Protecting Personal Information
The Commission uses the European Convention on Human Rights (ECHR) and other international human rights standards as a basis for examining any legislative or policy proposal. It also takes account of relevant domestic legislation, including the Human Rights Act 1998 (which gave effect at national level to the ECHR) and, in the context of this consultation, the Data Protection Act 1998 (DPA). The Commission always promotes best practice in relation to human rights issues, rather than minimal compliance, and so it also takes account of policy documents such as the Department’s guidance on Protection and Use of Patient and Client Information.
In general terms, the Commission believes that personal information held by health and personal social services (HPSS) agencies should be managed in accordance with the principles of confidentiality, security, accountability and transparency. The Data Protection Principles set out in the DPA should be complied with. This means, for example, that data should be collected only for proper purposes; it should be used for those purposes; patients and clients should be made aware of who will have access to it, and for what purposes; and patients and clients should have access to all the data other than in certain exceptional circumstances. In most circumstances informed consent to the collection, retention and use of data should be sought.