The Data Protection Act 1998 has far-reaching implications for how personal data is managed and how it may be used. This includes 'sensitive' personal data (such as health records), which must be registered, kept accurate, secured, and disposed of when no longer required. The legislation can be found on-line, and further information is available at the Data Protection website.
Morgan Grenfell Asset Management were prosecuted when they failed to erase financial records on old computers which were sold on.
Personal data covers both facts and opinions about an individual, such as:
It also includes information regarding the intentions of the 'data controller' towards the individual. Anyone processing personal data (where 'processing' incorporates the concepts of 'obtaining', 'holding', 'retrieving' and 'disclosing') must comply with the eight enforceable principles of good practice, which say that data must be:
The Patient's Charter identifies "the right to have access to your health records"; therefore patients may make a request to you to see exactly what personal data is 'processed' about them and to whom it is disclosed (subject to minor exemptions; see the Access to Health Records Act 1990). To help with this process you are required to 'notify' your use of personal data (see www.dpr.gov.uk/search.html). In the spirit of trust and transparency you may also need to obtain patients' consent, which can be implicit (informed transactional agreement) or explicit (they have signed their agreement to processing for that purpose). A sample 'patient leaflet' is also available.
Disclaimer: This FAQ was written by Megan Quentin-Baxter and does not reflect an official endorsement by the HEA or any other organisation. Any questions or queries should be sent to megan@medev.ac.uk
Last updated: 04 July 2011