The Data Protection Act 1998
NHS Blood and Transplant (NHSBT) is a Special Health Authority within the
NHS, responsible for managing the National Blood Service, UK Transplant and
Bio Products Laboratory.
The Act came into force on 1 March 2000. It lays down extremely wide-ranging rules, backed
up by criminal sanctions, for the processing of personal information. It
also gives individuals certain rights in relation to personal data held
about them by others.
The Act is regulated by the Information Commission (previously known as
the Data Protection Commission).
Scope of the Act
There are several key definitions in the Act, which help towards determining
its scope and applicability. The Act only applies to “personal data”,
and this can be broken down into two definitions as follows:
(1) “Data”, which is information either processed
by automatically operating equipment or recorded manually as part of a “relevant
filing system”.
A “relevant filing system” is a set of information relating
to individuals which is structured by reference to those individuals, or
by criteria relating to them, so as to allow specific information about
any particular individual to be readily accessible. Thus a filing system
structured by name, address or subjects pertaining to particular individuals
would be a “relevant filing system”.
“Processing” has a very wide definition, including
obtaining, recording, holding, organising, adapting, altering, retrieving,
using, disclosing or erasing.
The definition of “data” also includes certain classes of public,
educational and health records.
(2) “Personal data” is data (as defined above) which relates
to a living individual, who can be identified from it (whether alone or
together with other information at the disposal of the person processing
the data (known as the ‘data controller’)). The definition encompasses
data which is in the possession, or likely to come into the possession,
of the data controller. In this context, “possession” is not
merely limited to physical possession but also extends to control.
As well as including obviously personal data such as names and addresses
(including e-mail addresses), the definition expressly includes “any
expression of opinion about the individual and any indication of the intentions
of the data controller … in respect of the individual”. The
definition is therefore very broad, and might conceivably cover information
as diverse as an individual’s beliefs, personal hobbies, or business
activities, for example.
Personal data is divided into non-sensitive data and sensitive data, which
each carry certain conditions for processing relating to the necessity of
the processing and the consent of the person who is the subject of the data
(known as the “data subject”). Non-sensitive data covers basic
information such as name, address and telephone number; whereas sensitive
data includes any information relating to an individual’s ethnic origins,
religious or political beliefs or physical or mental health or condition.
Consent is required for both types of personal data, but it must be explicitly
given in the case of sensitive data.
Key provisions of the Act
· All data controllers must process personal data in accordance with
the data protection principles (set out below).
· Any individual who is (or may be) the subject of personal data
(known as a “data subject”) has the right (subject to restrictions
and exemptions) to be provided by any data controller with details of such
personal data, and the information which constitutes that data.
· All data controllers are required to register on the Data Protection
Register, which is a publicly available document, giving details of the
purposes for which personal data is to be processed.
Enforcement and Information Notices
The Commissioner may:
· serve an information notice on a data controller requiring certain
information, either when requested to do so by an individual who believes
the data controller is not processing his or her personal data in accordance
with the principles, or of his own volition; or
· if he is satisfied that the data controller has contravened or
is contravening a data protection principle, serve an enforcement notice
requiring that controller to remedy the breach or take certain steps
(including erasing etc. data).
The data controller has certain rights of appeal to the Data Protection
Tribunal against an enforcement notice or an information notice.
Offences and enforcement
The criminal offences under the Act include:
· processing personal data without having registered;
· not keeping personal data up to date;
· procuring or selling personal data, or accessing/disclosing it
without proper authorisation;
· failure to respond to an information notice; or
· breach of an enforcement notice.
Prosecution of these offences can result in fines up to the statutory maximum
(or a higher fine for obstructing the execution of a warrant of entry and
inspection). Officers of bodies corporate (or, where they manage the body,
the members) may be personally liable as well as the body corporate itself,
where it is shown the offence was committed “with [their] consent
or connivance or…neglect”.
The Commissioner has certain powers of entry, inspection and seizure. He
must, however, obtain a warrant from a circuit judge, and the warrant must
be used within 7 days. The judge cannot grant the warrant unless satisfied
that the Commissioner has already requested from the occupier of the premises
in question access (with at least 7 days’ notice), and (broadly speaking)
that access has been refused by that occupier.
The Data Protection Principles
1 Personal data shall be processed fairly and lawfully and, in particular,
shall not be processed unless at least one of the conditions relating to
non-sensitive data, and (if it is sensitive) one extra condition relating
to sensitive data, is met.
2 Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible
with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation
to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept
for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data
subjects under the Act.
7 Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data subjects in relation
to the processing of personal data. (This principle has implications where
personal data is being transmitted to certain countries which do not have
similar data protection laws.)