Data Protection Act 1998

In this series of articles, medical students from across the country will discuss a range of topics from medical ethics to the NHS to public health to medical conditions to clinical governance.

These articles give you an overview of the principles; understanding the overlap between topics will allow you to develop a more detailed insight into medicine.


The Data Protection Act 1998 is the piece of UK legislation that governs the handling and protection of people's personal data. Any organisation that decides how and why personal information relating to identifiable individuals is used or stored is, in the language of the Act, the ‘data controller’, and it is the data controller who carries the legal obligations set out below.

The terms personal information and personal data are often used interchangeably, but their definitions differ slightly. Personal information is the broader term: it covers all information held about people, whether living or dead. In a healthcare context it includes medical records, whether handwritten or held on a computer system, and everything recorded within them.

Personal data has a narrower, legally defined meaning. It is information held about a living person which, either on its own or when combined with other data that is available, could identify the patient in question. Only personal data in this sense falls within the scope of the Act.

💽 Eight Principles

The Data Protection Act 1998 sets out eight key principles that ‘data controllers’ must adhere to:

  • Personal data needs to be processed fairly and lawfully

  • Personal data must be obtained only for specified, lawful purposes and not further processed in a way incompatible with those purposes

  • The data collected must be adequate, relevant and not excessive

  • The data collected must be accurate and up to date

  • The data must not be kept for longer than necessary

  • Personal data must be processed in accordance with the rights of the individual it relates to

  • Appropriate technical and organisational measures must be taken to keep the data secure against unauthorised or unlawful processing and against accidental loss, destruction or damage

  • Personal data must not be transferred outside the EEA (European Economic Area) unless the destination country ensures an adequate level of protection for it.

Adherence to these principles is monitored and enforced by the Information Commissioner.

When the Data Protection Act is applied in a healthcare setting, some of its more stringent requirements do not apply to particular types of healthcare research. An example is the use of anonymised linked data in epidemiological research, which is permitted under the Act's research ‘exemption’. This exemption is narrow, however: it does not remove the duty of confidentiality, and research work must also comply with the Caldicott Principles in addition to the Act.

📖Caldicott Principles

In summary, any research that makes use of pre-existing data sets or stored samples needs permission from the organisation's Caldicott Guardian, the senior person responsible for protecting the confidentiality of patient information. The Caldicott Principles require the researcher requesting the data to justify the purpose for which it will be used, to avoid patient-identifiable information unless it is absolutely necessary, to use the minimum information required, and to restrict access to the data to a strict need-to-know basis. The Caldicott Principles were introduced in 1997 and apply in addition to, rather than instead of, the eight principles of the Data Protection Act 1998.

Additionally, the Research Governance Framework for Health and Social Care incorporates the principles of the Data Protection Act and requires that, in a research setting, the correct and appropriate use and protection of patients' personal data is treated as the highest priority.

The high level of care expected when handling personal information is reflected in the laws described above and in the rules that ‘data controllers’ must follow. Everyone involved in research must therefore be aware of their legal and ethical duties when handling sensitive data. The number of legal safeguards governing the safe collection, storage and use of data underlines the importance of consent (to the use of personal data) and confidentiality within healthcare.
