Key Legislation and Guidance. The following legislation and guidance is provided to support and facilitate information sharing between agreed partner organisations, and is not to be used a barrier. General Data Protection Regulation (GDPR) The EU GDPR (General Data Protection Regulation) is a pan-European data protection law, which superseded the EU’s 1995 Data Protection Directive 5th May 2018. The EU GDPR extends the data rights of individuals (data subjects) and places a range of new obligations on organisations that process EU residents’ personal data. The UK DPA (Data Protection Act) 2018 modifies the EU GDPR by filling in the sections of the Regulation that were left to individual member states to interpret and implement. It also applies a “broadly equivalent regime” – known as “the applied GDPR” – to certain types of processing that are outside the EU GDPR’s scope, including processing by public authorities, and sets out data processing regimes for law enforcement processing and intelligence processes. The EU GDPR and DPA 2018 should therefore be read together. UK Data Protection Act (DPA) 2018 The UK Data Protection Act (DPA) 2018 is a comprehensive, modern data protection law for the UK, which came into force on 25th May 2018 – the same day as the EU GDPR (General Data Protection Regulation). The DPA 2018 enacts the GDPR into UK law. The following principles must be applied to all processing of personal data:
Key Legislation and Guidance. 3.1.1 Since 1 March 2000, the key legislation governing the protection and use of identifiable Service User information (Personal Data) has been the Data Protection Xxx 0000 (referred to as “DPA 1998” in the rest of this Protocol). Any information sharing by the Parties requires to be both ‘intra xxxxx’ i.e. within their legal powers and compliant with the DPA 1998. If a Party acts outwith its legal powers, even compliance with the DPA 1998 cannot render that act lawful. There is no general statutory power to share information. Express powers to share information are relatively rare and are usually restricted to specific activities. However, the Parties, as public authorities, have various general powers which allow them to carry out their functions, from which power to share information can often be implied. In general, unless there is a specific prohibition or restriction on a particular information sharing exercise, the key consideration will be whether the information can be shared in accordance with the DPA 1998.
Key Legislation and Guidance. 3.1.1 This protocol does not attempt to restate the statutory framework with which the Project Sponsors must operate. It does however recognise that in sharing information the organisations will seek to comply with all relevant legislation and guidance.
Key Legislation and Guidance. 1.10 The Partner Organisations are subject to a variety of legal obligations, and statutory and other guidance in relation to the sharing and disclosure of information, including (without limitation): Data Protection Xxx 0000 Human Rights Xxx 0000 Common Law Duty of Confidence Caldicott Principles ICO Data Sharing Code of Practice Confidentiality: NHS Code of Practice HSCIC: A guide to confidentiality in health and social care NHS England Information Governance and Risk Stratification: Advice and Options for CCGs and GPs Department of Health: Information Security: NHS Code of Practice
Key Legislation and Guidance. The Data Protection Act 1998 The Data Protection Act is the main statute governing the protection and use of personal information. The 1998 Act tightens up and extends the regulations covering the whole process of acquiring and keeping personal information about living individuals. It also provides individuals with rights of access to their records and rights to take action to rectify factual inaccuracies. Under the terms of the Act some information stored on paper, which includes health and personal records, will need to adhere to the same strict rules that has applied to information stored on computers. The regulations also cover issues such as how information is obtained, how it is stored, how it is protected by appropriate security measures and how long it is kept. There are eight data protection principles, which require that personal data shall be: Processed fairly and lawfully ( processed means obtained, recorded, stored, disclosed and used in any way) Obtained only for one or more specified and lawful purposes and shall not be further processed in a manner incompatible with the specified purpose or purposes Adequate, relevant and not excessive for the specified purpose(s) Accurate, and where necessary, kept up to date Kept no longer than is necessary for the specified purpose(s) for which it was obtained Processed in accordance with the data subject's rights Kept secure from unauthorised or unlawful processing, accidental loss, destruction or damage Not transferred to countries outside the European Economic Area unless the country ensures that there are adequate levels of protection for the rights and freedoms of data subjects in relation to processing personal data For further information on the Act's practical implication contact the Trust's or the Council's Data Protection Officer. Caldicott Committee Report The Caldicott Committee Report made a series of recommendations regarding the way the NHS handles and protects person identifiable information. The recommendations are underpinned by six general principles: Justify the purpose for using confidential information Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed Only use it when absolutely necessary Patient identifiable information should only be used where there is no alternative Use the minimum that is necessary Where the use of patient identifiable information i...
