Data Protection Act 2018

The Act regulates the processing of personal data about living individuals.

What is data?

Any information relating to an identified or identifiable natural person (“data subject”);

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Information that is:

  • wholly or partly processed by automated means; or
  • processed other than by automated means which forms part of, or is intended to form part of, a filing system (being any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis).

What is personal data?

Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.

It includes any expression of opinion about the individual and any indication of the intentions of the Trust or any other person in respect of the individual.

What is sensitive personal data?

Sensitive personal data is personal data consisting of information pertaining to the following:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

What does processing personal data mean?

Any operation or set of operations which is performed on personal data or on sets of

personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,  alignment or combination, restriction, erasure or destruction.

The definition of processing is very wide and it is difficult to think of anything that RDaSH might do with data that will not be defined as processing.

The law identifies seven key principles for data processing which should lie at the heart of our approach to processing data:

  • Lawfulness, fairness and transparency – data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose – data shall be collected for specified, explicit and  legitimate purposes and not further processed in a manner that is incompatible with
  • those purposes.
  • Data minimisation – data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy – shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage – shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • Integrity and confidentiality (security) – shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
  • unlawful processing and against accidental loss, destruction or damage, using  appropriate technical or organisational measures.
  • Accountability – the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Rights and obligations

Data subject – the individual who is the subject of the personal data, i.e.: a person who particular data is about. N.B. The Act does not count a person who has a died or an individual who cannot be distinguished from others as a data subject.

Data controller – determines the purposes and means of processing personal data.  They are not relieved of their obligations where a processor is involved –further obligations are placed on them to ensure their contracts with processors comply with the law

Data processor – is responsible for processing personal data on behalf of a controller.  They are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach.

Rights and duties

The Trust’s duties under the Act apply throughout the period when personal data is being processed, as do the rights of individuals in respect of that personal data. All employees must comply with the Act from the moment the data is obtained until the time when it has been returned, deleted or destroyed. The Trust’s duties extend to the way personal data is disposed of when it no longer needs to be retained: refer to the Records Management Retention & Disposal Policy for further information.

Changes in the Trust’s circumstances do not reduce an individual’s rights under the Act. If an organisation is abolished, dissolved, taken over or merged with another, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles; however, responsibility for ensuring this happens may shift, depending on the circumstances.

Other key definitions

Inaccurate data – The Act defines ‘inaccurate’ as “incorrect or misleading as to any matter of fact”. It will usually be obvious whether personal data is accurate.

It should be noted that personal data may not be inaccurate if it faithfully represents someone’s opinion about an individual, even if the data subject disagrees with it, for example, a doctor’s medical opinion about an individual’s condition. In these circumstances the data would not need to be “corrected” but the data controller may have to add a note stating that the data subject disagrees with the opinion.

You must always be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not. For example, just because personal data has changed doesn’t mean that a historical record is inaccurate – but you must be clear that it is a historical record.

Third party – any “person” as recognised in law other than:

(a) the data subject,

(b) the data controller, or

(c) any data processor or other person authorised to process data for the data controller or processor.