Many organisations, including Wrightington, Wigan and Leigh NHS Foundation Trust, process and hold details about people. Each is known as a 'Data Controller'.
The growth in the use of personal data has many benefits, such as better medical care or helping to fight crime, but there are also possible problems. Problems could arise if information about an individual is recorded incorrectly (for example, regarding a diagnosis or treatment), is out of date or is confused with information about someone else.
The Data Protection Act 1998 requires the Trust, as a data controller, to comply with the rules of good information handling practice, known as the Data Protection principles. The principles require, amongst other things, that personal data are processed fairly and lawfully, are accurate and relevant and subject to appropriate security.
There are 8 principles of the Data Protection Act 1998, which are:
- Principle 1 - Processed fairly and lawfully
There should be no surprises about how we use patient and staff information and therefore we need to inform all patients and staff why we collect information, what we are going to do with it and who it may be shared with. Find out more about how we collect and use your information.
- Principle 2 - Processed only for specified purposes
Personal information should only be used for the purpose for which it was obtained. For example, patient information on a Patient Administration System (PAS) must only be used for healthcare purposes.
- Principle 3 - Adequate, relevant and not excessive
The Trust should only collect and keep the information that is required to care for and treat patients. It is not acceptable to hold information unless there is a view as to how it will be used. The Trust must not collect information "just in case it might be useful one day!"
- Principle 4 - Accurate and kept up-to-date
The Trust must take care when inputting information to ensure accuracy. How do we know the information we have on our systems about you is up to date? This is why each time a patient attends a clinic, they are asked to confirm their details are correct. This is undertaken by asking their name, their address and their postcode. If a patient provides this information rather than answering a question with a 'yes' or 'no' reply, we can check the demographic details correctly and pick up any unusual spellings or changes to details. This avoids duplicate records being created on the system.
- Principle 5 - Not kept for longer than necessary
The Trust follows the records retention periods for health records and non-health records as stated in the Records Management: NHS Code of Practice. Everyone must ensure regular housekeeping / spring cleaning of information held takes place. Information is disposed of using confidential waste processes.
- Principle 6 - Processed in accordance with the rights of the public
Subject Access - people do have the right to request access to their records. More information can be found in this section of the intranet.
Prevention of processing
Prevent processing for direct marketing - an end to junk mail and faxes!
Automated decision taking
Rectification / blocking / erasure
- Principle 7 - Protected by appropriate security
Ensuring security of confidential faxes by using safe haven / secure faxes
Keeping confidential papers locked away
Ensuring confidential conversations cannot be overheard
Keeping your passwords secret
Ensuring information is transported securely
Ensuring Information Governance training is completed for everyone
Ensuring all staff have a confidentiality clause in the employment contract
Confidentiality contracts with third parties - e.g. archiving, cleaners, temporary staff, outside contractors
- Principle 8 - Not transferred outside the European Economic Area (EEA) without adequate protection
If sending personal information outside the EEA ensure consent is obtained and is
Checking where your information is going e.g. where are our suppliers based?
To sum up, remember that information the Trust holds must be:
Held securely and confidentially
Obtained fairly and efficiently
Recorded accurately and reliably
Used effectively and ethically
Shared appropriately and lawfully
Enforcement of the Data Protection Act 1998 is the responsibility of the Information Commissioner. They are also responsible for providing advice and assistance to both data controllers and the public.