Data processing

Personal data is information which relates to a living individual who can be identified from the information itself or by linking it with other information – for example a person’s name, address or email address, an online profile or an employee’s human resources record, sickness absence or appraisal record. There is also ‘special category’ information which relates to sensitive personal data such as medical information, ethnic origin etc.  All information that is obtained in the course of caring for patients is confidential.

Processing is the name given to anything that is done with personal data – for example entering patient information into IT systems or having a patient record in a filing cabinet.

A data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a data controller. Under the Data Protection Act 2018 (DPA 2018) [1] and General Data Protection Regulations (UK GDPR) [2], data controllers must demonstrate compliance and ensure that their data processors comply with specific legal obligations; for example, data processors are required to maintain records of personal data and processing activities. Both data controllers and data processors have legal liabilities in the event of a data breach.