What is data protection legislation?

Data protection legislation sets out the duties and responsibilities which organisations, and all their staff, must follow when they collect, use, store and share information about people.

In the UK, the law about data protection is contained in the Data Protection Act 2018 and the UK General Data Protection Regulation (also known as the UK GDPR). Together these control how organisations – like local authorities, the NHS or care providers – can collect, use, store and share information. This includes information about:

• adults and families who are currently receiving services, including their children;
• adults and families who have received services from the organisation in the past;
• current and past staff members; and
• suppliers.

Data protection laws apply both to information which is held in paper files and digitally on computers and electronic recording systems.

Why do we have data protection legislation?

Data protection legislation helps keep people’s data safe. It does this by giving a framework to make sure that when organisations collect, use, store and share people’s information, they do it in a way that is safe and clear.

Data protection legislation also gives people rights in relation to the information organisations hold about them, including:

• the right to know what information is being collected and processed in relation to them, and – in most cases – they must clearly be asked for their consent for this;
• the right to see information held in their records;
• the right to have anything corrected in their records which is not accurate; and
• the right for data to be ‘forgotten’ when it is no longer required.

When does data protection legislation apply?

Data protection laws apply whenever personal data is being handled or processed by organisations, including being collected, stored, used, and shared.

Personal data is information about a person who is alive and who can be identified by a name, an ID number, location information or email addresses. Different rules apply to someone who has died.

The law is even stricter when processing or handling what is known as ‘sensitive personal data’. This applies to information on:

• racial or ethic origin;
• political opinions;
• religious or other beliefs;
• trade union membership;
• physical or mental health conditions;
• sexual life or sexual orientation; and
• criminal convictions and proceedings.

What does best practice look like?

To conform to the Data Protection Act and UK GDPR, the following principles should be followed whenever personal data is being processed.

• Processing or handling data should be lawful, fair and in a way which is transparent. This means people should be told what information will be collected about them and how it will be used.
• When information is collected for one purpose – for example to provide someone with a service – it must not then be used for another reason – for example to send them marketing information about another service.
• Organisations must only collect the least amount of data which is necessary for the service being provided.
• Information which is collected must be accurate and kept up to date.
• It must not be kept for any longer than is necessary.
• It must also be stored securely. This means paper files are kept secure – in a locked cabinet for example – and computers are password protected.

Organisations must make sure that everyone who manages and handles personal information as part of their job understands that they are responsible for adhering to data protection legislation.

If you need advice about data protection and collecting and sharing information, speak to your line manager or the data protection officer in your organisation.