Filtering the facts

How many times have you heard people complain that an organisation has refused to give them information because to do so would contravene the Data Protection Act 1998?

Let’s suppose that a daughter is phoning the care home where her mother lives to find out information on behalf of or about her mother and is told she cannot have it.

This may be frustrating at the time but with a little reflection the daughter must realise that her mother’s privacy is being protected.

The way round this impasse is for the mother to write to the care home’s management giving consent for the information to be released to the daughter. The daughter can even write the letter and the mother merely sign it. So after a little forethought and a slight delay, the information will be released.

The existence of the letter is vital to protect the care home in question from being sued by the mother for unlawful disclosure of personal data and from being pursued by the information commissioner for breach of the first data protection principle. The letter is even more vital for the individual employee who actually speaks to the daughter on the phone and discloses the information, since unlawful disclosure of personal data done knowingly or recklessly without the express instructions of the employer is a criminal offence for which the employee is personally liable.

Not many people realise that the organisation cannot commit the criminal offence – only the employee can – although the organisation can be sued for damages; such claims under the
act can amount to considerable sums of money. Most claims are settled before the case goes to court and are usually subject to confidentiality so that the level of damages is not widely known.

The kind of information held and requested in the health care or care home setting is likely to be what the act calls “sensitive personal data” –  that is, information about an individual’s physical or mental health or condition.

Special rules apply to the collection, use, holding, storage and disclosure of sensitive personal data but the starting place is ordinary personal data such as name, address, and telephone number.

Before the care home can start collecting personal data it must find a lawful justification for collecting it from a list of six grounds set out in the act. A care home will have several lawful grounds for processing data. First, it will need to collect personal data to carry out the contract to provide care to the mother. Second, it could obtain the consent of the mother. Or, third, it could use general ground that states that organisations can collect and use personal data for their businesses so long as the rights and freedoms of an individual are not jeopardised.

If the information is sensitive a further ground has to be found from a second list set out in the act. This contains nine potential grounds but, in the health care or care home setting, only two of these are commonly used. The first is that, for example, the mother has given her explicit consent to the use of her personal data. The second is that the information is necessary for medical purposes and is being used by a health professional (there is a defined list of health professionals set out in the act) or by somebody else who owes an equivalent duty of confidentiality as a health professional. 

Clearly this covers the care home itself which will give assurances of confidentiality in its contracts with its patients and all the employees in a care home (who are not doctors, nurses or therapists who already come under the definition of “health professional”) and whose contracts of employment impose strict duties of confidentiality on them.

Next, the care home has to notify the information commissioner, who ensures compliance with the act, that it is holding personal data. Notification can be done easily online (go to and then click on “notify” under “quick links”) and costs £35 a year.

Although there are exemptions from notification for small businesses, these exemptions will not apply in the care home setting because of the prevalence of sensitive personal data.
The act contains eight data protection principles with which the care home has to comply (see And the Rules Are). The most important is the first which states that personal data has to be processed fairly and lawfully. Finding lawful justifications for processing takes care of this requirement. The fairness requirement is satisfied by giving all the people on whom the care home holds personal data a data protection notice which tells them all the information they need to know to understand fully what is going to happen to their personal data. This notice has to be given at the same time as the information is collected. 

The easiest way for the care home to give the notice to, say, the mother is to include it as part of the contract which she signs before entering the home. The care home also has to give this kind of notice to its own employees and this can also be done in the contract of employment.

In any case, data protection notices have to contain certain information which has become fairly standard. The care home has to give its full legal name as the organisation which is making the decisions about collecting and using the personal data. It has to say what information it is collecting and what its purposes are for collecting it. The list of purposes is important because, if one is left out, the care home will be unable to use the information for that purpose until it has recollected it under a new notice listing the extra purpose. Recollection exercises are expensive and time-consuming.

The notice also has to describe the kind of organisations to whom it intends to disclose the personal data and their possible purposes for using it. Finally, it has to give any other information necessary in the particular circumstances to make the processing fair.

If these simple rules are followed the care home will have fully complied with the act; its residents and employees will trust the care home because they will know what is happening to their information; and friends and relatives, like the daughter in the example above, will appreciate that the privacy of their elderly relatives is being respected by a well-run and professional organisation.

And the rules are…
The eight principles put in place by the Data Protection Act 1998 to ensure that information is handled properly state that data must be:

Fairly and lawfully processed.
Processed for limited purposes.
Adequate, relevant and not excessive.
Not kept for longer than is necessary.
Processed in line with your rights.
Not transferred to countries without adequate protection.

Shelagh Gaskill is a partner at law firm Pinsent Masons specialising in information law relating to the commercial exploitation of data, including acquisition, sale and exchange. She also specialises in the legal aspects of databases, worldwide and company data-flows and data protection and privacy laws throughout Europe.

Training and learning
The author has provided questions about this article to guide discussion in teams. These can be viewed at and individuals’ learning from the discussion can be registered on a free, password-protected training log held on the site. This is a service from Community Care for all GSCC-registered professionals.

This article looks at the principles of the Data Protection Act 1998 with which all care homes in the UK have to comply. It gives advice to managers of care homes on how to comply with these principles and outlines the requirements when dealing with personal data.

Contact the author

More from Community Care

Comments are closed.