Post on 18-Dec-2015
What does the Data Protection Act do?
It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of personal data.
Enter Organisation
Logo Here
Processing
The definition of processing is very wide and covers "any operation" on the data, including:
Obtaining
Recording
Holding
Using
Erasure
Destruction
Terminology
Data Controller: a person who (alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
Data Subject: an individual who is the subject of personal data
Personal data
Personal data, e.g. name, address, telephone number
Sensitive personal data:
Racial or ethnic origin
Political opinions
Religious beliefs or other beliefs of a similar nature
Membership of a trade union
Physical or mental health or condition
Sexual life
Commission or alleged commission of offences, and related legal proceedings
Relevant Filing System
The information must be structured to enable easy access to the information, e.g. health records are normally filed alphabetically or numerically, which means that the file is easily accessible.
Examples:
Card index file arranged alphabetically
File with dividers
The Data Protection Principles
1 Processed fairly and lawfully
2 Processed for specified purposes
3 Adequate, relevant and not excessive
4 Accurate and kept up to date
5 Not kept for longer than necessary
6 Processed in accordance with the rights of data subjects
7 Protected by appropriate security (practical and organisational)
8 Not transferred outside the EEA without adequate protection
Processed fairly and lawfully
The data subject is not misled or deceived into giving the information
The data subject is given basic information describing who will process the data and for what purpose(s)
A Schedule 2 condition is satisfied (and, for sensitive personal data, a Schedule 3 condition as well)
Explicit consent / informed consent
Lawful purpose, and the common law duty of confidentiality complied with
Principle 1
Reasons for the leaflet
Caldicott Management Audit: we need to tell patients/clients about the ways in which information is collected about them and how it will be used
Data Protection Act 1998: we are required by law to inform individuals about how their information is used and shared
Displaying the leaflet means you are meeting these requirements
Principle 1 - Schedule 2
Conditions:
The data subject has consented
Processing is necessary for the performance of a contract or for pre-contract steps
Legal obligation of the data controller
Vital interests of the data subject
Administration of justice, functions by or under an enactment, of a government department, etc.
Legitimate interests of the data controller, so long as the rights and freedoms or legitimate interests of the data subject are not prejudiced
Principle 1 - Schedule 3
Conditions:
The data subject has given explicit consent
The processing is necessary for any right or obligation in connection with employment
Necessary to protect the vital interests of the data subject or another person
Non-profit-making bodies
Where the personal data has been made public by the data subject
Legal proceedings
Medical purposes
Principle 2
Processed for specified purposes
Review the purposes of your organisation
Check your Notification
Information mapping
Ensure disclosures are properly handled
Access to Health Records policy
Compliance with information sharing guidelines/legislation
Principle 3
Adequate, relevant and not excessive
Apply good data management practices:
Only collect and keep the information you require
Do not collect information "just in case it might be useful one day!"
Keep records factual, clear and legible, and take care with abbreviations
Principle 4
Accurate and kept up to date
Take care inputting information
Formal processes to ensure personal data is kept accurate and up to date
Principle 5
Not kept for longer than necessary
Ensure compliance with legal requirements and established guidelines for retention periods (For the Record, HSC 1999/053)
Review procedures for retention and disposal
Safeguard the confidentiality of personal data being destroyed
Principle 6
Processed in accordance with the rights of data subjects
Compensation
Rectification/blocking/erasure
Request an assessment
Prevention of processing for direct marketing
Automated decision making
Subject access
Prevention of processing
Principle 7
Protected by appropriate security (practical and organisational)
Security: IT and non-technical
Controlling access to information
Staff selection and training
Ensuring business continuity
Detecting and dealing with breaches of security
Confidentiality contracts with third parties
Principle 8
Not transferred outside the EEA without adequate protection
Beware of others without equivalent protection
Contracts with third-party suppliers
Internet web sites
Transfer of records
[Figure: collage of related documents and guidance: Caldicott Manual; Security Policy; HHSJ Presentations 2001; Diary; Procedure Manual; Human Rights Act; FOI Act; HSC 1999/053; HSC 1998/064; HSC 199/217; Caldicott toolkit; HSG (96) 18; HSC 999/012; 2000 Diary; ESHA Directory; Dictionary; Thesaurus; Data Protection Training Courses; DPA: An Action Plan; For The Record]