Data Protection Act
This page refers to the Data Protection Act 1998. This is sometimes abbreviated to DPA.
The Act is legislation governing how individuals and organisations are expected to store and use personal data on individuals, with the aim of maintaining the individual's right to privacy and confidentiality.
It applies to records kept in any form, not just electronic data. There are eight principles regarding data:
- Processed "fairly and lawfully".
- Used for "specified and lawful" purposes and no further.
- "Adequate, relevant and not excessive" for the purposes described.
- "Accurate and, where necessary, kept up to date".
- "Not be kept for longer than is necessary".
- Processed in accordance with the individual's rights (as set out in the rest of the Act).
- Protected from "unauthorised or unlawful" processing and from "accidental loss or destruction of, or damage" to the data.
- Not be transferred to places outside the European Economic Area unless adequate safeguards are in place.
Patients have a right to see any personal information held on them within 40 days of receipt of the request. If payment is required, the 40-day period starts when payment is received (maximum fee 50 pounds).
Relevance to Medical Practitioners
Practitioners need to register as a data controller if dealing with personal data.
If the data is suitably anonymised, e.g. if hospital numbers need a further secure computer system to identify the patient, then registration as a data controller may not be necessary.
It is unclear who is the data controller when data is stored electronically (i.e. the person entering the data, or the person maintaining the computer system).
Registering as Data Controller
Register via the Information Commissioner's Office. Registration is relatively straightforward. A £35 annual fee is payable.
Beware of bogus companies and agencies offering to assist with data protection.
- transporting notes
- encryption if patient details on computers, etc.