DATA PROTECTION ACT 1998 – IMPLEMENTATION PROJECT
Project Initiation Document
The main provision of the Data Protection Act 1998 came into force on 23 October 2001
although certain provisions relating to manual records are deferred until 23 October 2007.
The Act replaces the existing Data Protection Act 1984 and most of the Access to Health
Records Act 1990.
To identify the Trust’s responsibilities under the Data Protection Act 1998, to review the
existing policies and procedures for data protection established by the Trust and to revise
and consolidate these policies and procedures as appropriate to meet the requirements of
the Act. Appropriate links, and decisions about lead responsibility, will need to be made with
projects focusing on information security and on Caldicott/confidentiality as many of the Data
Protection requirements also apply to these work areas.
The project will ensure that the Trust complies with its legal obligations and with good
practice on data protection and confidentiality issues. The risks of legal or other action
against the Trust and/or adverse publicity will be minimised.
1. To revise the Trust policy statement on Data Protection, and to identify the
individuals responsible for ensuring the Trust’s compliance. Product = policy
statement; management arrangements statement
2. To review the procedures for ensuring the right of subject access for patients and
other members of the public. Product = product document
3. To review the procedures for ensuring the right of subject access for members of
the Trust’s staff. Product = procedure document
4. To establish means to ensure that patients (and other members of the public) are
adequately informed about the Trust’s uses of personal data and their rights of
subject access. This to be delivered as a joint product with work to satisfy
confidentiality/consent requirements. Product = publicity material
5. To establish means to ensure that staff are adequately informed about the Trust’s
uses of personal data and their rights of subject access. Product = publicity
6. To review all existing holdings of personal data within the Trust. Products =
inventory of personal data held; DP Act notification amendment if necessary
7. To establish procedures to identify changes and additions to holdings of personal
data within the Trust. Product = procedure document
8. To promote and maintain awareness of data protection, confidentiality and
information security issues throughout the Trust. This to be delivered as a joint
product with work to satisfy confidentiality and information security requirements.
Products = briefing notes; training presentations
Roles and Responsibilities
The project will report to the Information Governance Steering Group
The project team will form working groups with appropriate membership to address specific
Support to the project will be provided by the Senior Information Officer and the support staff
of the Confidentiality & Security Manager (all posts already funded)
The project team will ensure that all policies and procedures are in place by [date]. The
project team will draw up a timetable which may include earlier deadlines for certain
The Trust Board are corporately and personally liable for offences under the Data Protection
Act. Non-compliance with the Act may also result in adverse publicity for the Trust.
The quality assurance role will be undertaken by the Information Governance Group
The project will additionally be monitored by the IM&T Programme Board
The project must address all of the requirements for Data Protection compliance outlined in
the NHSIA Information Governance toolkit, and progress must be recorded appropriately
within the toolkit performance assessment facility by [date] .
The project will take account of:
Data Protection policies and procedures in other organisations within the local health
And parallel work to address information governance requirements relating to:
Information Quality Assurance