The Act regulates the processing of personal data about living individuals.
What is data?
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information that is:
- wholly or partly processed by automated means; or
- processed other than by automated means which forms part of, or is intended to form part of, a filing system (being any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis).
What is personal data?
Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
It includes any expression of opinion about the individual and any indication of the intentions of the Trust or any other person in respect of the individual.
What is sensitive personal data?
Sensitive personal data is personal data consisting of information pertaining to the following:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
What does processing personal data mean?
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The definition of processing is very wide and it is difficult to think of anything that RDaSH might do with data that will not be defined as processing.
The law identifies seven key principles for data processing which should lie at the heart of our approach to processing data:
- Lawfulness, fairness and transparency – data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose – data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy – data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage – data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- Integrity and confidentiality (security) – data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability – the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Rights and duties
The Trust’s duties under the Act apply throughout the period when personal data is being processed, as do the rights of individuals in respect of that personal data. All employees must comply with the Act from the moment the data is obtained until the time when it has been returned, deleted or destroyed. The Trust’s duties extend to the way personal data is disposed of when it no longer needs to be retained: refer to the Records Management Retention & Disposal Policy for further information.
Changes in the Trust’s circumstances do not reduce an individual’s rights under the Act. If an organisation is abolished, dissolved, taken over or merged with another, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles; however, responsibility for ensuring this happens may shift, depending on the circumstances.