Supporting Caldicott Guardians across the UK


The Data Protection Act 2018 and the GDPR

The Data Protection Act (DPA) 2018 received Royal Assent on 23rd May 2018 and came into law on 24th, one day before the European Union General Data Protection Regulation (GDPR) came into force in EU member states. The new DPA supersedes the 1998 Act, and incorporates the GDPR into UK law with a few discretionary changes (derogations) which allow member states to customise certain aspects.

The Act applies to information about identifiable, living individuals. It protects and enhances individuals’ rights, and places legal obligations on organisations. It is the primary legislation underpinning the Caldicott Guardian’s activities. It relates to personal data, that is data that relates to a living individual from which that individual could be identified — either from that data alone, or from that data in conjunction with other information in the possession of the data controller, or information which would be reasonably accessible to anyone else.

The major changes that the GDPR brings to the Act are a requirement for greater transparency regarding how organisations use personal data, including being able to demonstrate compliance and the legal bases on which data is being processed, enhanced rights for data subjects, and increased financial penalties.

The GDPR Article5 provides six principles that apply to all use and disclosure of personal information, and data controllers must be able to demonstrate compliance with these ('accountability'). The principles concord well with the Caldicott principles, and Caldicott Guardians should be familiar with and work to both. In addition to satisfying these six principles, organisations must be able to provide a legal basis from Article 6 of the GDPR and, if appropriate, from Article 9. Where personal information is held in confidence (e.g. health records or case file information), common law obligations additionally require the consent of the information subject before it is disclosed to a third party, unless there is another legal justification -- including where exceptional circumstances apply, for example the prevention and detection of crime.

Guidance on the implementation of the GDPR

This page last updated 17th December, 2018