Association of Optometrists



Notification under the Data Protection Act 1998

Under the Data Protection Act 1998 (“DPA”) people who process personal data are, subject to certain exemptions, required to notify the Information Commissioner’s Office.

“Personal data” is data which relates to a living individual who can be identified from those data or other information which is in the possession of or is likely to come into the possession of the data controller.

“Processing” includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. (The Information Commissioner’s Office notes that “it is difficult to envisage any activity involving data which does not amount to processing”.)

If none of the processing is carried out on computer there is no requirement to notify. The term computer includes any type of computer (e.g. desk top, lap top, palm top) and other types of equipment which although not normally described as computers, nevertheless have some ability to process automatically, e.g. automatic retrieval systems for images, audio and CCTV systems.

Unless they are subject to any exemptions, it is the data controller who is required to notify the Information Commissioner’s Office under the Act. “Data controller” means a person who (either alone or jointly or in common with other persons) determines the purpose for which any personal data are, or are to be, processed.

Data controllers who are processing personal data for non-exempt purposes are required to notify the Commission. Non-exempt purposes include health administration and the provision of health services. Optometrists and dispensing opticians are therefore among the data controllers who are unlikely to be exempt from the notification requirements.

There are exemptions from notification of core business services. These include staff administration and advertising, marketing and publications activities. These are quite self-explanatory.

However, a further exemption for “accounts and records” requires a little more detail in relation to the work of optometrists and dispensing opticians. This exemption covers the administration of customer and supplier records. It relates to processing for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, keeping records of purchases, sales or other transactions for the purposes of ensuring that the requisite payments or deliveries are made or services provided by or to the business in respect of those transactions.

The Information Commissioner’s Office have advised that it was originally envisaged the accounts and records exemption would cover simple records of work done and accounts kept in respect of the provision of goods and services, e.g. non-sensitive records such as a plumber or similar tradesman might maintain.  However, the exemption does not state in terms that if any sensitive personal data are recorded, such as medical data, the exemption cannot apply. Further, there is an associated exemption for staff administration and again there is no exclusion in respect of sensitive data. Given the nature of the records routinely held for employment purposes this exemption would be of limited value if it could not apply to sensitive data such as trade union membership, medical conditions, etc.

On the other hand, in respect of general practitioners’ records, the Information Commissioner’s Office is of the view that the accounts and records exemption would be unlikely to cover the holding of detailed medical records on patients. This is because the primary purpose for which such records are held is healthcare, that is seeking to ensure appropriate treatment and care of the individuals concerned, and records are passed onto the patient's next GP so that their medical history can inform further care and treatment. In addition, the level of detail held could not be held to be necessary for accounts/payments purposes (even though GPs are required to maintain records of any treatment given). 

The Information Commissioner’s Office then went on to offer their view on specific matters we had raised regarding records kept by optometrists. They said that reference to a condition such as glaucoma would constitute “sensitive personal data” (i.e. information as to the data subject’s physical health or condition) under Section 2 of the DPA. Less categorically, they have said that arguably the results of an eye test would constitute personal data relating to an individual's physical condition and thus be sensitive personal data. However, as indicated above, it is not clear that simply because sensitive data are held the accounts and records exemption cannot apply. If practitioners only hold such sensitive data for the purpose of supplying corrective devices, rather than for treatment/healthcare, then, the Commission says, it is hard to argue that they cannot take advantage of the accounts and records exemption.

The Information Commissioner’s Office summarised the position thus: the key question is not whether optometrists hold any sensitive medical data but rather whether the data they hold is held merely as a record of goods/services provided, and payments due in respect of these, rather than treatment. Ultimately, therefore, the crucial consideration may be whether an optometrist provides care and treatment, even perhaps if co-operatively by referring on some individuals for treatment as appropriate.

The answer to this question must be that optometrists and dispensing opticians do hold personal data, including sensitive personal data, for the purposes of treatment rather than merely as a record of goods/services provided and payments due in respect of them.

Optometrists and dispensing opticians are therefore subject to duties under the DPA as outlined below:

(1)   Notify the Information Commissioner’s Office where personal data is processed on computer or automatically, e.g. using a field screener which stores the results electronically, and is used for the purpose of treatment, rather than as a record of goods/services provided. Notification is similarly required if you have equipment which is capable of processing data automatically, but you do not use it to do so – see example 3, below.

Example 1: Where full patient records are stored on computer, with the information either typed in or scanned in from records held on paper, the data controller must notify the Information Commissioner’s Office.

Example 2: Where equipment such as digital cameras or field screeners is used and the personal data it gathers is stored electronically, you must notify the Information Commissioner’s Office.

Example 3: You have a field screener which is capable of storing information electronically but you print out the results and do not store them electronically. You must notify the Information Commissioner’s Office.

(2)   No requirement to notify the Information Commissioner’s Office where personal data is not processed on computer or automatically – see above.

(3)   No requirement to notify if you process personal data on computer or automatically simply for the purposes of (a) staff administration, (b) advertising, marketing and public relations, or (c) accounts and records.

Example 1: You store patients’ names and addresses on computer to write to them regarding your services or to recall them for appointments (see (b) and (c) above).

Example 2: You keep your appointments diary on computer.

It is unclear whether you will need to notify the Information Commissioner’s Office if you keep on computer a brief indication of a patient’s condition, e.g. “glaucoma” or a coded reference “g”. If the information is being stored for the purpose of treatment, then you will have to notify the Commission; if it is there merely as a record of services provided, then you will not have to notify.

(4)   Compliance with the DPA.

Data controllers must comply with the provisions of the 1998 Act even if they are exempt from notification.

There are eight Data Protection Principles.

In summary they require that data shall be:

1.    fairly and lawfully processed;

2.    processed for limited purposes;

3.    adequate, relevant and not excessive;

4.    accurate;

5.    not kept longer than necessary;

6.    processed in accordance with the data subjects’ rights;

7.    secure;

8.    not transferred to countries outside the EEA without adequate protection.

Further information about compliance with the Data Protection Act 1998 can be obtained from the Information Commissioner’s Office as follows:

Website: www.dataprotection.gov.uk

Information telephone line: 01625 545745

Post:

Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Notification Department:

Telephone helpline: 01625 545740

e-mail: data@notification.demon.co.uk

Fax: 01625 545748