The Data Protection Act 1998
The eight principles of the Data Protection Act 1998 apply to all staff handling personal information (on computer and manually held), and underpin all related policies and procedures. The eight principles are:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless certain conditions (set out in Schedules of the Act) are met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures (ie, security measures) shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Caldicott Report of 1997, HSC 1999/012, relating to patient-identifiable data recommended six Caldicott principles, to apply to the handling of patient-identifiable information, namely:
- Justify the purpose(s) of every proposed use or transfer
- Don’t use it unless it is absolutely necessary
- Use the minimum necessary
- Access to it should be on a strict need-to-know basis
- Everyone with access to it should be aware
- Understand and comply with the law.
Further information can be found at Calidcott Guardians.
Sources of information:
- All processing of personal data must comply with the terms and principles of the Data Protection Act 1998 and researchers must be aware of the University’s Data Protection Guidelines.
The first data protection principle requires, among other things, that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information.
The conditions for processing take account of the nature of the personal data in question. The conditions that need to be met are more exacting when the information being processed is sensitive personal data, such as information about an individual’s health or criminal record.
The conditions for processing are set out in Schedules 2 and 3 to the DPA. Unless a relevant exemption applies, at least one of the following conditions must be met whenever you process personal data:
The individual who the personal data is about has consented to the processing.
The processing is necessary:
in relation to a contract which the individual has entered into; or
because the individual has asked for something to be done so they can enter into a contract.
The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
The processing is in accordance with the “legitimate interests” condition.
The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.
The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.
At least one of the conditions must be met whenever you process personal data. However, if the information is sensitive personal data, at least one of several other conditions must also be met before the processing can comply with the first data protection principle.
These other conditions are as follows:
The individual who the sensitive personal data is about has given explicit consent to the processing.
The processing is necessary so that you can comply with employment law.
The processing is necessary to protect the vital interests of:
the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
another person (in a case where the individual’s consent has been unreasonably withheld).
The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
The individual has deliberately made the information public.
The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
The processing is necessary for administering justice, or for exercising statutory or governmental functions.
The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
In addition to the above conditions – which are all set out in the Data Protection Act itself – regulations set out several other conditions for processing sensitive personal data. Their effect is to permit the processing of sensitive personal data for a range of other purposes – typically those that are in the substantial public interest, and which must necessarily be carried out without the explicit consent of the individual. Examples of such purposes include preventing or detecting crime and protecting the public against malpractice or maladministration.
A full list of the additional conditions for processing is set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 and subsequent orders
Many of the conditions for processing depend on the processing being “necessary” for the particular purpose to which the condition relates. This imposes a strict requirement, because the condition will not be met if the organisation can achieve the purpose by some other reasonable means or if the processing is necessary only because the organisation has decided to operate its business in a particular way
International Ethical guidelines for Biomedical Research involving Human Subjects (Prepared by the Council for International Organizations of Medical Sciences (CIOMS) in collaboration with the World Health Organization (WHO), 2002)