Data Protection Act (2018)
What is the Data Protection Act 2018?
The Data Protection Act 2018 replaces the previous legislation (the Data Protection Act 1998). It has been written to take account of the fact that daily life now involves far more ‘digital’ activity than before, which makes protecting personal information a more challenging task.
The Act sits alongside the EU General Data Protection Regulation (GDPR) and applies to ‘controllers’ and ‘processors’ of personal data.
A ‘controller’ decides the reasons for processing personal data and how that processing will be done. Within EEAST, the Trust Board is ultimately responsible for this, but we also have a Data Protection Officer whose job it is to make sure this is done correctly and who can challenge the Board regarding the processing of data where they feel it appropriate to do so.
Processing includes collecting, storing, using, disclosing and destroying personal information such as staff records, patient records (including CAD information and PTS journeys), recruitment information, and so on. Put simply, anything that contains something as basic as a person’s name is classed as containing personal information.
What does this mean for staff?
A data ‘processor’ is anyone who handles information on behalf of the Trust. We all have a responsibility to make sure that we treat any information we collect or handle with care and that, in line with the Regulation, there is a ‘legal basis’ (a valid reason) for collecting and holding it. In our case, most of the information we collect and hold relates to patient care, which provides the ‘legal basis’.
We also need to make sure that the ‘legal basis’ is explained to our patients.
Information held by other departments, e.g. HR, Scheduling and Training, is also classed as personal information and needs to be treated in the same way. The ‘legal basis’ may differ from department to department; for example, sharing data with payroll is necessary for the performance of your employment contract.
Should there be a personal data breach, the data controller (the Trust) must notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the people affected, we also have a duty to inform those individuals. The new legislation allows for much higher penalties for data breaches, so it is really important that staff report an incident as soon as they become aware of it.
What does this mean for patients?
The Regulation gives patients more rights over their personal data. As under the previous legislation, a patient has the right to be provided with copies of the information we hold about them; however, the period in which we must comply with such a request is reduced to one month.
Information must also be provided free of charge unless the request is manifestly unfounded or excessive. If a decision is made to refuse a request, the reason must be given and the patient told that they can raise the matter with the Information Commissioner’s Office (ICO).
Patients also have greater rights to have their records rectified or erased, and to object to or restrict processing (the way we use their information).
What is the Trust doing to comply?
Our Information Governance Manager has been appointed as the Trust’s named Data Protection Officer and is working with the IG team and all departments to make sure that processes and systems are in place, or scheduled to take effect, to ensure compliance with the new Regulation.
We are also undertaking a major Trust-wide project to understand what information we hold, in what format, and what we do with it, both internally and externally. The results are recorded in our Information Asset Register.
Other points completed, or in progress, include:
review of all policies and procedures to ensure they meet the new legislation
review of staff IG training requirements
publication of new privacy notices
contacting all third-party providers we deal with, e.g. Payroll, GRS, Cleric, Datix, etc., to request assurance regarding their compliance with the Data Protection Act (2018)
Data Protection Impact Assessments
Copies of the Trust’s Data Protection Impact Assessments are available upon request.
Please email firstname.lastname@example.org to request copies.