Data Protection

Summary

The Data Protection Act is about human rights, and specifically the right to privacy. The Data Protection Act 1998, Human Rights Act 1998 and the Freedom of Information Act 2000 are interlinked. They are intended to help maintain a fair balance between the rights and interests of individuals, in particular between the freedom to process information on the one hand and rights of privacy on the other.

Your responsibility

All NHS England employees (and staff working for us although employed via agencies) have a responsibility to pay attention to data protection, as most manage, or will manage, information about people at some time. All staff also need to be aware of their rights in relation to personal data held about them, how it is managed and how to request access to it.

Data protection – key principles

This short checklist will help you comply with the Data Protection Act. Being able to answer 'yes' to every question does not guarantee compliance, and you may need more advice in particular areas, but it should mean that you are heading in the right direction.

  • Do I really need this information about an individual? Do I know what I'm going to use it for?
  • Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
  • If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
  • Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
  • Is access to personal information limited to those with a strict need to know?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete or destroy personal information as soon as I have no more need for it?
  • Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
  • Do I need to notify the Information Commissioner and if so is my notification up to date?

Annex G: data protection principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  • At least one of the conditions for processing is met, and
  • In the case of sensitive personal data, at least one of the conditions for processing sensitive data is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate, and where necessary, kept up-to-date.
5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Correspondence

All correspondence progressed through our customer contact centre is logged on a bespoke contact management system. We have a responsibility to ensure accuracy and review of information before issuing responses. Currently, we hold a number of knowledge articles and responses containing information which may be relevant to other enquiries. Where this is the case, we are able to extract that information and formulate a response.

However, there will be occasions as we build our team and knowledge base where we do not have the information to hand in order for us to respond. Equally, we may have some information which answers some queries but not all.

As a result, often we will need to request information from staff within the organisation. When information is extracted from previous knowledge articles/responses, it is essential any personal data remains just that. We should only access any details held for legitimate work purposes.

Any individual has a right to contact NHS England to ask for any details/correspondence held about them. These are Subject Access Requests (SARs) and cover any information logged on our systems regarding that individual.

Please also remember that we should only discuss the details of a piece of correspondence with the person it has been addressed to. Additionally, copies of FOIs and general correspondence can only be sent to the correspondent (they can pass them to whoever they like). Correspondence received from an official (i.e. an MP) can only be sent to the MP's office (this is despite the fact the letter may be about someone's case - the letter is from an MP and therefore it is their case, not the constituent's). We can discuss official correspondence progress with representatives from the MP's office. If someone wishes to discuss their FOI or general correspondence case, please ask them for the reference number and confirm their name and address. If the correspondence has not yet been logged, please verify their details and then you can provide a reference number.

NHS Care Records

A Summary Care Record is an electronic record which contains information about the medicines a patient has, their allergies and any bad reactions to medicines they may have. Having this information stored in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed. Further information is found here:

Opting out –

  • Patients can call the information line on 0300 123 3020 to get an opt-out form posted to them, or
  • They can print off a copy via the web link above and hand it in at their GP practice

These are the only two ways to opt-out of the care record.