200 likes | 438 Views
What does the Data Protection Act do?. It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of personal data. Enter Organisation Logo Here. Processing. The definition of processing is very wide: Obtaining Recording Holding Using
E N D
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of personal data Enter Organisation Logo Here
Processing • The definition of processing is very wide: • Obtaining • Recording • Holding • Using • Erasure • Destruction • “Any operation” on the data Enter Organisation Logo Here
Terminology • Data Controller: a person who (alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed • Data Subject: an individual who is the subject of personal data Enter Organisation Logo Here
Personal data Personal data e.g. name, address, telephone number Sensitive personal data Racial or ethnic origin Political opinions/membership of trade union Religious beliefs Physical or Mental Health record Sexual life Alleged offences/legal proceedings Enter Organisation Logo Here
Relevant Filing System • The information must be structured to enable easy access to the information e.g. health records are normally filed alphabetically or numerically, which means that the file is easily accessible. • Examples: • Card Index • File arranged alphabetically • File with dividers Enter Organisation Logo Here
The Data Protection Principles • Processed fairly and lawfully • Processed for specified purposes • Adequate, relevant and not excessive • Accurate and kept up to date • Not kept for longer than necessary • Processed in accordance with the rights of data subjects • Protected by appropriate security (practical and organisational) • Not transferred outside the EEA without adequate protection Enter Organisation Logo Here
Principle 1 Processed fairly and lawfully • Data subject not misled or deceived into giving the information • Data subject given basic information describing • who will process the data • for what purpose(s) • Schedules of conditions are satisfied • Explicit Consent / Informed Consent • Lawful purpose and common law of confidentiality complied with
Reasons for the leaflet • Caldicott Management Audit We need to tell patient /clients about the ways in which information is collected about them and how it will be used • Data Protection Act 1998 We are required by law to inform individuals about how their information is used and shared Displaying the leaflet means you are meeting these requirements
Principle 1 - Schedule 2 • Conditions: • The data subject has consented • Processing is necessary for the performance of a contract or pre contract steps • Legal obligation of the data controller • Vital interests of the data subject • Administration of justice, by or under enactment, government department etc. • Legitimate interests of the data controller so long as the rights and freedoms or legitimate interests of the data subject are not prejudiced. Enter Organisation Logo Here
Principle 1 - Schedule 3 • Conditions: • The data subject has given explicit consent • The processing is necessary for any right or obligation in connection with employment • Necessary to protect the vital interests of the data subject or another person • Non-profit making bodies • Where the personal data has been made public by the data subject • Legal proceedings • Medical purposes Enter Organisation Logo Here
Principle 2 Processed for specified purposes • Review the purposes of your organisation • Check your Notification • Information mapping • Ensure disclosures are properly handled • Access to Health Records policy • Compliance with information sharing guidelines/legislation Enter Organisation Logo Here
Principle 3 Adequate, relevant and not excessive • Apply good data management practices – • Only collect and keep the information you require • Do not collect information “just in case it might be useful one day!” • Factual, clear and legible! • Abbreviations! Enter Organisation Logo Here
Principle 4 Accurate and kept up to date • Take care inputting information • Formal processes to ensure personal data is kept accurate and up to date Enter Organisation Logo Here
Principle5 Not kept for longer than necessary • Ensure compliance with legal requirements and established guidelines for retention periods • For the Record HSC 1999/053 • Review procedures for retention and disposal • Safeguard the confidentiality of personal data being destroyed Enter Organisation Logo Here
Principle6 Processed in accordance with the rights of data subjects • Compensation • Rectification/blocking/erasure • Request an assessment • Subject access • Prevention of processing • Processing for direct marketing • Automated decision making Enter Organisation Logo Here
Principle 7 Protected by appropriate security (practical and organisational) • Security: IT and non-technical • Controlling access to information • Staff selection and training • Ensuring business continuity • Detecting and dealing with breaches of security • Confidentiality contracts with third parties Enter Organisation Logo Here
Principle 8 Not transferred outside the EEA without adequate protection • Beware of others without equivalent protection • Contracts with third party suppliers • Internet web sites • Transfer of records Enter Organisation Logo Here
Caldicott toolkit Caldicott Manual Training Courses Security Policy HSC 999/012 DPA: An Action Plan HSC 199/217 HSC 1998/064 For The Record Thesaurus HSJ Procedure Manual ESHA Directory HSC 1999/053 Data Protection Human Rights Act Presentations HSG (96) 18 Dictionary 2001 Diary 2000 Diary FIO Act