1. Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office

2. Content The Data Protection Act – key concepts Sensitive Personal Data Individual Rights Exemptions Freedom of Information Penalties

3. The Data Protection Act – key concepts Personal data relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Data is information which is being processed or is intended to be processed automatically information recorded as part of a relevant filing system information which forms part of an accessible record other information held by a public authority

4. The Data Protection Act – key concepts Fairness considers the method by which the data is obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed. May also require consideration of the common law of confidence Lawfulness Processing has to be for a lawful purpose and meet conditions for processing

5. The Data Protection Act – key concepts Data Protection Principles Personal data shall be processed fairly and lawfully Personal data shall be obtained only for one or more specified and lawful purposes, Personal data shall be adequate, relevant and not excessive Personal data shall be accurate and, where necessary, kept up to date.

6. The Data Protection Act – key concepts Data Protection Principles Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data shall be processed in accordance with the rights of data subjects under this Act. Appropriate measures shall be taken against unauthorised, insecure and unlawful processing of personal data Personal data shall not be transferred to a country or territory outside the EEA unless it has adequate protection for processing of personal data

7. Sensitive Personal Data Includes racial and ethnic origin physical or mental health or condition sexual life commission or alleged commission of any offence

8. Sensitive Personal Data “Schedule two” conditions: Consent Vital Interests Functions of a public nature Legitimate interests not prejudicial to the individual

9. Sensitive Personal Data “Schedule three” conditions: Explicit consent Vital interests Legal proceedings By a health professional for medical purposes Ethnic monitoring Research in the substantial public interest

10. Individual Rights Right of access Right of correction Right to stop processing causing distress

11. Exemptions Disclosure for the prevention or detection of crime (including the apprehension or prosecution of offenders) s29 Regulatory activity s31 Research (where the outcome is not to support decisions with respect to particular individuals) s33 Disclosures required by law or in connection s35

12. Freedom of Information Freedom of Information Act 2000 Freedom of Information (Scotland) Act 2002 Exemptions for release of personal data Potential Anonymisation

13. Penalties Undertakings Enforcement Civil Monetary Penalties (where the contravention could have been foreseen and was likely to cause substantial damage or substantial distress)

14. www.twitter.com/iconews Keep in touch Subscribe to our e-newsletter at www.ico.gov.uk Contact us on 0131 301 5071 or at scotland@ico.gsi.gov.uk