The Data Protection Act 1998 is an Act of the UK Parliament that requires information collected by organisations to be used fairly, stored securely and not disclosed to any other person unlawfully.
The General Data Protection Regulation (GDPR) is European Union (EU) legislation through which the European Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection rights for all individuals within the EU. It also governs the export of personal data outside the EU.
It will be implemented into UK law before the UK leaves the EU, and will almost certainly remain in place after Brexit.
The principles under the Data Protection Act
Anyone processing personal data must comply with the eight enforceable principles of good practice:
- One: Personal data shall be processed fairly and lawfully, and only where at least one of the processing conditions listed below is met.
- Two: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Three: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Four: Personal data shall be accurate and, where necessary, kept up to date.
- Five: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Six: Personal data shall be processed in accordance with the rights of data subjects under the Act: an individual is entitled, at reasonable intervals and without undue delay or expense, to be told whether a data controller holds personal data of which they are the subject, to have access to that data (for which an administration charge may be made) and, where appropriate, to have it corrected or erased.
- Seven: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Eight: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
In accordance with the Data Protection Act 1998, the Practice will only process personal data where at least one of the following conditions is met:
- The data subject has given consent
- The processing is necessary for the performance of a contract with the data subject, or for taking steps at the data subject's request with a view to entering into a contract
- The processing is required to comply with a legal obligation
- The processing is necessary to protect the vital interests of the data subject
- The processing is necessary for the administration of justice or the exercise of public functions
- The processing is necessary to pursue the legitimate interests of the data controller or a third party, except where it would prejudice the rights, freedoms or legitimate interests of the data subject
Sensitive personal data (such as information about health, racial or ethnic origin, religious beliefs, sexual life or criminal offences) will only be processed where one of the following additional conditions is met:
- The data subject has given explicit consent
- The data subject has deliberately made the information public
- The processing is necessary to exercise or perform a right or obligation conferred or imposed by law on the Practice in connection with employment
- The processing is necessary to protect the vital interests of the data subject or another person, and consent cannot be given by or reasonably obtained from the data subject
- The processing is necessary for the administration of justice, or in connection with legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights
- The processing is necessary for medical purposes and is undertaken by a health professional or by a person who owes an equivalent duty of confidentiality
- The processing of information about racial or ethnic origin is necessary for monitoring equality of opportunity and is carried out with appropriate safeguards for the rights and freedoms of data subjects
Patient Consent for Electronic Communication