Principles of data protection

First principle

Personal data shall be processed fairly and lawfully. Patients must be informed how personal data are to be used and that confidentiality will be maintained. No unfair pressure must be applied in obtaining data. Patients must give their consent to data processing and/or processing must be 'necessary'. Processing for medical purposes, including medical research, is considered necessary.

Second principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. For patients in trials, the purpose is research and statistical analysis. This principle is not breached by providing data to other collaborators involved in the clinical research programme (but see the eighth principle).

Third principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. This is a valuable principle to bear in mind when designing trial protocols and forms. Information should not be collected on the basis that it might possibly be useful in the future without a view of how it will be used.

Fourth principle

Personal data shall be accurate and, where necessary, kept up to date. This is a crucial principle of good data management. If and when inaccuracies are discovered, they should be corrected without delay.

Fifth principle

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. This principle is not breached by keeping data indefinitely, provided that the purposes for doing so are clear.

Sixth principle

Personal data shall be processed in accordance with the rights of data subjects under this Act. This principle establishes the right of a person to have access to personal data and, where appropriate, to have such data corrected or deleted.

Seventh principle

Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Efficient procedures must be instituted to ensure that this principle is observed. There should be documented security procedures and contingency plans for avoiding and/or dealing with emergencies such as theft, vandalism, fire and flooding, and all members of staff should be familiar with them. Backup procedures should permit rapid recovery of essential data and the re-establishment of office functions as soon as possible following an emergency.

Eighth principle

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The European Economic Area consists of the fifteen EU member states together with Iceland, Liechtenstein and Norway. This principle is complied with if data subjects give their consent to the transfer.
