexual life• Convictions or alleged criminal acts

12 Sensitive Data

You must have the specific written permission of the data subject to hold sensitive data

unless you already have a legal requirement to process those data.

13 Sensitive Data

Security must be appropriate to the degree of harm caused by the

misuse of data

14 Definitions

‘recording’ and ‘image’ include:• all types of audio and visual

recordings and images of people • originals or copies • carried out for any purpose

15 ‘Images/Recordings’

NOT included:• Pathology slides containing

human tissue (as opposed to an image of such a slide).

• CCTV recordings of public areas

16 When is consent not required?

• When images cannot, on their own, identify the patient and are suitably anonymised:– Pathology slides– X-rays– Laparoscopic images– Images of internal organs– Ultrasound images

17 Within the clinical setting

• Images made for clinical purposes form part of the medical record

• Images made for treating/ assessing a patient must only be used for the patient’s care or the audit of that care

18 Within the clinical setting

• Guidelines say:Truly anonymous recordings made for treating/assessing patients may be used within the clinical setting for education or research purposes without express consent as long as this policy is well publicised.

19 Within the clinical setting

BUT gain consent if:• images show extreme or unusual

features or injuries that could identify the subject, or

• images illustrate a condition that is so rare that individuals could be identified.

20 However…

• Informed consent must be sought for any form of publication, or for use outside the clinical setting.

21 Anonymising v consent

• Apparently insignificant features may still be capable of identifying the patient to others, such as distinguishing marks, tattoos, body piercings, posture and gait.

• Research shows it is usually impossible to be sure that a patient will not be identifiable from a recording

22 Anonymising v consent

• Therefore no recordings* should be published without patient consent

• Written consent must always be obtained in advance

• Get a signature• Give a contact name and address

23 Consent for publication

Tell the patient:• The possible uses of the images• The purpose for which they are

held• That it will not be possible to

control the use of material once it has been published, especially if it is to be published on the Internet

24 Consent for publication

• Make it clear to the patient:– that s/he can stop the recording at any time– S/he is entitled to view the image in the form in

which it will be shown before deciding whether to allow its use

– If s/he or she does not consent for the image to be used for these purposes it will be safely destroyed

25 Obtaining consent

Ask the patient:• To confirm specifically whether

images can be used for:– Teaching– Research– Publication in books– Publication on the internet

26 Consent

Consent must be meaningful:• Avoid jargon• Use plain language• Never imply consent is expected

27 Suggested Wording

This information will be held and processed for the

following purpose(s):

…………………………………………………….

I agree to the University of Bristol recording and

processing this information about me. I understand that

this information will be used only for the purpose(s) set out

in the statement above, and my consent is conditional

upon the University complying with its duties and

obligations under the Data Protection Act.

Signature……………………….. Date ……….

28 Consent

• Consent is a process, not merely obtaining a signature on a piece of paper

• Do not confuse capacity to give consent with your assessment of the reasonableness of the person’s decision

29 Consent by proxy

It is not possible to obtain consent by proxy

30

• Adults are always assumed to be competent to make decisions unless demonstrated otherwise.

• In England and Wales, no one (not even a spouse) can give consent on behalf of adults who are not capable of giving consent themselves.

Consent and Adults

31 Help people to give consent

Use:• Specialist colleagues such as speech

and language therapists or experts in the field of learning difficulty

• Pictures or communication aids • Appropriate, respectful, plain

language• Advocates

32 Consent and children

• Once children reach the age of 18 no one else can take decisions on their behalf.

• No specific age when a child becomes competent; depends on the child and the complexity of the proposed project (Gillick competence).

33 Consent and children

• If a child cannot consent, seek consent from the person with parental responsibility

• Younger children who can understand can give consent, but it is preferable also to involve their parents.

34 Consent and children

• Seek advice before proceeding if a competent child refuses but a parent agrees

35 Consent and children

• Always seek ethical approval when working with children

• Staff/students working with children should be CRB checked

36 Patients unable to consent

• NEVER research those who do not have the capacity to consent if you can achieve the same results researching those who do.

• If you wish to research those without the capacity to consent you MUST have the approval of an ethics committee.

37 Patients unable to consent

• Guidelines say:– make recording but consent must be

obtained when the person regains capacity

– recording must not be used until consent has been given

– must be destroyed if the patient does not consent to its use

38 Unlikely ever to give consent

• If the patient is unlikely ever to be able to give or withhold consent discuss the matter with those close to the individual.

• The recording should not be used in any way that might be against the best interests of the subject.

• Seek advice from data protection officer/ethics committee.

39 Existing collections

• Since 1997 GMC standards have required clinicians to obtain permission to make any recording that would not form part of the patient’s assessment or treatment, regardless of whether the patient may be identifiable.

40 Existing collections

• Recordings made after 1997 from which a patient can be identified but for which consent cannot be proved must not be used.

41 Pre-1997 collections

• Continue to use truly anonymised recordings

• Replace pre-1997 recordings with similar recordings for which consent has been obtained

• Have a documented, timetabled schedule of replacement.

42 Working with other organisations

• Ensure they have a registration • Gain consent BEFORE giving

them data• Gain consent BEFORE getting

data from them

• (exception – Secretary of State)

43 Summing up

• Plan ahead• Review patient information sheets

and consent forms• Have a confidential waste policy

for paper, tapes, audiotapes• Have a computer disposal policy

with appropriate software

44 Useful Links

Information Commissioner:http://www.dataprotection.gov.uk

The Data Protection Act 1998:http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm

Secretary’s Office:

http://www.bris.ac.uk/Depts/Secretary/datapro.htm

45

ANY QUESTIONS?

THANK YOU