Data Protection

Many organisations, including Wrightington, Wigan and Leigh NHS Foundation Trust, process and hold details about people. They are known as 'Data Controllers'.

The growth in the use of personal data has many benefits, like better medical care or helping to fight crime, but there are also possible problems. It could cause problems if information about an individual is recorded incorrectly (for example, regarding a diagnosis or treatment), is out of date or is confused with information about someone else.

The Data Protection Act 1998 requires the Trust, as a data controller, to comply with the rules of good information handling practice, known as the Data Protection principles.  The principles require, amongst other things, that personal data are processed fairly and lawfully, are accurate and relevant and subject to appropriate security.

There are 8 principles of the Data Protection Act 1998, which are:

  • Principle 1 - Processed fairly and lawfully

    There should be no surprises about how we use patient and staff information and therefore we need to inform all patients and staff why we collect information, what we are going to do with it and who it may be shared with.  Find out more about how we collect and use your information.

  • Principle 2 - Processed only for specified purposes

    Personal information should only be used for the purpose for which it was obtained.  For example, patient information on a Patient Administration System (PAS) must only be used for healthcare purposes.

  • Principle 3 - Adequate, relevant and not excessive

    The Trust should only collect and keep the information that is required to care for and treat patients. It is not acceptable to hold information unless there is a view as to how it will be used. The Trust must not collect information "just in case it might be useful one day!"

  • Principle 4 - Accurate and kept up-to-date

    The Trust must take care when inputting information to ensure accuracy. How do we know the information we have on our systems about you is up to date? This is why each time a patient attends a clinic, they are asked to confirm their details are correct. This is undertaken by asking their name, their address and their postcode. If a patient provides this information rather than answering a question with a 'yes' or 'no' reply, it ensures we can check the demographic details correctly, including any unusual spellings or changes to details. This avoids duplicate records being created on the system.

  • Principle 5 - Not kept for longer than necessary

    The Trust follows the records retention periods for health records and non-health records as stated in the Records Management: NHS Code of Practice.  Everyone must ensure regular housekeeping / spring cleaning of information held takes place.  Information is disposed of using confidential waste processes.

  • Principle 6 - Processed in accordance with the rights of the public

    Subject Access - people do have the right to request access to their records.  More information can be found in this section of the intranet.
    Prevention of processing
    Prevent processing for direct marketing - an end to junk mail and faxes!
    Automated decision taking
    Rectification / blocking / erasure

  • Principle 7 - Protected by appropriate security

    Ensuring security of confidential faxes by using safe haven / secure faxes
    Keeping confidential papers locked away
    Ensuring confidential conversations cannot be overheard
    Keeping your passwords secret
    Ensuring information is transported securely
    Ensuring Information Governance training is completed for everyone
    Ensuring all staff have a confidentiality clause in the employment contract
    Confidentiality contracts with third parties - e.g. archiving, cleaners, temporary staff, outside contractors

  • Principle 8 - Not transferred outside the European Economic Area (EEA) without adequate protection

    If sending personal information outside the EEA ensure consent is obtained and is
    Checking where your information is going e.g. where are our suppliers based?

    To sum up, remember that information the Trust holds must be:

    Held securely and confidentially
    Obtained fairly and efficiently
    Recorded accurately and reliably
    Used effectively and ethically
    Shared appropriately and lawfully

  • Enforcement

    Enforcement of the Data Protection Act 1998 is the responsibility of the Information Commissioner.  They are also responsible for providing advice and assistance to both data controllers and the public.