Further Information: Data is secure and the legal aspect understood

What data needs to be secure?

The Data Protection Act 1998 (DPA) is mandatory. All organisations that hold or process personal data must comply. It applies to all personal data, whether held in a manual or electronic filing system. Individuals have a wide range of rights under the Data Protection Act, including access, compensation and the prevention of processing.

The Act came into force in 1999 and covers how information about living, identifiable persons is used. It is much broader in scope than the earlier 1984 Act. It sets out eight Data Protection Principles, which state that information should be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept for longer than is necessary
  • processed in line with subjects' rights
  • secure
  • not transferred to countries without adequate protection

Principle 7: Data Security requires that appropriate security measures are in place to safeguard against unauthorised or unlawful access or processing of personal data.

How do you ensure you meet the requirements of the Data Protection Act?

How do you measure your compliance with the Data Protection Act?

How do you ensure data is secure?

The Information Security Management: NHS Code of Practice is a guide to the methods and required standards of practice in the management of information security.

The NHS handles information about patients and employees through an Information Governance Framework. This includes personal and sensitive information. The framework provides a means of ensuring that personal information is dealt with legally, securely, efficiently and effectively. It applies to individuals and NHS and partner organisations.

Each organisation should have an Information Governance Manager and an Information Governance Framework.

Who is the Information Governance Manager for your organisation?
Does your organisation have an Information Governance Framework?

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.

Who is the Caldicott Guardian for your organisation?

ISO/IEC 27002 provides guidance on best practices in information security management to ensure compliance with the current information security regulations.