The Data Protection Act (DPA) 1998

The Act regulates the processing of personal data, held manually and on computer.

The Act

The Act applies to personal information generally, not just to health records, therefore the same principles apply to records of employees held by employers, for example in finance, personnel and occupational health departments.

Personal data is defined as data relating to a living individual that enables him/her to be identified either from that data alone or from that data in conjunction with other information in the data controller’s possession.

It therefore includes such items of information as an individual’s name, address, age, race, religion, gender, and physical, mental or sexual health.

Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosure and sharing it.

Using includes disposal, i.e. closure of the record, transfer to an archive or destruction of the record.

The Act contains three key strands.

These deal with:

  • notification by a data controller to the Information Commissioner
  • compliance with the eight data protection principles
  • observing the rights of data subjects

The Data Protection Act (DPA) 1998

Notification by a data controller

The data controller is the person who determines how and why personal information is processed.

The action of notification can be delegated to the most appropriate person within the organisation, for example the information management, or information governance lead.

Notification is the process of informing the Information Commissioner of the fact that processing of personal data is being carried out within a particular organisation.

Its purpose is to achieve openness and transparency – notification entries are placed in a register so that members of the public can check the type of processing being carried out by a particular organisation.

The notification process involves completion of a form stating the name of the data controller and detailing the types of processing being carried out.

You can telephone the notification helpline on 030 3123 1113 between the hours of 9.00am and 5.00pm

Compliance with the eight data protection principles

The eight principles advocate fairness and openness in the processing of personal information.

The principles are:

  • personal data shall be processed fairly and lawfully and must be processed in accordance with at least one of the conditions in schedule 2 of the Act. Where the data being processed is sensitive personal information (such as data relating to the physical or mental health of an individual), it must also be processed in accordance with at least one of the conditions in schedule 3 of the Act
  • personal data shall be obtained only for one or more specified and lawful purpose
  • personal data shall be adequate, relevant and not excessive for its purpose(s)
  • personal data shall be accurate and where necessary kept up to date
  • personal data shall not be kept for longer than is necessary for its purpose(s)
  • personal data shall be processed in accordance with the rights of data subjects under this Act
  • appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection 

Records management considerations

Principle 1

The aim of this principle is to ensure that personal data are processed fairly and lawfully and in accordance with a relevant condition from the schedules to the Act.

To meet the fair processing requirement, individuals must be informed of the fact of processing, including what information will be collected, and how it will be held, recorded, used and shared.

The Information Commissioner has issued guidance about the meaning of fair processing which indicates that the processing of personal data for purposes other than those for which the data has been provided may be unfair.

To meet the lawful processing requirement, personal data must be processed in accordance with all relevant laws, that is, other statutes such as Article 8 of the European Convention on Human Rights or the common law, such as the duty of confidence.

Health and social care records contain both personal and sensitive data within the terms of the Act, therefore processing can only be carried out if a condition from both schedules 2 and 3 is met.

The relevant condition to be satisfied for schedule 2 is likely to be one of the following:

  • where the processing is necessary for the exercise of any functions conferred on any person by or under any enactment
  • where the processing is necessary for the exercise of any other functions of a public nature exercised in the public by any person
  • where the processing is necessary to protect the vital interests of the patient/client, i.e. a ‘life or death’ situation
  • with the consent of the patient

The relevant condition to be satisfied for schedule 3 is likely to be one of the following:

  • for medical purposes by a health professional or by a person who owes the same duty of confidentiality as a health professional
  • where the processing is necessary to protect the vital interests of the patient/client or another person, that is, a ‘life or death’ situation, where consent cannot be obtained or the data controller cannot reasonably be expected to obtain consent
  • where the processing is necessary to protect another person, where consent of the patient/client has been unreasonably withheld
  • with the explicit consent of the patient

Although the Act does not state that explicit consent is required for the processing of health and social care information, compliance with the ‘lawful’ requirement means that the common law duty of confidence must be taken into account.

This duty requires that information given in confidence may not be disclosed without the consent of the giver of that information.

Therefore, where health and social care information will be disclosed to someone outside the care team, consent to the processing is necessary – see Common Law Duty of Confidentiality.

Principle 2

This principle requires that personal data is not processed in a way that is incompatible with the purpose for which it was obtained.

Organisations need to specify how they process information in their notification to the Information Commissioner.

They are then required to ensure that all processing carried out is in accordance with those stated purposes.

Patients/clients should be fully informed about the reason that their information is required, i.e. they are not misled into providing information for purposes of which they have no knowledge.

If information is obtained for a specific purpose, it must not be used for anything else unless consent is obtained for further uses of the information.

For example, identifiable patient information gathered to provide health or social care cannot be used for research unless patient consent is obtained or the information is anonymised.

Similarly, employee information collected to enable salary payment should not be used for purposes unrelated to this, for example, marketing of products and services, unless consent is obtained.

This principle reinforces the first principle in that it enables patients/clients and the public to find out how a particular organisation states it will use their information.

Principle 3

The aim of this principle is to ensure that organisational records management policies and procedures are in place to support the gathering of relevant, adequate information that is not excessive for its purpose.

Organisations should therefore ensure that the information collection procedures in place enable relevant questions to be asked and that training on information collection is made available to all relevant employees.

Systems and processes should be designed to ensure only relevant information is captured and processed.

The organisation should have procedures in place setting out ‘need to know’ access controls alongside processes that enable conformance to those controls for each member of staff.

Principle 4

Organisations may wish to follow the procedures and processes described in the Information Quality Assurance requirements of the Information Governance Toolkit which applies in England.

The procedures and processes should ensure that information is accurate and kept up to date.

Principle 5

The organisation should have procedures and processes in place for records appraisal so that records are kept for no longer than necessary for the purpose for which they are processed.

However, organisations should ensure that records are retained for the minimum periods specified in this Code.

The organisation should put in place disposal arrangements for the destruction, archiving and closure of records, and procedures to prevent unnecessary copying of information.

Archival bodies such as the Public Record Office of Northern Ireland are exempt from the 5th principle and are permitted to hold transferred public records indefinitely.

Principle 6

See Rights of data subjects.

Principle 7

Records storage conditions must provide environmentally safe protection for current and archived records.

Records must be protected by effective information security management and records management staff members should be aware of and comply with measures put in place.

Principle 8

This principle is not infringed if the explicit informed consent of the individual is obtained for the transfer.

Organisations must ensure that their contract includes terms to cover the protection of the data by the agency to the equivalent of the protection provided by the Data Protection Act 1998. 

Rights of the data subject

The Data Protection Act gives an individual several rights in relation to the information held about them.

Of particular relevance in a health and social care setting, is the right of individuals to seek access to their records held by the health or social care provider.

Access covers the right to obtain a copy of the record in permanent form, unless the supply of a copy would involve disproportionate effort or the individual agrees that his/her access rights can be met some other way, for example, by viewing the record.

Access must be given promptly and in any event within 40 days of receipt of the fee and request.

If the application does not include sufficient details to identify the person making the request or to locate the information, those details should be sought promptly and the 40-day period begins when the details have been supplied.

If access has been given, there is no obligation to give access again until a reasonable period has elapsed. What is reasonable depends on the nature of the data, the purposes for which it is processed and the frequency with which it has been altered.

The right of access is exercisable by the individual:

  • making a written application to the organisation holding the records
  • providing such further information as the organisation may require to sufficiently identify the individual
  • paying the relevant fee

The fee for providing the individual with a copy of a computerised record is £10.

For healthcare records held partially or entirely on paper, the maximum amount that can be charged is £50.

If no permanent record is requested, no fee for access may be made to records that are accessible and contain at least some entries made in the 40-day time period preceding the request, and not, nor intended to be, automatically processed.

A fee of £10 may be charged for viewing records that have not been added to in the 40 days prior to the access request.

There are two main exemptions from the requirement to provide access to personal data in response to a subject access request.

These are:

  • if the record contains third-party information (for example not about the patient or the treating clinician) where that third party is not a healthcare professional and has not consented to their information being disclosed. If possible, the individual should be provided with access to the part of the record that does not contain the third-party identifier
  • if access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person. If possible, the individual should be provided with access to that part of the record that does not pose the risk of serious harm

Records management considerations

Records management staff members have a key role in ensuring that health and social care records can be located, retrieved and supplied in a timely manner.

It is important that document management structures are set up in such a way as to enable them to carry out this role. 

Related articles

Back to top