Data Protection Act 1998 and Patient Confidentiality

Barnsley Hospital NHS Foundation Trust processes data about individuals in order to provide a healthcare service. Processing includes collecting, storing, accessing, amending and destroying data.

The Data Protection Act 1998 provides a framework to ensure that this data is handled safely and securely and in accordance with the eight Data Protection Principles, which state that all personal data must be:

  • Principle 1 – Fairly and lawfully processed
    Personal data may only be processed if at least one of the Act's conditions for processing is met, for example the individual concerned (the data subject) has given consent, or the processing is necessary for a contract, a legal obligation, or the provision of medical care. The data subject should also be told who is processing their data and for what purpose.
  • Principle 2 – Processed for limited purposes
    Personal data should only be used for the purpose for which it was obtained. Data should not be disclosed to a third party without the prior consent of the data subject, unless the Trust is legally or contractually obliged to do so.
  • Principle 3 – Adequate, relevant and not excessive
    Only data relevant to the stated purpose should be collected.
  • Principle 4 – Accurate and up to date
    All reasonable steps should be taken to ensure that data held is accurate and up to date; for example, a change of address or telephone number should be recorded promptly.
  • Principle 5 – Not kept for longer than is necessary
    Out-of-date or redundant data should be destroyed in a secure and confidential manner.
  • Principle 6 – Processed in accordance with the rights of the data subject
    Data subjects can access the personal information held about them through the Subject Access Request procedure under the Act. Data subjects also have the right to request that inaccurate data is corrected and to prevent processing that is likely to cause damage or distress to themselves or to anyone else. There are exemptions from these rights, for example where data is processed for the prevention or detection of crime.
  • Principle 7 – Protected by appropriate security measures
    Appropriate technical and organisational measures should be in place to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Principle 8 – Not transferred outside the European Economic Area (EEA)
    Data should not be transferred outside the EEA unless the destination ensures an adequate level of protection for the data, or another exemption applies, such as the data subject's consent.

Requesting Personal Information

The Act also gives individuals the right to know what information Barnsley Hospital holds about them, by making a written request. This is known as a Subject Access Request, and the Trust must respond within 40 days of receiving a valid request.

  • For further details on the Data Protection Act 1998, its exemptions, Subject Access Requests and more, please visit the Information Commissioner's Office website: www.ico.gov.uk

This page was updated by Katie Claydon.