PAS Introduction - Data Protection and Security Guidelines


PAS Introduction - Data Protection and Security Guidelines

The Data Protection Act 2018 (UK variant of the wider European General data Protection Regulation)

The DPA18 applies to a wide definition of personal data, in short "any information relating to" an individual (i.e. includes identifiers such as name, ID numbers, phone number, online ID, mobile device ID, or one or more factors about an individual’s physical, physiological, genetic, mental, economic, cultural or social identity). Pseudonymised data will also be classed as identifiable and should be afforded the same levels of confidentiality.

Six privacy principles for handling Personal Identifiable Data

  1. Lawfulness, fairness and transparency:
    Transparency: Tell the subject what data processing will be done. Fair: What is processed must match up with how it has been described. Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)]. If you are unsure about the lawfulness of your processing please contact rch-tr.infogov@nhs.net for support and advice.
  2. Purpose limitations:
    Personal data can only be obtained for “specified, explicit and legitimate purposes”[article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
  3. Data minimisation:
    Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. In other words, no more than the minimum amount of data should be kept for specific processing.
  4. Accuracy:
    Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining ensures good protection and protection against identity theft. Data holders should build rectification processes into data management / archiving activities for subject data.
  5. Storage limitations:
    Regulator expects personal data is “kept in a form which permits identification of data subjects for no longer than necessary” [article 5, clause 1(e)]. In summary, data no longer required should be removed.
  6. Integrity and confidentiality:
    Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [article 5, clause 1(f)].

Your obligations

Patient Confidentiality

REMEMBER

Information Governance Contact

The Information Governance email address: rch-tr.infogov@nhs.net.



Article ID: 35
Created: April 4, 2022
Last Updated: May 24, 2023
Author: Administrator

Online URL: https://elearning.cornwall.nhs.uk/site/kb/article.php?id=35