NHS SOUTH WEST
INFORMATION AND LIBRARY SERVICES DEVELOPMENT
BRIEFING FOR NHS LIBRARIES ON THE DATA PROTECTION ACT 1998
1] Disclaimer
These notes have been produced as a guide to the changes in Data Protection
legislation as they may affect NHS libraries. ILSD accepts no liability for any loss or
damage resulting from their use. Further guidance notes can be found on the
Information Commissioner’s Website at: www.dataprotection.gov.uk
2] What’s new
The Data Protection Act 1998 is based on an EC directive and came into force in March
2000. The Act is founded on eight principles, and compliance is more about adhering to
the principles than keeping to specific systems. There are several new concepts
such as that of the Data Controller, i.e. the person, people or organisation responsible
for setting out why and how personal data is processed. “Data processors” are defined
as people who process the data other than the Data Controller or their employees. A
new role of “Information Commissioner” also replaces that of the former Data Protection
Registrar. The old registration process has been scrapped in favour of a simplified
“notification” system and most manual records are now subject to the Act.
3] What data is covered?
The Act is broader in scope than the 1984 Act and covers not only personal data held in
digitised records, but also manual records (including written records of telephone
transactions) where information relating to individuals is “held in a relevant filing system”.
CCTV is also covered. From 24th October 2001 the only exemptions that apply are to
records that existed before 24th October 1998 and manual data “not held in a relevant
filing system”. There is a transition period until 23 October 2007 for data held in a
“relevant filing system” on 24th October 1998 allowing certain exceptions, but most of the
provisions of the legislation already apply to it.
What is “a relevant filing system”? This is open to interpretation and advice from the
Information Commissioner’s Office is that although this is a “grey area”, manual issue
and inter-library loan systems which file forms under author or journal title, could be
considered included, especially if there are relatively small numbers of records in them.
Under the spirit of the Act and its underlying principles, libraries are advised to treat such
records as covered by the Act.
Under the new Act, holding a person’s name together with some other piece of information
which could identify them means that the data is subject to the Act.
4] Rights of individuals
Individuals have powerful rights which include being entitled to apply to gain access to
any data held about them. They may also be entitled to claim substantial compensation.
Data controllers can be fined not only if the content of records does not comply with the
Act, but also if adequate systems are not in place for compiling and accessing records.
People should be informed what data is held about them, how and why it is held and
who can access it. If the use for the personal data a library requests is obvious (e.g. a
requester’s name and address for an inter-library loan) then it is not thought essential to
put a data protection statement on every form. As long as data subjects are informed
about what they legally need to know, the means of informing them is less important.
Ticher (3) has some examples of how this may be done and these include notices,
prominent notices about the use of CCTV, and putting relevant information in a
“welcome letter”.
5] Responsibilities of data controllers
Data controllers have to decide what data is held, how and why it is held and who can
access it. They are responsible for notifying this to the Information Commissioner and for
describing how a database will be kept secure. NHS organisations normally have a Data
Protection Compliance Officer who is responsible for this “notification” on behalf of their
organisation, and librarians should check with them that data held by the library service
is adequately covered by the parent organisation’s registration. Manual processing of
data is exempt from notification.
Data controllers can only hold personal data if certain conditions are met, one of which
focuses on obtaining consent. It is good practice to seek consent to hold personal data
but it is not required in every case as there are conditions laid down which define “fair”
processing. It is probably not essential for libraries to obtain written permission to
process personal data where a person requests a service which necessarily involves the
library requiring their name and contact details, e.g. an inter-library loan request. By
supplying it for that purpose they are effectively giving permission. Permission would be
needed if the use for the data was not obvious. Also if library users are internal to the
library’s parent organisation they have probably given adequate permission upon joining
the organisation. However, libraries can probably best ensure compliance with the law
by a] registering users who require those services where records containing personal
data are kept, and b] obtaining permission to store and process personal data at the time
of registration. Information which must be given to the “data subject” can then be
supplied at the same time.
6] What data can and cannot be used
Data controllers are only permitted to process data for the purposes notified. “Sensitive”
data (such as information about personal health, race, religion, political views, criminal
offences, trade union membership etc.) can only be held under strict conditions. This will
probably not significantly affect libraries but it is something about which librarians should
be aware, particularly with respect to written records of staff appraisals.
Data obtained from outside the EC is covered by the Act; the law in the country where it
is processed applies. (Data should only be transferred outside the EC if the destination
country has adequate legislation.)
6] How might the new Act affect NHS libraries specifically?
a] It is wise to ensure that consent is obtained from, and adequate information given
to, people whose personal data the library will be processing. (See paragraph 5 above.)
b] One of the Data Protection Principles is that measures need to be taken to
ensure against unauthorised processing, loss, destruction of, or damage to personal
data. Check:
• That any records, loan slips, request forms, registration cards etc. are inaccessible to
  library users;
• That data screens at library reception cannot be read by library users;
• Security of boxes where requests, forms etc. are posted (could they be stolen or
  opened?);
• Security of files of registration forms, requests, loans etc. (could they be stolen or
  opened?);
• That names of previous borrowers on loan slips which are retained inside library
  books are rendered unreadable, as it is possible that systems which file
  requests/loan records by author or title constitute a “relevant filing system”;
• That any files containing staff data are secure and offices/work areas where personal
  data are stored are not left unattended unless the data is locked away;
• That any paper records containing personal data (other than data not stored in a
  “relevant filing system”) are treated as confidential waste and burnt or shredded;
• That staff have been properly trained and continue to be aware of what they can and
  cannot do and of their responsibilities with respect to data security generally;
• That data security procedures are regularly reviewed;
• Whether e-mails containing personal data could be encrypted to improve security.
c] Under the Data Protection Principles, staff should only be given access to as
much data as they need to do their jobs. Library managers will need to consider ways to
achieve this. (For example, do library assistants need to have access to people’s home
addresses?)
d] Data must be “accurate”. Transactions recorded by library staff (e.g. requests
taken down over the phone) have therefore to be accurate because failure to record
transactions properly could breach the Act.
e] Data must also be “adequate, relevant and not excessive”. It must be
demonstrated that it is necessary to hold any personal data and the practice of keeping
“nice to have” but non-essential data should be discontinued. For example, do home
addresses for all library users need to be obtained?
f] Data should be “kept up to date” where necessary and “not held longer than
necessary”. Library managers will need to ask if personal information will be needed
again, and if it would matter if it wasn’t available. If the answer to both questions is “yes”
then it will probably be deemed legal to retain it. If records are to be kept, can they be
anonymised? (E.g. keep a survey report but destroy the original forms. Can the library
system anonymise loan data after so long?) Remember too that destruction of records
is regarded as “processing” under the Act, so that too has to be “fair” and secure. Library
managers will need to decide how long it is reasonable to retain data, e.g. overdue and
fines details. If a user relies on you to retain, for example, search requests, and you
destroy them, that could be regarded as unfair. However, the biggest issue, especially
for those without automated systems, is finding adequate means to ensure that user
registers are kept up to date. This will need to cover how and how often to verify existing
records; how to ensure changes which have been notified by users are included and
how to regularly weed out records for people who have left.
g] Data can only be processed for the purposes specified and for which consent
has been obtained. There are restrictions on “direct marketing” which although rather
unclear and largely applying to commercial organisations, could be construed as
applying to activities such as inviting independent sector subscribers to renew their
library membership or inviting registered users to free events. It is therefore advisable to
ask people’s permission to use their data for such purposes at initial registration. They
should however be offered the facility to “opt out” and means will need to be provided to
ensure that this request is honoured.
h] People have a right to see data held about themselves, and that includes all
performance review and personnel records. It is therefore advisable to follow your
Personnel Department’s instructions about holding any files, and it is good practice to
ensure that staff are advised about any complaint made against them before it is
recorded on their personal file.
i] Fair processing means that covert monitoring of staff should be avoided. People
should therefore be informed if CCTV is in operation. This could be done, for example, by
posting a notice and/or putting a note in the library guide etc. Monitoring and processing
of monitoring data is also subject to the data protection principles so adequate
procedures will need to be established and documented about how, for example, CCTV
tapes are viewed.
7] What should library managers do? – A checklist for action.
1. Examine all manual and electronic records, including those held in branch libraries
and records of telephone transactions, to decide if they contain any personal data.
(See section 2 for exceptions.)
2. Prepare for “notification” by writing down:
   • Description of the data held.
   • The purpose for holding it.
   • Who has access.
   • How long it will be held for.
3. Establish adequate measures (policies and procedures) to ensure the security of
those systems or databases containing personal data (these too have to be
described in the “notification”).
4. Ensure that all these are included in, or covered by, your parent organisation’s formal
notification to the Information Commissioner.
5. Establish adequate means for obtaining “data subjects’” consent to hold and use
personal data. (Personnel records for your staff should have been covered by your
parent organisation.)
6. Train your staff:
   • About the Act.
   • About any new procedures.
   • About how any new procedures affect their working practices.
   • About data security.
   • About everyone’s personal liability under the Act.
7. Review when anything changes (e.g. introduction of new systems, services etc.).
Val Trinder, January 2002
References
1] Data protection act 1998. HMSO, 1998. Also available from
www.hmso.gov.uk/acts.htm
2] www.dataprotection.gov.uk last viewed on 12th December 2001.
3] Ticher, P. Data protection for library and information services. London: Aslib-IMI,
2001. ISBN 0 85142 467 8.
4] Simplified guide to the data protection act 1998: to assist businesses holding
personal information on customers, suppliers, directors, shareholders or others.
Nottingham: Experian Information Services Division, n.d.
www.uk.experian.com/motor/samples/databk.pdf last viewed on 9th January 2002.
5] The data protection act 1998. JISC Senior management briefing paper 9. JISC
ASSIST, 1999.