Data Protection Act guide for website

The Data Protection Act
A Quick Reference Guide




                                                            www.buckspct.nhs.uk
Version 1.2 - updated February 2009
What is the Data Protection Act 1998?

The Data Protection Act became law in March 2000. It sets standards which must be
satisfied when obtaining, recording, holding, using or disposing of personal data.

These are summarised by eight Data Protection Principles, which state that personal
data must be:

1.    Processed fairly and lawfully
2.    Processed for specified purposes
3.    Adequate, relevant and not excessive
4.    Accurate and kept up to date
5.    Not kept for longer than necessary
6.    Processed in accordance with the rights of the data subjects
7.    Protected by appropriate security (practical and organisational)
8.    Not transferred outside the EEA without adequate protection

As well as information held on computers, the Data Protection Act 1998 also covers
most manual records, such as health, personnel, finance, contractors, volunteers,
card indices, etc.


Principle 1 – Processed fairly and lawfully
There should be no surprises – therefore data subjects should be informed why their
information is being collected and who you may share it with.

For example, when formulating a research project remember to be open and
transparent about what you will be doing with the information.

Be open, honest and clear


Principle 2 – Processed only for specified purposes
Only use personal information for the purpose(s) for which it was obtained.

For example, personal information on a patient administration system must only be
used for healthcare purposes and not for looking up friends’ birthdays or postcodes.

Only share information outside your service/team if you are certain it is appropriate to
do so – if in doubt, check first.


Principle 3 – Adequate, relevant and not excessive
Only collect the information you require; it is not acceptable to hold information
unless you have a view as to how it will be used. Do not collect information “just in
case it might come in handy”.

For example, taking both daytime and evening telephone numbers when you will
only ever phone during the day is excessive.

Explain all abbreviations, use clear legible writing and stick to the facts; avoid
personal opinions and comments.



Principle 4 – Accurate and kept up to date
Take care inputting information to ensure accuracy. How do you know the
information is up to date? What mechanisms do you have for checking accuracy and
whether information is up to date?

For example, each time a patient attends a clinic, they should be asked to confirm
that their details are correct – address, telephone number, etc.

Check existing records thoroughly before creating new records to ensure there is no
duplication.


Principle 5 – Not kept for longer than necessary
Personal information cannot be kept “in case it comes in handy one day” – retention
guidelines should be followed and can be found in “Records Management – NHS
Code of Service/team”. Regular housekeeping can save space and prevent it
becoming a big job.


Principle 6 – Processed in accordance with the rights of the data subject
This principle governs access to information, prevention of processing, junk mail and
faxes, rectification, requesting an assessment, etc.

For example, a patient asks for a copy of his/her medical record – the Act gives you
40 days to comply with the request.


Principle 7 – Protected by Appropriate Security
This principle is split into two – Practical and Organisational.

Practical: covers the things you can do to ensure the service/team meets the
requirements of the Act, such as not sharing passwords, ensuring information is
transported safely, ensuring confidential conversations cannot be overheard, keeping
records and papers secured away, etc.

Organisational: covers what the service/team should provide, such as training,
confidentiality clauses in contracts, procedures for accessing personal data, etc.


Principle 8 – Not transferred outside the EEA without adequate protection
This principle governs sending information outside the European Economic Area. Be
careful about entering information into websites without consent; check where the
information is going, etc.


Caldicott Principles
The Chief Medical Officer commissioned a review into how the NHS used patient
information and came up with the following principles:

1.    Justify the purpose(s) of using confidential information
2.    Only use it when absolutely necessary
3.    Use the minimum that is required
4.    Access should be on a strict need to know basis
5.    Everyone must understand his or her responsibilities
6.    Understand and comply with the law

Your Service/team should have a nominated “Information Governance Lead” who is
responsible for patient information.


For further information please contact:
                      The Information Governance Manager
                                  Rapid House
                                40 Oxford Road
                                High Wycombe
                                     Bucks
                                   HP11 2EE
                   01494 555523 simon.lacey@buckspct.nhs.uk



