L4 Data Protection and GDPR Flashcards
personal data
any information relatinf to an identified or indentifiable natural person, including names, identification number, location data, online identifiers, or oe or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity
data processing
any operation or set of operations performed on personal data whether automated or not
data processor
any organisatoin responsible for processing data on behalf of data controller
rights in relation to data
- General Data Protection Regulation (GDPR) 2018
- Data Protection Acts 1988 to 2018 (before GDPR)
- Freedom of Information Act 2014
responsibilities in relation to data - compliance with law
- Data Protection Acts 1988 to 2018
- Freedom of Information Act 2014
responsibilities in relation to data - compliance with national guidelines for health professionals
- Data protection and Freedom of information legislation: Guidance for health service staff
- CORU Code of Ethics and Professional Conduct
- National Consent Policy 2013, 2016
- Record Retentions Periods, 2013
- HSE Data Protection Policy, 2019
8 rights of GDPR
- the right to be informed
- the right to access information
- the right to rectification
- right to erasure
- right to data protability
- right to object to processing of personal data
- right to restriction
- right in relation to automated descision making, including profiling
Data protection commission
The national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected
what is the DPC’s role
- Investigate complaints made by the general public
- Carry out investigations proactively.
Responsibilities of Organisations
- Collect no more data than is necessary from an individual for the purpose for which it will be used
- Obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose
- Retain the data for no longer than is necessary for that specified purpose
- Keep data safe and secure
- Provide an individual with a copy of his or her personal data if they request it.
8 rules of Data Protections
- obtain and process information fairly
- keep information for only one or more specified, explicit and lawful purposes
- use nad disclose only in ways compatible with these purposes
- keep it safe and secure
- keep it accurate, complete and up-to-date
- ensure that it is aequate, relevant and not excessive
- retain it for no longer than is necssary for the purpose or purposes
- Give a copy of their personal data to that individual, on request
HSE retention policy for children and young people
- Retain until the patient’s 25th birthday or 26th if young person was 17 at the conclusion of treatment, or 8 years after death.
- If the illness or death could have potential relevance to adult conditions or have genetic implications, the advice of clinicians should be sought as to whether to retain the records for a longer period.
HSE retention policy for adults
8 years after conclusion of treatment or death
Freedom of Information ACt 2014
- Every individual has the right to apply for access to records (personal or non personal) held by a public body and to have inaccurate or misleading personal information amended, corrected, or deleted
- (subject to specific exemptions, having regard to the public interest and the right to privacy)
- Covers personal information (education, medical, psychiatric, psychological history, financial history), and records (paper records: books, files, letters, loose papers, diaries, post-it notes, and computer printouts; disks, servers, databases)
how to make an application under FOI
- Must be in writing to head of public body using specific form
- Must specify the records required and the manner in which access is sought e.g. inspect the originals, obtain photocopies etc
- Must state that the request is being made under the FOI Act 2014
