Data Protection Act (DPA)

The Data Protection Act (DPA) provides a framework which governs the processing of information that identifies living individuals.

Processing includes holding, obtaining, recording, using and disclosing of information and the Act applies to all forms of media, including paper and images.

It applies to confidential patient information but is far wider in its scope, e.g. it also covers personnel records.

The DPA provides a legal pathway and timetable for the disclosure of personal information to the data subject (e.g. Health record to a patient, personal file to an employee).

Whilst the DPA applies to both patient and employee information, the Confidentiality Code of Practice (COP) applies only to the patient information.

The COP incorporates the requirements of the DPA and other relevant legislation together with the recommendations of the Caldicott report and medical ethical considerations, in some cases extending statutory requirements and provides detailed specific guidance.