December 2018: This chapter was updated to reflect the commencement of the Data Protection Act 2018.
Each organisation must collect, use, store and retain (for a specified time period) information about people with whom it works. This includes:
- adults and their families who use the service, including their children, and those who are no longer in receipt of services;
- current, past and prospective staff; and
In addition, it may be required to collect and use information in order to comply with the requirements of central government, such as in the case of a Safeguarding Adult Review or Care Quality Commission inspection.
The organisation must comply with the requirements of the Data Protection Act 2018 (DPA) and the European Union’s General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
The organisation must ensure through its procedures and working practices that all employees, contractors, consultants, suppliers and partners who have access to any personal data held by or on behalf of the organisation are fully aware of and abide by their duties and responsibilities under the DPA.
Personal information must be handled and dealt with in accordance with the legislation, however it is collected, recorded, stored and used, and whether it is held on paper, in computer or digital records, or recorded in any other way.
2.1 Data Protection Act 2018
The Data Protection Act 2018 replaces the Data Protection Act 1998. It aims to ensure that UK data protection legislation keeps pace with technological change and the impact that change has on the collection and use of personal data. It also ensures that the standards set out in the GDPR are implemented in the UK; these are stricter than those of the previous DPA.
In addition to governing general data covered by GDPR, the DPA covers other general data, law enforcement data and national security data and exercises a number of agreed changes to the GDPR to make it work for the benefit of the UK in areas such as child protection, academic research and financial services.
The Act introduces four different data protection regimes into UK data protection law. Each focuses on the regulation of personal data processing for a specific type or category of data processing:
- within the scope of the GDPR;
- outside the scope of the GDPR;
- by competent authorities for law enforcement purposes;
- by the intelligence services.
It also provides additional functions and clarification of the role of the Information Commissioner and the Information Commissioner’s Office.
2.2 General Data Protection Regulation
The GDPR is a European regulation which intends to strengthen and unify data protection for all individuals (the data subjects) within the European Union (EU). It also covers the export of personal data outside the EU. It aims to give citizens back control of their personal data and to simplify the regulatory environment for international business. It came into force on 25 May 2018.
The regulatory detail will not change once Britain leaves the European Union (EU) in 2019; it is incorporated in the DPA.
The main reasons for introducing the GDPR include:
- outdated legislation which is out of step with technological advances;
- an inconsistent approach in different EU countries to data protection;
- limited control for individuals, as data subjects;
- limited rights for data subjects;
- a lack of security and privacy in product development (for example, website design).
To tackle these concerns, the GDPR:
- stipulates that the regulation must be complied with by each EU member state and by any business that trades within the EU or with EU data;
- aims to create a consistent environment throughout Europe and beyond to enable the secure flow of data;
- gives individuals greater control of their data by improving consent processes;
- introduces the ‘right to be forgotten’, which enables the data subject to have their data ‘forgotten’ once it is no longer being used for the purpose for which it was collected. The ‘right to data portability’ allows individuals to acquire and reuse their personal data across different services.
3. Principles of Data Protection
Anyone processing personal data must comply with the principles laid down in the DPA. These are legally enforceable and require that:
- processing must be lawful and fair;
- purposes of processing must be specified, explicit and legitimate;
- personal data must be adequate, relevant and not excessive;
- personal data must be accurate and kept up to date;
- personal data must be kept for no longer than is necessary; and
- personal data must be processed in a secure manner.
3.1 Handling personal or sensitive information
The DPA outlines conditions for the processing of personal data, and makes a distinction between personal data and sensitive personal data.
Personal data is defined as data relating to a living individual who can be identified from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller, or of any other person, in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
- racial or ethnic origin;
- political opinion;
- religious or other beliefs;
- trade union membership;
- physical or mental health or condition;
- sexual life;
- criminal proceedings or convictions.
4. Data Protection Practice
The organisation must:
- fully observe the conditions regarding the fair collection and use of personal information;
- meet its legal obligations to specify the purpose for which information is used;
- collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- ensure the quality of information used;
- apply strict checks to determine the length of time information is held;
- take appropriate technical and organisational security measures to safeguard personal information;
- ensure that personal information is not transferred abroad without suitable safeguards;
- ensure that the rights of people about whom the information is held can be fully exercised under data protection legislation. These include:
  - the right to be informed that processing is being undertaken;
  - the right of access to one’s personal information within the statutory timescale;
  - the right to prevent processing in certain circumstances;
  - the right to correct, rectify, block or erase information regarded as wrong.
In addition, the organisation should ensure that:
- there is someone with specific responsibility for data protection in the organisation;
- everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- everyone managing and handling personal information is appropriately trained to do so;
- everyone managing and handling personal information is appropriately supervised;
- anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
- queries about handling personal information are promptly and courteously dealt with;
- methods of handling personal information are regularly assessed and evaluated;
- performance with handling personal information is regularly assessed and evaluated;
- data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All employees should be aware of this policy and of their duties and responsibilities under the DPA.
All managers and staff will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- paper files and other records or documents containing personal / sensitive data are kept in a secure environment;
- personal data held on computers and computer systems is protected by the use of secure passwords which, where possible, are subject to forced periodic changes;
- individual passwords are chosen so that they are not easily compromised.
All contractors, consultants, suppliers and partners must:
- ensure that they and all of their staff who have access to personal data held or processed for or on behalf of the organisation, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under data protection legislation. Any breach of any provision of the legislation will be deemed as being a breach of any contract between the organisation and that individual, partner or firm (see Report a Breach, Information Commissioner’s Office);
- allow data protection audits by the organisation of data held on its behalf (if requested);
- indemnify the organisation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All contractors and suppliers who use personal information supplied by the organisation will be required to confirm that they abide by the requirements of data protection legislation in relation to such information supplied by the organisation.
The organisation must also:
- ensure data subjects are given greater control of their data by improving consent processes. Consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes. It must be provided by a statement or a clear affirmative action signifying the individual’s agreement to the processing of their personal data;
- ensure that data subjects have the ‘right to be forgotten’, which enables them to have their data ‘forgotten’ once it is no longer being used for the purpose for which it was collected. The ‘right to data portability’ also allows individuals to acquire and reuse their personal data across different services;
- keep a record of data operations (mapping data flow within the organisation) and activities and assess if it has the necessary data processing agreements in place, and take action to remedy if not;
- carry out privacy impact assessments (PIAs) on its products and systems;
- designate a data protection officer (DPO) if applicable to the organisation;
- review processes for the collection of personal data;
- be aware of the duty to notify the Information Commissioner’s Office (the relevant supervisory authority) of a data breach;
- ensure ‘privacy by design’ and ‘privacy by default’ in new products (such as a new case recording system), assess whether existing products used by the organisation meet the new data protection standards, and take action accordingly to ensure compliance.
Please note: Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start, for example when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
Such systems should automatically provide privacy by default, rather than requiring activation by the user.