Tier Three – The law explained
Data Protection principles
There are six core Principles to data protection legislation:
- personal data must be processed lawfully, fairly and transparently
- personal data must be collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes
- personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- personal data must be accurate and up to date
- personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- personal data is processed in a manner that ensures security, integrity and confidentiality including protection against unauthorised or unlawful processing, and accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful basis
DCHFT processes personal data for primary purposes under the following legal basis:
General Data Protection Regulations 2016/679 Article 6(1)(e):
"processing is necessary for the performance of a task carried out in the public interests or in the exercise of official authority vested in the controller"
For the processing of personal data for secondary purposes DCHFT may rely on one of the following legal basis depending on the circumstances:
General Data Protection Regulations 2016/679 Article 6(1)(c):
"processing is necessary for compliance with a legal obligation to which the controller is subject"
There are some National Audits and patient registers which require the Trust to process your information under Article 6(1)(c) in accordance with UK legislations such as the National Health Service Act 2006 and Health and Social Care (Safety and Quality) Act 2015.
There are also obligations within the Crime and Disorder Act 1998, Children's Act(s) 1989 and 2004, Mental Health Act 1983 and 2007 to share information with the Police or Social Services.
DCHFT processes special categories of data for primary purposes under the following legal basis:
General Data Protection Regulations 2016/679 Article 9(2)(h):
"Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contact with a health professional and subject to the conditions and safeguards referred to in paragraph 3"
Paragraph 3 "Personal data referred to in paragraph 1 [special categories of data] may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of a professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union of Member State law or rules established by national competent bodies"
General Data Protection Regulations 2016/679 Article 9(2)(b):
"Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject"
DCHFT processes special categories of data for secondary purposes under the following legal basis:
General Data Protection Regulations 2016/679 Article 9(2)(j):
"Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects"
General Data Protection Regulations 2016/679 Article 9(2)(i):
"Processing is necessary for reasons of public interest in the areas of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."
Where data has been anonymised it is not considered to be personal data and the General Data Protection Regulations 2016/679 and Data Protection Act 2018 will not apply. The Trust will use anonymous data for audit and population health management.
Occasionally, the Trust may rely on Consent:
General Data Protection Regulations 2016/679 Article 6(1)(a):
"the data subject has given consent to the processing of his or her personal data for one or more specific circumstances"
Where you consent and validate your email address through the DCH email consent portal to receive appointment letters and general information by email you can withdraw this consent at any time at a reception desk, or by contacting the Appointments Office (see portal terms and conditions for details). Also, you will be contacted by Information Governance every 2 years to invite you to review the continuation of your consent.
General Data Protection Regulations 2016/679 Article 9(2)(a):
"the data subject has given explicit consent to the processing of those personal data for one of more specified purposes"
However, these circumstances will be few and the Trust will not rely on consent where there is another lawful basis upon which we should rely.
General Data Protection Regulations 2016/679 Recital 43 specifies that for consent to be freely given it "should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."
DCHFT upholds transparency and fairness through the use of this privacy notice.
The Trust practices data minimisation techniques like pseudonymisation and anonymisation where possible to protect data and ensure that the purpose of processing is relevant and adequate.
DCHFT holds data security in the highest importance; our systems have access on a Role Based design and clinical systems are auditable to ensure transparency in the use of systems by staff. Devices are encrypted and staff undertake annual mandatory data security training. The Trust has an ISO27001 Accreditation; an internationally recognised Information Security Management System.