Data Protection Act 1998

Last reviewed 01/2018

Data Protection Act 1998(DPA 98) - The Eight Principles of the Act

  • 1. First Principle
    • "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
    • at least one of the conditions in Schedule 2 is met; and
    • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met"
  • 2. Second Principle
    • "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes"
  • 3. Third Principle
    • "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed"
  • 4. Fourth Principle
    • "Personal data shall be accurate and, where necessary, kept up to date"
  • 5. Fifth Principle
    • "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes"
  • 6. Sixth Principle
    • "Personal data shall be processed in accordance with the rights of data subjects under this Act"
  • 7. Seventh Principle
    • "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data"
  • 8. Eighth Principle
    • "Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data"

  • Quick Checklist for Guidance for Access to Health Records Requests under the Data Protection Act 1998
    • This Act gives every living person, or their authorised representative, the right to apply for access to their health records to obtain copies
    • Are you satisfied that you have consent from the patient and have enough information to identify them and locate the information they require, along with the relevant access fee?

      • if no then:
        • write back to the applicant, using a consent form, to obtain the appropriate information

      • if yes then:
        • log applicant request and comply promptly, within 21 days* of request

        • in exceptional cases it may take longer. If it appears likely that compliance will take longer than 40 days, the applicant should be informed and an explanation of the delay provided

        • ensure that the health professional has checked the patient's health records, as under the DPA 1998, they may limit or deny access to an individual's health record request under the following two reasons:
          • where the information released may cause serious harm to the physical or mental health or condition of the patient, or any other person
          • Or where access would disclose information relating to or provided by a third person who had not consented to that disclosure

        • deny access or provide the patient or their representative copies of the relevant parts of the health records or alternatively, if in agreement with the data controller, set a date for them to view the relevant records once the relevant fee has been paid

        • if a patient is unhappy with any aspects of the access request, try and resolve locally with the data controller. If this is not an option explain the NHS Complaints procedure or alternatively direct them to the Information Commissioner Office

* This 21 day requirement is part of a commitment that ministers made to parliament in order to maintain obligations under the superseded Access to Health Records Act 1990

Notes:

  • the Data Protection Act 1998 became effective from 1st March 2000, and superseded the Data Protection Act 1984 and the Access to Health Records Act 1990. The exception to this is the records of the deceased persons, which are still governed by the Access to Health Records Act 1990
  • the Data Protection Act 1998, gives every living person or their authorised representative, the right to apply for access to their health records irrespective of when they were compiled
  • within the Data Protection Act 1998 a health record is defined as a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual
  • a health record can be recorded in a computerised form or in a manual form or even a mixture of both. They may include such things as, hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records e.g. X-rays and not just X-ray reports, printouts from monitoring equipment, photographs, videos and tape-recordings of telephone conversations
  • the Data Protection Act 1998 is not confined to health records held for the purposes of the National Health Service. It applies equally to the private health sector and to health professionals' private practice records. It also applies to the records, for example, of employers who hold information relating to the physical or mental health of their employees if the record has been made by or on behalf of a health professional in connection with the care of the employee
  • responsibility for dealing with an access to health record request lies with the "data controller". A health professional i.e. the patient GP, is known as a data controller. A data controller is defined as a person who either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data about an individual are, or are to be, processed. A data subject would refer to the GP's patient
  • the Data Protection Act 1998, also gives patients who now reside outside the UK, the right to apply for access to their former UK health records
  • as a general rule a person with parental responsibility will have the right to apply for access to their child's health record
  • the Information Commissioners Office is the statutory body which has been established to perform various functions under the Data Protection Act 1998. They have a Website with useful guidance around the Act www.dataprotection.gov.uk or E-mail [email protected]. Alternatively to view the Act please visit the HMSO website www.legislation.hmso.gov.uk

For further information then click here