skip to main content

Easy Read Information

Data Protection is how we keep people's information safe and confidential.

The Data Protection Act is the law about how to look after people's information.

This page explains more about Data Protection and the law and rules which we have to follow.



What we do

The Data Protection Office was created to address Data Protection issues within the Trust and the implementation of Information Security. Our team is responsible for training all clerical staff within the Trust on aspects of the Data Protection Act, Trust related policies and Information Security.

The data protection principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions from schedule two is met, and in the case of sensitive data, at least one of the conditions in schedule three is met - see below.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose of purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data.

What is a Schedule 2 and Schedule 3 condition?

These are conditions that must be satisfied for processing of data to comply with the First Principle, which go in addition to the general requirement that data must always be processed fairly and lawfully.

Schedule 2 refers to the processing of personal data, and includes such conditions as whether the person in question has given consent to the processing of that information, or whether it is necessary for legal compliance. Schedule 3 refers to the processing of sensitive personal data, and features a more stringent set of parameters, including those above.

For more information on the specific details of each condition please refer to the full text of the Data Protection Act 1998, which can be located here.

The Caldicott Principles

In addition, there are six Caldicott Principles that help compliment the Data Protection Act, and help this Trust and others when it comes to safeguarding the information that we hold about you.

These principles were initially highlighted in the Government's 1997 "Caldicott report", which can be read here. In summary, the principles are;

  1. Justify the purpose of holding information - Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continued usages of the same information being reviewed regularly by a suitable guardian.
  2. Do not use patient identifiable information unless absolutely necessary - Patient identifiable information should not be included unless it is essential for the specified purpose it is being obtained for. The need for patients to be identified should be considered at each stage of trying to satisfy this purpose.
  3. Use the minimum amount of patient identifiable information necessary - When the use of such information is considered to be essential, the inclusion of each individual item of information should be considered and justified, so the minimum amount of information as is necessary is used for the given function to be carried out.
  4. Access to patient identifiable information should be on a strict need to know basis - Only those individuals who need access to the information should have it, and they should only have access to the parts of the information they need to see. This may mean introducing access controls or splitting up the information used if it is used for multiple purposes.
  5. Everyone with access to patient identifiable information should be aware of their responsibilities - Action should be taken to ensure that any member of staff holding such information are made fully aware of their responsibilities and obligations to respect patient information.
  6. Everyone using the information must understand and comply with the law - Every use of patient identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements. This person is titled the Caldicott Guardian.

Contact us

Royal Liverpool University Hospital,
1st Floor,
Derwent House

0151 706 2944

Typetalk 18001 0151 706 2944

You can email Equality and Diversity here