Data Protection

Guidance on the Data Protection Act 1998

Wessex Deanery GP School Policy on Personal Data, Information and all communication concerning GP Trainees held or processed by the GP School and all GP Educators.

The GP School and all “commissioned” educators who provide or support GP Trainees in training are required to comply with the Data Protection Act 1998, the Freedom of Information Act 2000 and related National or Deanery regulations and policies.  This applies to all information recorded about individual Trainees that is relevant and in relation to their performance and training with the Wessex Deanery.  The GP Trainee should understand that the information he/she provides may be used by GP Educational Supervisors (Trainers) within the Wessex Deanery to assist with the assessment process.  The GP Trainee should understand that the data will be recorded and processed on e-portfolio, where appropriate; however, separate records may be kept by the GP Educational Supervisor for future information and assessment.  This will be kept in a secure manner, within their workplace and only assessed by authorised staff.  This is in accordance with the Data Protection Act 1998.

The GP Trainee may request their personal data from the Wessex Deanery in accordance with the Data Protection Act 1998.  GP Educational Supervisors (Trainers) should be aware that the GP Trainee may access their personal data at any time.  This can be from both the e-portfolio system and the records kept by the supervisor.

Any records, emails or notes kept should be factual and evidence based; where appropriate, they should also be signed and dated.

“Commissioned” Educators: this includes all direct employees of the SHA, Hospital Trusts, Patch GP Educational Teams and GP Training Practices (and includes all GP Trainers, partners and employed staff within the practice).

The full SHA/NESC policy, previously available from the NESC website, is available from the deanery website; below is a summary of the important key points.

Summary Guidance on the Data Protection Act 1998

Ratified by Strategic Health Authority Executive Team:

  • Review:         January 2009
  • Author:          Jacky Jones, Head of Corporate Services
  • Sponsor:      Olga Senior, Director of Communications and Corporate Affairs
  • Summary:      Dr Richard Weaver Head of School GP

The full SHA Document is available at

“Guidance on Data Protection” 


The Data Protection Act 1998 came into force in March 2000 and aims to give protection to all information that relates to individuals.

The new Act differs from the 1984 Act as it covers information which relates to living individuals, not only where it is processed by computer but also where it is held and stored manually in hard copy, e.g. as part of a ‘relevant’ filing system or ‘accessible records.’

A ‘relevant’ filing system is any organised way of storing information that is indexed alphabetically or by reference to criteria relating to individuals in such a way that is readily accessible.

Personal Data is data relating to a living individual who can be identified from that data or other information in the possession of a data controller.

Relevant Filing System is a structured set of information that can reference individuals either directly or indirectly.

Right of Subject Access means that ‘Data Subjects’ have the right to access and be given details of any information held about them.

Principle 1 – Fair & Lawful

Personal data shall be processed fairly and lawfully and subject to conditions.

Data is categorised into two types, non-sensitive and sensitive. Certain conditions have to be met before processing is allowed; these are detailed in Schedules 2 & 3 of the Act (see main document).

Principle 2 – Purpose

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Principle 3 – Adequacy

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Principle 4 – Accuracy

Personal data shall be accurate and where necessary, kept up to date.

Principle 5 – Retention Period

Personal data shall not be kept for longer than necessary for the purpose.

Principle 6 – Subject Rights

Personal data shall be processed in accordance with the rights of the data subjects, under this Act. They include:

  • the right to be informed that processing is being undertaken;
  • the right to inspect personal data;
  • the right to prevent processing in certain circumstances; and
  • the right to rectify, block or erase data.

Principle 7 – Security

Appropriate security measures shall be taken to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, the data.

Freedom of Information Act 2000

The Freedom of Information (FOI) Act 2000 and the Codes of Practice, issued by the Secretary of State, outline the duties and responsibilities that Public Authorities must undertake in providing additional information to the public.

The FOI Act further extends the Data Protection Act to cover all personal information held by public authorities which would be considered unstructured and not form part of a ‘relevant filing system.’ Any request for information about the applicant will be handled as a request under the Data Protection Act.

There is a duty to comply with any FOI requests within 20 working days subject to an appropriate fee, if applicable. 

Data Subject Access Requests

Individuals have a right (subject to a fee, if applicable) of:

  • being informed whether personal data is processed by, or on behalf of, the data controller,
  • the description of that data, the purpose of its processing and who the recipients may be,
  • a copy of any personal information (subject to a few exceptions),
  • information as to the source of the data.

Human Rights Act 1998

The Human Rights Act 1998, incorporating the European Court of Human Rights (ECHR) into UK law, came into force in October 2000. It does not confer any new rights. The main difference is that individuals will be able to enforce the Convention in the UK courts, if they think a public authority has breached or is likely to breach a Convention right or freedom affecting them. This may result in more challenges, well founded or otherwise.

Sharing Information with Others

Where information is shared between organisations on a regular basis, then formal agreements should exist to outline the protocols necessary to control that information.

Where another organisation is processing data on our behalf then we have a clear duty to ensure that the information is kept in accordance with the principles of the Act.

This data disclosure process is not intended to be a substitute for correct procedural agreements between such organisations.

Disclosure – Other than to the Data Subject

To Third Parties:

Information may be requested from third parties, e.g., solicitors or insurers, on behalf of the Data Subject.

Where this is accompanied by authorisation from the Data Subject then this request can be processed.  Where necessary the third party should be contacted for additional details to enable an effective search for the information required for their purpose.

Anonymous Information

An important Court ruling (Dec 1999, R-v-DOH ex parte Source Informatics Ltd) has deemed that information that has been rendered anonymous, prior to disclosure, is not covered by the common law duty of confidentiality.

Therefore this information may be shared without restriction.

Summary RDW Jan 2009
