Overview
The Data Protection Act 1998 established a framework of rights and duties to safeguard personal information and to balance the legitimate needs of organisations to collect and use personal information against the right of individuals to have the privacy of their personal details respected.
Much has changed since 1998. We now give a lot of information about ourselves to a lot of organisations, usually willingly but frequently unknowingly. Quite often we don't know what happens to this information, how it is used, or how decisions about us are made. The General Data Protection Regulation 2018 (GDPR) makes organisations more accountable for the way they collect, use, store and dispose of personal information, and gives individuals more control over information about them that they pass on to others.
Many of the general data protection requirements are unchanged and the need to comply continues. However, if you hold personal information you must now be able to explain what information you have, why you have it, what you do with it and who you share it with, in addition to the general need to protect it by:
- Only collecting information that you need for a specific purpose
- Keeping it secure
- Ensuring that it is relevant and up to date
- Only holding as much as you need and only for as long as you need it, and
- Allowing the subject of the information to see it on request.
This advice sheet includes:
- An overview of data protection principles
- Guidance on demonstrating compliance, including impact assessments and data breaches
- Employing staff, including recruitment and selection, employment records and employee monitoring
- Patient information, including sharing information and patient records
- IT security, including cloud storage, 'phishing' and emails
- Video and audio recordings, including CCTV use
- Releasing information, including police enquiries, CCTV recordings and tax enquiries