Dr D L Boone – Avon Vasectomy Service DATA PROTECTION POLICY

Dr D L Boone – Avon Vasectomy Service


24 March 2018


Caldicott Guardian: Dr Doron Boone


This policy contains sections:

1. Data manager responsibilities 

2. Staff responsibilities 

3. Staff awareness 

4. Protecting data 

5. Principles of the Data Protection Act 

6. General principles of the Caldicott committee on the review of Patient 
Identifiable data  

1. The Data Manager is responsible for:

  • Registering the service with the Data Protection Officer
  • Updating any changes to the Data Protection Act (1998)
  • Ensuring data accuracy as specified by the Data Protection Act 
  • Ensuring all staff sign a confidentiality agreement
  • Loading and removing programmes ( generally through designated software supplier or CSU 
support function)
  • Ensuring the routine back up and verifying of data.

2. All staff are responsible for:

  • Adherence to the Data Protection Act 
  • Ensuring that use of personal data for which they are responsible is covered by the registrations


3. All staff will be aware of:

  • The eight principles of the Data Protection Act (see section 5)
  • The general principles of the Caldicott Committee on the review of Patient Identifiable Information 
(see section 6)
  • All personal data stored needs to be registered under the Data Protection Act 
  • Do not disclose information to unknown applicants
  • You are not permitted to use the Practice’s computers for personal use unless you have been given 
express permission)
  • You should only use your computer for the purpose of your job and should not use the computer 
system or information for any other purpose)
  • You are responsible for maintaining your computer equipment and software and where you have 
access to confidential information you must ensure that it remains secure)
  • You are not permitted to make copies of any software where this will amount to a breach of copyright or in any way make or distribute copies of software

4. Protecting service data:

  • It is in your own interests to know the rules. It is a contractual part of your job toensure 
confidentiality and data security. If you do not and either deliberately or negligently divulge 
information, you will be subject to disciplinary action
  • Supervise visitors
  • Always ask the data manager if you are not sure what to tell people
  • Password protect documents on disk if confidential
  • Use screen savers or log out to protect on-screen data from being viewed by unauthorised people
  • Safeguard your computer from heat and water. Keep food and drinks away from all computer 
  • Ensure the room is kept locked when staff are not on site
  • Save and backup your data at regular intervals
  • Confidential paper waste must be placed in confidential waste sacks or shredded

5. The Eight Principles of the Data Protection Act:

Anyone processing personal information must comply with the eight enforceable principles of good information handling practice. These say that the data must be:

1)                           fairly and lawfully processed 

2)                           processed for limited purpose 

3)                           adequate, relevant and not excessive 

4)                           accurate and up to date 

5)                           not kept longer than necessary 

6)                           processed in accordance with the individuals rights 

7)                           secure 

8)                           not transferable to countries outside the European Economic area unless the country has adequate protection for the individual 

6. The General Principles of the Caldicott Committee on the review of Patient Identifiable Information 

Principle 1 - Justify the purpose(s)

Principle 2 - Every proposed use of transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 3 - Don’t use patient-identifiable information unless it is absolutely necessary

Principle 4 - Patient-identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s)

Principle 5 - Use the minimum necessary patient-identifiable information

Principle 6 - Where the use of patient-identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.


Access to patient-identifiable information should be on a strict need-to-know basis
Only those individuals who need to access patient-identifiable information should have access to it, and they should only have access to the information items they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Everyone with access to patient-identifiable information should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information – both clinical and non clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Understand and comply with the law

Every use of patient-identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.