The recent undertakings given by Brent Teaching Primary Care Trust and Abertawe Bro Morgannwg University NHS Trust to the Information Commissioner’s Office, and the undertaking still to be given by Tees Esk and Wear Valleys NHS Foundation Trust, highlight the current data protection hot topic: data encryption.
The Information Commissioner’s Office has legal powers to ensure compliance with the requirements of the Data Protection Act 1998 (the DPA). Both Brent and Abertawe gave undertakings to the Information Commissioner’s Office to implement appropriate security measures following the theft of unencrypted laptops containing patients’ personal data. Tees Esk and Wear Valleys was also required to sign a formal undertaking after the “loss of an unencrypted data stick by a contractor with various patient and staff personal data on it”, although the data stick was found and later returned to the Trust.
Recap on some of the relevant DPA requirements
Under the DPA there are various requirements that must be complied with by “data controllers”. A data controller is a person who determines the purposes for which, and the manner in which, any “personal data” are to be processed. An example is an NHS Trust in relation to its patients’ personal data: the Trust decides how, and for what purposes, that patient information is to be “processed”.
Processing is given a very wide meaning by the DPA. It covers practically any operation that can be performed on the relevant information, including obtaining, recording, holding, altering, retrieving, using, disclosing, and erasing or destroying it.
It is important to remember that the DPA only protects “personal data”.