The Principles of Data Protection
Good information underpins good care. Patient and service user safety and preferences are supported when the confidentiality of their personal data is maintained, its integrity is protected against loss or damage, and the information is accessible to those who are authorised.
Everyone who uses health and social care services should be able to trust that their personal data (confidential and sensitive data in particular) are adequately protected. People should be assured that those involved in their care, and in running and improving the services, are using such information appropriately and respecting patient choices where allowed.
By being mindful of good practice when handling information, you can help to ensure that patients remain safe and receive the best possible care.
Remember, individuals have certain legal rights with regard to their personal data, and organisations have certain legal responsibilities or obligations to comply with when processing personal data. You will learn more about this as we go through the course.
When you are responsible for handling personal data yourself, remember that it is people's data: treat it with respect, use it only in ways they would reasonably expect, and keep it safe. In this session, you will learn more about the data protection law that makes sure everyone's data is used properly and legally.
We all have a duty to protect people's personal data in a safe and secure manner and share appropriately.
The UK General Data Protection Regulation (UK GDPR), which is the European GDPR as retained in UK law with the amendments set out in the "Keeling Schedule", and the Data Protection Act (DPA) 2018 together set out the legal framework for data protection in the UK. This combined data protection legislation applies to the collection, storage, processing, transfer and destruction of personal data.
Data protection law takes a risk-based approach which puts the onus on your organisation to think about and justify how and why personal data relating to living individuals is used. It sets out the key principles for processing personal data and individuals' rights in relation to the personal data your organisation holds about them. It also details your organisation's legal obligations to protect this data.
You are responsible for adhering to the rules and principles under data protection law within your remit, and further explained within your organisation guidance, policies and procedures.
The Information Commissioner's Office (ICO) regulates and enforces data protection law in the UK. It offers advice and guidance, promotes good practice, carries out audits, considers complaints, monitors compliance and takes enforcement action where appropriate.
Types of Data
In health and care settings, we come into contact with various types of personal data about people. It is important to be able to identify these different types of data so that they can be appropriately protected when they are used and shared.
Personal data
Information about someone is 'personal' if it directly or indirectly identifies an individual. It may be about living or deceased people, including patients, service users and members of staff.
You may come across the term 'personal data' which is used in data protection law and means personal information about living individuals. There are special categories of personal data which need a higher level of protection. These special categories include:
· Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
· Genetic data
· Biometric data (where used for identification purposes)
· Data concerning health, a person's sex life, or a person's sexual orientation
Confidential data
The general principle is that confidential information should not be shared for purposes other than direct care of the individual. Exceptions to this principle include where sharing information is required by law or there is an overriding interest, such as preventing harm to others or investigation of a crime.
Confidentiality does not relate only to patients and their health information; there may also be a duty of confidence where an employee discloses information to their employer. It is important to maintain the confidentiality of staff records, particularly where they relate to health or payroll information.
Maintaining confidentiality is the responsibility of all staff working in health and care. You should refer to your contract of employment for any confidentiality requirements set out by your employer as well as any professional standards if appropriate to your profession.
There is a spectrum of identifiability.
At one end of this spectrum a person is fully identifiable, but if you remove some of the information or take other measures to limit the information then it becomes more difficult to identify who that person is. At the other end of the spectrum, it is not possible to identify who someone is - they are effectively anonymous.
Identifiability can be separated into three different categories.
Personal data
An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. A name is perhaps the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context. A combination of identifiers may be needed to identify an individual.
Personal data may include:
· Name
· Identification number
· Location data
· Online identifiers
'Online identifiers' include IP addresses and cookie identifiers, which may be personal data. Other factors can identify an individual, e.g. address, full postcode, date of birth, NHS Number etc. Special category personal data, covered earlier in this training, is a more sensitive type of personal data which needs a higher level of care and security to protect it.
Personal data must be protected accordingly. The relevant laws set out when we can and cannot use it, the principles we must follow when we do use it, and the safeguards, controls and legitimate reasons that must be in place before we may use it. There are also sanctions under the Data Protection Act if personally identifiable data is misused.
De-personalised
This is information that does not identify an individual, because identifiers have been removed or encrypted. However, the information is still about an individual person and so needs to be handled with care. It might, in theory, be possible to re-identify the individual if the data was not adequately protected, for example if it was combined with different sources of information.
There are strict safeguards on how de-personalised information can be used, because there is the potential that it might be possible to re-identify someone. The higher the possibility of re-identification, the greater the level of control needed.
Pseudonymisation is a technique used to protect personal data. Pseudonymised data is information which has had identifiers removed or replaced by one or more artificial identifiers, or pseudonyms. Because the pseudonym can be linked back to the individual using the key or lookup table that is held separately, pseudonymised data is still personal data under the UK GDPR and must be protected as such.
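As an added example (not part of the original training material), the following Python shows why pseudonymised data still needs protection. An unkeyed hash of an identifier such as the NHS Number can be undone by anyone who holds a list of candidate identifiers from another source, which is exactly the "combined with different sources of information" case above, whereas an HMAC under a secret key held separately from the data cannot be recomputed without that key. The records, the NHS Numbers and the attacker's candidate list are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example only. The NHS Numbers are
# made-up 10-digit strings: not real patients and not check-digit valid.
RECORDS = [
    {"nhs_number": "9990000001", "postcode": "LS1 4AP", "condition": "asthma"},
    {"nhs_number": "9990000002", "postcode": "LS1 4AP", "condition": "diabetes"},
    {"nhs_number": "9990000003", "postcode": "M1 1AE", "condition": "asthma"},
]

# Identifiers an attacker already holds from another source, e.g. a second
# data set that still carries NHS Numbers (constructed for the example).
ATTACKER_KNOWN_IDS = ["9990000001", "9990000003", "9990000099"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Anyone who can enumerate or guess the identifier can recompute this
    value, so it gives no protection against re-identification by linkage.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key must be held separately from the de-personalised data (for
    example by the data controller only); without it the pseudonym cannot be
    recomputed from a known identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, pseudonym_fn, identifier_field: str = "nhs_number"):
    """Return copies of the records with the direct identifier replaced by a pseudonym.

    The same identifier always maps to the same pseudonym, so records about
    one person can still be linked within the data set.
    """
    out = []
    for record in records:
        row = {k: v for k, v in record.items() if k != identifier_field}
        row["pseudo_id"] = pseudonym_fn(record[identifier_field])
        out.append(row)
    return out


def linkage_attack(pseudonymised, known_identifiers, pseudonym_fn):
    """Re-identify rows by recomputing pseudonyms for identifiers the attacker holds.

    Returns a mapping pseudo_id -> recovered identifier for every row whose
    pseudonym matches a candidate. pseudonym_fn is whatever the attacker can
    compute; without the secret key, the best they can do is the unkeyed hash.
    """
    lookup = {pseudonym_fn(i): i for i in known_identifiers}
    return {
        row["pseudo_id"]: lookup[row["pseudo_id"]]
        for row in pseudonymised
        if row["pseudo_id"] in lookup
    }


def demo():
    """Run the same linkage attack against unkeyed and keyed pseudonyms.

    Returns (rows re-identified under the weak scheme,
             rows re-identified under the keyed scheme).
    """
    weak_rows = pseudonymise(RECORDS, weak_pseudonym)
    weak_hits = linkage_attack(weak_rows, ATTACKER_KNOWN_IDS, weak_pseudonym)

    key = secrets.token_bytes(32)  # held by the controller, never shipped with the data
    keyed_rows = pseudonymise(RECORDS, lambda i: keyed_pseudonym(i, key))
    keyed_hits = linkage_attack(keyed_rows, ATTACKER_KNOWN_IDS, weak_pseudonym)
    return len(weak_hits), len(keyed_hits)


if __name__ == "__main__":
    weak, keyed = demo()
    print(f"unkeyed hash: attacker re-identified {weak} of {len(RECORDS)} rows")
    print(f"keyed HMAC:   attacker re-identified {keyed} of {len(RECORDS)} rows")
```

Note that the keyed scheme only removes the direct identifier. The remaining fields (postcode, condition) are quasi-identifiers that can still single someone out, which is why de-personalised data is handled with care rather than treated as anonymous.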
Anonymised
This is information/data which cannot identify or re-identify an individual (directly or indirectly), either on its own or when combined with other information/data. It may be presented as general trends or statistics. Information about small groups or people with rare conditions could potentially allow someone to be identified and so would not be considered anonymous.
If personal data can be truly anonymised, the anonymised data is not subject to the UK GDPR.
In many cases it is acceptable and appropriate to publish or share anonymous information/data, and safeguarding non-personal data carries less risk or may not be required at all.
Anonymous data, even though it is not about individuals, can still be confidential to an organisation (for example commercially sensitive information) and should be protected where that is the case.
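As an added example (not part of the original training material), the following Python applies the small-groups point above to a table of counts before it is treated as anonymous: it flags any cell describing fewer people than a threshold, generalises the quasi-identifiers (exact age to an age band, full postcode to postcode area) so that more individuals share each value, and suppresses any cell that still falls below the threshold. The records are constructed, and the threshold of 5 is an assumption; publishers set their own small-number rules.

```python
from collections import Counter
from itertools import takewhile

# Constructed extract of de-personalised records (no real patients). Each row
# is one individual; the fields are quasi-identifiers, not direct identifiers.
ROWS = [
    {"age": 34, "postcode": "LS1 4AP", "condition": "asthma"},
    {"age": 36, "postcode": "LS1 4AP", "condition": "asthma"},
    {"age": 31, "postcode": "LS1 2AB", "condition": "asthma"},
    {"age": 38, "postcode": "LS2 9JT", "condition": "asthma"},
    {"age": 35, "postcode": "LS1 4AP", "condition": "asthma"},
    {"age": 33, "postcode": "LS2 3AA", "condition": "asthma"},
    {"age": 37, "postcode": "LS1 4AP", "condition": "rare_condition_x"},
]

# Assumed small-number threshold; real publishers set their own value.
SMALL_NUMBER_THRESHOLD = 5


def postcode_area(postcode: str) -> str:
    """Reduce a full UK postcode to its area letters, e.g. 'LS1 4AP' -> 'LS'."""
    outward = postcode.split()[0]
    return "".join(takewhile(str.isalpha, outward))


def age_band(age: int) -> str:
    """Map an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalise(row: dict) -> dict:
    """Coarsen the quasi-identifiers so that more individuals share each value."""
    return {
        "age_band": age_band(row["age"]),
        "postcode_area": postcode_area(row["postcode"]),
        "condition": row["condition"],
    }


def count_cells(rows, fields):
    """Count how many individuals fall into each combination of field values."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def small_cells(counts, threshold=SMALL_NUMBER_THRESHOLD):
    """Return the cells whose count is below the threshold (potentially identifying)."""
    return {cell: n for cell, n in counts.items() if n < threshold}


def is_safe_to_publish(counts, threshold=SMALL_NUMBER_THRESHOLD) -> bool:
    """True only when no cell describes a group smaller than the threshold."""
    return not small_cells(counts, threshold)


def suppress(counts, threshold=SMALL_NUMBER_THRESHOLD):
    """Replace small counts with None so the published table hides them."""
    return {cell: (n if n >= threshold else None) for cell, n in counts.items()}


def prepare_for_publication(rows):
    """Full pipeline: generalise, count, then suppress any remaining small cells."""
    fields = ("age_band", "postcode_area", "condition")
    counts = count_cells([generalise(r) for r in rows], fields)
    return suppress(counts)


if __name__ == "__main__":
    raw = count_cells(ROWS, ("age", "postcode", "condition"))
    print("raw cells describing a single person:", sum(1 for n in raw.values() if n == 1))
    print("safe to publish raw counts?", is_safe_to_publish(raw))
    print("published table:", prepare_for_publication(ROWS))
```

With exact age and full postcode, every cell in the constructed data describes one person, so the "statistics" are not anonymous at all. After generalisation the asthma group is large enough to publish, but the single person with the rare condition is still a small cell and is suppressed. One caveat a practitioner should keep in mind: if the table's total is also published, a lone suppressed cell can be recovered by subtraction, so real disclosure-control procedures add secondary suppression or rounding as well.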
The Principles of GDPR
Everyone responsible for using personal data has to follow strict rules specified under data protection law. These are known as the 'data protection principles'. They are listed below and must be adhered to whenever you process personal data.
1. Lawful, fair and transparent
· Know what data you are collecting about people
· Know why you are collecting data about people and record the valid legal reason for using and sharing the personal information, including when individuals have consented to the use
· Processing of personal data must not breach the common law duty of confidence*
· You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned
· You must be clear, open and honest with people from the start about how you will use their personal data. Your organisation will do this through the transparency (privacy) notice on the organisation's website, and you should do what you can within your remit in whichever way is required
* There must be a lawful basis for processing under the UK GDPR (and, for special category data such as health data, an additional condition under Article 9). Where personal data is processed for direct care, this is covered by the Article 9(2)(h) condition for the provision of health or social care or treatment and the management of health or social care systems and services.
2. Specified, explicit and legitimate purpose
· You must be clear from the outset about the purpose for processing the data
· You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law. However, exemptions may apply under GDPR and DPA for using personal data for other purposes. Contact your Information Governance Team for advice
3. Data minimisation
· You must ensure the personal data you are processing is:
o Adequate - sufficient to properly fulfil the stated purpose
o Relevant - has a rational link to that purpose
o Limited to what is necessary - you do not hold more than you need for that purpose. Only use or share the minimum amount of personal data necessary and document who the personal information may be shared with
4. Accurate and kept up to date
· You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact
· You may need to keep the personal data updated, although this will depend on what you are using it for
· If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible
· You must carefully consider any challenges to the accuracy of personal data
5. Kept no longer than necessary
· You must not keep personal data for longer than you need it
· You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data
· You need to comply with your organisation's policy (usually relating to records management) setting standard retention periods wherever possible
· You should also periodically review the data you hold, and erase it when you no longer need it
· You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data
· You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes
· You should process your records and documents holding data in line with your organisation's records or information management procedures and guidance
6. Secured appropriately
· You and/or your organisation must ensure that appropriate security measures are in place to protect the personal data held by your organisation or any other third party working on behalf of your organisation
· Keep the data secure and be aware of information risk and the requirements for data protection impact assessments. See your local organisation's guidance on carrying out data protection impact assessments as it may only be certain members of staff who are allocated responsibility and expected to do this
7. Accounted for
· Under Data Protection law, accountability makes the organisation responsible for complying with the legislation and says that the organisation must be able to demonstrate compliance. You can support this by reading and understanding your local data protection and security policies and procedures
· The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles
· You and your organisation must have appropriate measures and records in place to be able to demonstrate your compliance
The Rights of Individuals
Data protection law provides individuals with certain rights.
An individual has the right to be informed if their personal data is being used, what it is being used for and who it may be shared with. An organisation must inform the individual if it is using their personal data.
An individual has the right to ask an organisation whether or not they are using or storing their personal data. They can also ask them for copies of their personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request (SAR).
An individual can challenge the accuracy of personal data held about them by an organisation, and ask for it to be corrected or deleted. This is known as the 'right to rectification'. If their data is incomplete, they can ask for the organisation to complete it by adding more details.
An individual can ask an organisation that holds data about them to delete that data and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the 'right to be forgotten'.
Individuals have the right to request that the use of their personal data be restricted or limited. This applies only in certain circumstances. When processing is restricted, the organisation may store the personal data but not use it. This is known as the individual's 'right to restriction'.
This right is closely linked to rights to challenge the accuracy of data and to object to its use.
Where an individual provides their personal data directly to your organisation they have the right to request their personal data from your organisation in a way that is accessible and machine-readable, for example as a comma separated values (.csv) file.
They also have the right to ask an organisation to transfer their data to another organisation. They must do this if the transfer is, as the regulation says, 'technically feasible'.
This is known as the right to data portability
An individual has the right to object to the use of their personal data in some circumstances. If an organisation agrees to their objection, it must stop using their data for that purpose unless it can give strong and legitimate reasons to continue using the data despite the individual's objection.
An individual has an absolute right to object to an organisation using their data for direct marketing. This means it must stop using the data if the individual objects.
When a decision about an individual is made solely by automated means, without any human involvement, this is called 'automated individual decision-making and profiling', or 'automated processing' for short.
Individuals have the right not to be subject to a decision based solely on automated processing where it has legal or similarly significant effects on them, except in certain circumstances set out in the law.
An individual can tell an organisation or the Information Commissioner's Office (ICO) if they are concerned about how the organisation is using their data.
If you are approached by someone who wishes to exercise any of these rights, help them make their request by following your organisation's policies and procedures, or by directing them to the guidance on your organisation's website. Your organisation will have experts who know how to handle these requests and when a right can be upheld: individuals always have the right to make a request, but there are circumstances in which the organisation has a legitimate reason not to comply with it.
Be aware of your responsibilities for protecting people's information, keep the principles at the heart of your approach, and respect individuals' right to privacy.