Transcript Processing personal health data: the regulator’s perspective

Processing personal health data:
the regulator’s perspective
Ken Macdonald
Assistant Commissioner
Information Commissioner’s Office
Content
The Data Protection Act – key concepts
Sensitive Personal Data
Individual Rights
Exemptions
Freedom of Information
Penalties
The Data Protection Act – key concepts
Personal data relates to a living individual who can be
identified from those data, or from those data and other
information which is in the possession of, or is likely to
come into the possession of, the data controller.
Data is
• information which is being processed or is intended to be
processed automatically
• information recorded as part of a relevant filing system
• information which forms part of an accessible record
• other information held by a public authority
The Data Protection Act – key concepts
Fairness
considers the method by which the data is obtained, including in
particular whether any person from whom they are obtained is
deceived or misled as to the purpose or purposes for which they are
to be processed.
May also require consideration of the common law of confidence
Lawfulness
Processing has to be for a lawful purpose and meet conditions for
processing
The Data Protection Act – key concepts
Data Protection Principles
Personal data shall be processed fairly and lawfully
Personal data shall be obtained only for one or more specified
and lawful purposes,
Personal data shall be adequate, relevant and not excessive
Personal data shall be accurate and, where necessary, kept up
to date.
The Data Protection Act – key concepts
Data Protection Principles
Personal data processed for any purpose or purposes shall not
be kept for longer than is necessary for that purpose or those
purposes.
Personal data shall be processed in accordance with the rights
of data subjects under this Act.
Appropriate measures shall be taken against unauthorised,
insecure and unlawful processing of personal data
Personal data shall not be transferred to a country or territory
outside the EEA unless it has adequate protection for
processing of personal data
Sensitive Personal Data
Includes
• racial and ethnic origin
• physical or mental health or condition
• sexual life
• commission or alleged commission of any offence
Sensitive Personal Data
“Schedule two” conditions:
•
•
•
•
Consent
Vital Interests
Functions of a public nature
Legitimate interests not prejudicial to the individual
Sensitive Personal Data
“Schedule three” conditions:
•
•
•
•
•
•
Explicit consent
Vital interests
Legal proceedings
By a health professional for medical purposes
Ethnic monitoring
Research in the substantial public interest
Individual Rights
Right of access
Right of correction
Right to stop processing causing distress
Exemptions
Disclosure for the prevention or detection of crime (including
the apprehension or prosecution of offenders) s29
Regulatory activity s31
Research (where the outcome is not to support decisions with
respect to particular individuals) s33
Disclosures required by law or in connection s35
Freedom of Information
Freedom of Information Act 2000
Freedom of Information (Scotland) Act 2002
Exemptions for release of personal data
Potential Anonymisation
Penalties
Undertakings
Enforcement
Civil Monetary Penalties (where the contravention could have
been foreseen and was likely to cause substantial damage or
substantial distress)
Keep in touch
Contact us on 0131 301 5071 or at
[email protected]
Subscribe to our e-newsletter at www.ico.gov.uk
www.twitter.com/iconews