Summary of relevant legislation and guidance

The following legislation and guidance is relevant to data protection and privacy.

Human Rights Act 1998

This Act binds public authorities including Health Authorities, Trusts and Primary Care Groups to respect and protect an individual’s human rights. This will include an individual’s right to privacy (under Article 8) and a service user’s right to expect confidentiality of their information at all times.

Article 8 of the Act provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. However, this article also states “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

Each organisation must act in a way consistent with these requirements. It must take an individual’s rights into account when sharing personal information about them.

Freedom of Information Act 2000

This Act gives individuals rights of access to information held by public authorities.

Regulation of Investigatory Powers Act 2000

This Act combines rules relating to access to protected electronic information as well as revising the “Interception of Communications Act 1985”. The aim of the Act was to modernise the legal regulation of interception of communications, in the light of the Human Rights laws and rapidly changing technology.

Crime and Disorder Act 1998

This Act introduces measures to reduce crime and disorder, including the introduction of local crime partnerships around local authority boundaries to formulate and implement strategies for reducing crime and disorder in that local area.

The Act allows disclosure of person-identifiable information to the Police, Local Authorities, Probation Service or the Health Service, but only if the purposes are defined within the Crime and Disorder Act. The Act does not impose a legal requirement to disclose person-identifiable information, and responsibility for disclosure rests with the organisation holding the information.

The Computer Misuse Act 1990

This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. NHSCFA issues each employee with an individual user id and password which will only be known to the individual and must not be divulged to other staff. This is to protect the employee from the likelihood of their inadvertently contravening this Act.

NHSCFA will adhere to the requirements of the Computer Misuse Act 1990, by ensuring that its staff are aware of their responsibilities regarding the misuse of computers for fraudulent activities or other personal gain. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

These Regulations allow employers to intercept and record communications in certain prescribed circumstances for legitimate monitoring, without obtaining the consent of the parties to the communication.

Information Security Management: NHS Code of Practice

The guidelines provide a framework for consistent and effective information security management that is both risk and standards-based and is fully integrated with other key NHS Information Governance areas. Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where or when needed, or may be compromised by unauthorised third parties.

Confidentiality: NHS Code of Practice

Gives NHS bodies guidance concerning the required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their personal data.

The Caldicott Guardian Manual 2017

Provides guidelines relating to sharing of person-identifiable information and advocates the appointment of senior organisational members to the role, to ensure adherence to the principles.

Records Management: NHS Code of Practice

The code acts as a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice.

Information Commissioner’s Guidance - Use and Disclosure of Health Data

This guidance is concerned with the application of the Act with regards to the processing of information contained within ‘health records’.
