Personal data is information which relates to a living individual who can be identified from the information itself or by linking it with other information – for example a person’s name, address or email address, an online profile or an employee’s human resources record, sickness absence or appraisal record. There is also ‘special category’ information which relates to sensitive personal data such as medical information, ethnic origin etc. All information that is obtained in the course of caring for patients is confidential.
Processing is the name given to anything that is done with personal data – for example entering patient information into IT systems or simply having a patient record sitting in a filing cabinet.
Data Controllers and Data Processors
A data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a data controller. Under the General Data Protection Regulation (GDPR), data controllers must demonstrate compliance and ensure that their data processors comply with specific legal obligations; for example, data processors are required to maintain records of personal data and processing activities. Data processors have legal liability if they are responsible for a data breach.
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.
Sources of Information
- The data protection fee. A guide for controllers https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221. (PDF)
- Data Protection Self Assessment https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/