Research Project

Principle 1: Processed fairly and lawfully + only with a legitimate basis
There should be no surprises, so … inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with...
e.g. when formulating a research project, remember to be open and transparent about what you will be doing with the information

Principle 2: Processed only for specified lawful purposes/no incompatible processing
Only use the information for the authorised purpose(s) stated
Look out for tick boxes often hidden at the bottom of forms!!
• Please tick if you do not wish your details to be used for internal promotions or passed to our parent companies
• Please tick if you do not wish to receive information about products and services from carefully selected companies

Principle 3: Adequate, relevant and not excessive
Only collect and keep the information you require …
Do not keep “just in case it might be useful one day”!
e.g. taking both daytime and evening telephone number if you know you will only call in the day

Principle 4: Accurate and kept up-to-date
I wonder if anything has changed???
Are you sure your information is up to date?
Take care inputting data
Do you have mechanisms for checking your information is accurate?
e.g. each time a patient attends a clinic, they are asked to confirm that their details are correct - address, telephone number etc.

Principle 5: Not kept for longer than is necessary
Can I dispose of this now?
• Follow advised Retention periods
• For the Record (HSC 1999/053)
• Ensure regular housekeeping/spring cleaning
• Do not keep “just in case it might be useful one day”!

Principle 6: Processed in accordance with data subjects’ rights
Individual Rights
• Subject access
• Prevention of processing
• Processing for direct marketing
• an end to junk mail and faxes!
• Automated decision taking
• Compensation
• Rectification/blocking/erasure
• Request an assessment

Principle 7: Protected by appropriate security (Practical)
E.g.
• Keep your password secret
• Always keep confidential papers in a locked cabinet… clear desk policy?
• Ensure confidential telephone conversations cannot be overheard
• Ensure secure route for confidential faxes (Safe Haven)

Principle 7: Protected by appropriate security (Organisational)
[Diagram: ESHA Security Policy, with the labels IT, Building, Contracts, Storage, Procedures, Human Resources, Disposal, Equipment]
An organisation needs ...
• Good data management practices
• Guidelines on IT security
• Staff training
• Confidentiality clause in employment contracts
• Procedure for access to personal data
• Confidentiality contracts with third parties e.g. archiving companies, cleaners, confidential waste

Principle 8: Not transferred outside the European Economic Area (EEA) without adequate protection
Be careful about Websites
e.g. if putting personal information data on a website, gain consent from the person first
Where is your support service operator based?? … if outside the EEA is your information adequately protected??

For further information ...
• Caldicott Guardian: Dr Ian Clark
• Data Protection Co-ordinator: Helen Wells
• Ext. 1061
• Information Integrity Support: Nicola Gould
• Ext. 1062
• Information Commissioner’s website: http://www.dataprotection.gov.uk
• Caldicott website: http://www.doh.gov.uk/confiden/index.htm