Where your application involves personal data (identifiable data in the context of DARS On-line), it is a legal requirement under the Data Protection Act (first principle) that personal data must be processed fairly and lawfully.
The Data Protection Act 1998 (DPA) does not define fair processing but stipulates that, in order for the processing of such data to be fair, the data controller (that is, the organisation that determines the purposes and manner in which any personal data are to be processed and is therefore in control of processing the data) has a legal obligation to make certain information available to the data subjects, most commonly by providing a privacy notice (PN). The ICO (Information Commissioner's Office) code of practice uses the term 'privacy notice' to describe all the information that an organisation makes available or provides to individuals when it collects information about them. Typically this information may be provided through a website, a regular newsletter, ad hoc communication or direct contact (such as face-to-face meetings).
When NHS Digital considers fair processing as part of an application, we look to see how the Data Controller is keeping individuals informed about how their personal data is used.
If your application involves the flow of identifiable data and thus requires evidence of fair processing, your Privacy Notice must meet the following criteria before your data sharing agreement can be approved.
It must be:
- visible to any member of the public when visiting the organisation's website
- clear and truthful - it must not include statements that may lead the public to believe that they can exercise choice over the collection and use of their personal information when they really cannot, for example the use of misleading or contradictory statements
- clear who the Data Controller (DC) is and how to contact them
- clear what level of data is collected - whether the individual is directly identified, or could be indirectly identified if combined with other data, or whether the individual cannot be identified
- clear where data is collected from - for example, GP records, hospital records
- clear for what purpose or purposes the data is processed
- clear who the data is shared with
- clear what the opt-out method is
The following criteria are preferable but not currently mandatory.
It should be:
- written in simple plain English and avoid technical and legalistic language
It should specify:
- who collects the data - is it an organisation (or organisations) different from the data controller?
- the type of identifiers collected and used
- whether sensitive information is collected and used
- details about linkage with other datasets
- the specific tasks and activities for which the data is processed
- which organisations have access to the data
- what organisations share the data, in what manner and for what purpose
- who the data processors are
- how long the data is stored for
- how the information is kept safe
- how the information is kept confidential
Please note that this page will be updated in accordance with the GDPR and Data Protection Act changes that will take effect during 2018.