Six Principles of GDPR
In the last GDPR guidance note we discussed the key terms set out in GDPR.
In this guidance note we’ll look at the 6 key principles of GDPR that apply when processing personal data. The principles are broadly equivalent to the 8 key principles that exist under the Data Protection Act 1998.
The GDPR key principles are:
1. Processing should be lawful, fair and transparent
Data subjects should have a clear understanding of what personal data is being processed about them, and why it is being processed. Any communication with the data subject about their personal data should be easily accessible, easy to understand and written in plain and clear language. This is particularly important when the personal data relates to a child, who should be able to understand what an organisation is doing with their information.
GDPR requires organisations to provide certain information to the data subject when the personal data is collected either directly from the data subject or from another source. The information may be provided to the data subject as part of a fair processing notice.
2. Personal data shall be collected for specified, explicit and legitimate purposes
Personal data should be collected for a specific purpose, and the data subject should know what that purpose is. If an organisation wishes to use personal data for another purpose, it will need to get separate consent from the data subject for that particular purpose, or determine whether another ground (such as legitimate interest or the processing of special categories of data for the provision of health and social care services) applies.
3. Personal data must be adequate, relevant and limited to what is necessary
Organisations should only process the personal data they need to process to achieve the purpose for which it was collected.
For example, diversity questionnaires are often completed on an anonymous basis so that the information in the questionnaires is not personal data – an organisation is unlikely to need to know a person’s racial or ethnic origin or religious beliefs to be able to employ them or provide them with services.
Organisations, staff and carers should have access only to the health and medical records relevant to their role, particularly given the volume of special categories of data contained within those documents.
4. Personal data shall be accurate and kept up to date
Organisations should have processes in place to ensure the personal data they process is accurate and up to date.
For example, if a person’s contact information changes, it should be updated as soon as possible and the previous, now inaccurate contact information deleted or removed. The same principle applies to personal data contained within care records – it should be regularly reviewed and updated.
5. Personal data shall be kept for no longer than is necessary
GDPR requires personal data to be deleted or destroyed when it is no longer needed by the organisation. Alternatively, the personal data could be anonymised or otherwise modified so that it no longer relates to an individual.
There may be statutory or sector-specific reasons why personal data should be retained beyond the period for which the organisation needs it.
For example, organisations are required to keep right-to-work documentation for 2 years beyond termination of a person’s employment. Contracts should be kept for 6 years and deeds for 12 years in case a claim arises.
Different organisations are likely to adopt different retention periods for the same type of personal data. This variation is fine as long as all decisions are logical and sensible, no personal data is retained “just in case”, and all decisions around data retention are recorded together with an explanation of why that decision was reached.
The Information Governance Alliance (“IGA”) produced the Records Management Code of Practice for Health and Social Care in 2016. It includes a retention schedule which should be reviewed and adhered to (where relevant) unless there are specific circumstances that require an alternative retention period (in which case, the reasons for choosing such an alternative period should be recorded). The document can be found on the NHS Digital website: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.
6. There must be appropriate security in place in respect of the personal data
Each organisation should put in place security measures (whether technical, organisational or manual) to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
This may include, for example, ensuring documents stored online or on a computer are password protected or encrypted and that hard copy documents are stored in locked drawers or cabinets with restricted access. The use of portable media devices, such as USB sticks, should also be reviewed – can they be avoided or at least encrypted?
Organisations should develop policies and procedures to circulate to staff so that staff know the steps they need to take to protect personal data they process. This may include introducing requirements around the length and complexity of passwords, limiting access to documents and implementing a “working from home” policy so that all staff know how to protect personal data that is removed from the office environment and what to do if something goes wrong.
Special attention should be paid to special categories of data, which require a greater level of protection due to their sensitive nature.
For those wishing to read the principles in detail, they can be found in Chapter II, Article 5 of GDPR. The final text of GDPR is available at https://gdpr-info.eu/.
The Information Governance Alliance has confirmed that it will provide GDPR guidance over the next few months, but that the provision of such guidance has been delayed. The current guidance is available at https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance and should be regularly monitored for updates.
A number of bodies are required to complete Data Security Protection Toolkit assessments if they process personal data of individuals accessing health and adult social care services. More information about the Data Security Protection Toolkit can be found at https://www.dsptoolkit.nhs.uk/. Please note that the Data Security Protection Toolkit replaces the IG Toolkit with effect from April 2018. Further information on the new framework can be found at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/675420/17-18_statement_of_requirements_Branded_template_final_22_11_18-1.pdf.
* All information is correct at the time of publishing.