As Racial Ethnic Origin data is defined as a sensitive data catagory in part
1 Section 2 of the Act then principle 1 requires processing conditions to be
met. In addition to both lawful and fair processing.

Sensitive data processing requires both a schedule 2 and schedule 3
condition to be fufilled.

I would be interested in which conditions one from schedule 2 and one from
schedule 3 are to be argued where a patient does not give or withdraws
consent to the 'processing' of any Racial or Ethnic origin data. Clearly one
way individuals tend to protect themselves from potential misuse of data is
not to supply such data or supply incorrect data.

Schedule 3 has a variety of conditions which may apply to such data but the
tests are reasonably strict and have to be set in the context of the persons
processing and appropriate statutes .

a) Schedule 3  Section 2 links the processing as necessary for employment
law

b) Schedule 3  Section 3 links to life threatening circumstances where
consent cannot be obtained

c) Schedule 3  Section 8 links to medical purposes by a health professional
or equivalent and required for medical research if this is the argued use.
Note that  medical research was not referenced in the directive (See Article
8 Sub Section 3) and appears to be an addition by the UK government in
transposing the Act (some say unlawfully).  This I believe leaves any
processing justified by this activity open to challenge by individuals by
reference to the underlying directive.

d) Schedule 3  Section 9 Necessary for equality to be maintained but must be
processed with appropriate safeguards. Secretary of state can define the
limits of appropriate safeguards by Order.

e) Schedule 3 Section 10 processing where defined in a seperate order.

In the DOH example
Which processing condition in schedule 2 and 3 are to be argued?
Will all NHS offices without central guidance argue these consistently?
Is the data retained after passing to the DOH? If so what is its registered
purpose and the justification that it is being retained no longer than is
necesary for its purpose?

If the only reason for any processing is because a body is obliged by
statute to collect on behalf a person who is authorised by statute to hold
such data, and they have no reason of their own to collect, then are they
only a processor. (A person only becomes a controller under the DPA 98 if
they control both the purpose and the manner of processing).

To work these thing out an understanding of the legal status of persons in
the processing chain is required and their relationship to each other. No
easy task for either the persons collecting or the data subject who may feel
a breach is occuring in processing without consent.

Id be interested in any views posted?

Dave Wyatt

----- Original Message -----
From: <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, February 08, 2000 9:09 AM
Subject: Re: Ethnic Origin Collection


> Comments received are as  I expected.  However, I only asked the
> question since I have been passed some documentation which are comments
> derived from the NHS Management Executive letter (dated 25 Oct 93),
> which states this:
> Breaching the Data Protection Principles
> The Unit would need to ensure that the following data protection
> principles are not breached;
> First principle: Information should be obtained fairly i.e. patients
> should be given notice of the uses and disclosures of their personal
> data (A small section in the patients handbook informs the patient of
> access to that information but not on it uses and disclosures)
> Fourth principle: Information held on that patient should be sufficient
> and not more than sufficient for the purpose for which the data is
> held.  Holding information in relation to ethnic origin as part of the
> CMDS (or CDS) must be justified in terms of the use the Unit will or
> intends to make of it.  The Unit will be breaking the Data Protection
> Act by collecting ethnic origin solely because it forms part of the CMDS
> (CDS).
> I have no problems in collecting the data, I do not want to be awkward.
> However,  I do not want to find that the Trust has to stand alone if
> there is a complaint.
>
> Su Clarke
> Glenfield Hospitals
> Leicester
>
>
>



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%