The DPA 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles.’ They must make sure the information is:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Biometrics (where used for identification)
- Sex life or orientation
LOCSU has written guidance and templates on GDPR for LOCs to help them understand the changes and actions that they need to take.
- General Data Protection Regulation (GDPR) guidance Part 1 (Mar 2018)
- General Data Protection Regulation (GDPR) guidance Part 2 (Apr 2018)
- GDPR Data Audit template (Apr 2018)
Practices should refer to the guidance from the Optical Confederation issued in July 2018.
Registration with the Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (data controllers) must pay the ICO a data protection fee unless they are exempt.
LOCSU’s guidance is that LOCs should register as Data Controllers with the ICO. This is due to them not being not-for-profit organisation and, as such, not being exempt. In addition, personal data is shared between two data controllers, for instance, with the GOC when running CET courses.