All staff are expected to apply the policy and to seek advice when required.

We fully endorse three fundamental information principles:

1. Information lies at the heart of our business.
2. Second to our staff, information is our most important asset.
3. Our reputation will be based on how we handle information and are seen to do so by others.

The NHS IC needs to collect and use certain types of information about people we deal with in order to operate. These include current, past and prospective employees, stakeholder organisations, members of the public, suppliers and others.

The NHS IC is also required by law to collect and process personal information in order to meet its public task as the single authoritative source of health and social care information. This personal information is handled with the utmost care and attention – whether on paper, electronically, or other means – safeguards are in place to ensure the Data Protection Act 1998 is adhered to.

The NHS IC regards the fair and lawful processing of personal information as essential in order to successfully achieve its objectives and ensure the support and confidence of the general public and stakeholders.

The Principles of The Data Protection Act 1998, as set out below are fully endorsed by the NHS IC. The eight principles require that personal information:

1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose of those purposes.
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
4. Shall be accurate and, where necessary, kept up to date
5. Shall not be kept for longer that is necessary for the specified purpose(s)
6. Shall be processed in accordance with the rights of data subjects under the Act
7. Should be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction, or damage to personal data
8. Shall not be transferred to a country or territory outside the European economic area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.