Jump to main content

Data Protection

Home » Your right to know » Access to information » Data Protection

The Data Protection Act is changing.

On 25 May 2018, the Data Protection Act will be replaced by the General Data Protection Regulation, which is designed to give you better control of what happens with your personal data, in the UK, the EU and globally.

Like the Data Protect Act, the Regulation will provide living individuals with the right to access their personal information held and used by the Service. The Regulation governs how the Service can use this personal information; including how we acquire, store, share or dispose of it. It also allows you to ask the Service to check the accuracy of your data, to alter any inaccuracies or delete data held on file.

As a Data Controllers, the Service will still have to register with the Information Commissioners Office on an annual basis and the Data Protection Public Register can be viewed on the ICO's website. This includes the name and address of all registered organisations and describes the kind of data processing they do.

Personal information held by the Service can only be accessed by:

  • Service staff who have a legitimate reason to do so, for example Human Resources personnel reviewing employment records.
  • You (the Data Subject)
  • Someone acting on your behalf with your written permission or
  • Where there is a valid reason to see or share your data, for example passing a welfare concern onto the NHS.

There are currently eight Data Protection Principles but from May 2018, there will be six:

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


Personal data shall be accurate and, where necessary, kept up to date.

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.