The National Treasury Management Agency (Amendment) Act 2000 (the Act) assigns claims and risk management functions for Delegated State Authorities (DSAs) to the State Claims Agency (SCA). In furtherance of this role, Section 11 of the Act requires DSAs to report adverse incidents giving rise to personal injury or property damage to the SCA. These incidents are entered and managed via a secure web-based management system, the National Incident Management System (NIMS). The collection of this data gives rise to Data Protection Act considerations.
The purpose of the Data Protection Acts is to safeguard the privacy rights of individuals in relation to the processing of their personal information. While a person has in the ordinary course a right to object to the use of his/her personal data, this right does not apply in certain circumstances, including where he/she has given consent to the use of data, where the use is necessary for an agreed contractual obligation, or the use is required by law.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Incident reporting will by its nature include reference to personal data such as names, addresses and contact details.
DSAs constitute data controllers, as defined by the Data Protection Acts, being a party who, either alone or with others, controls the contents and use of personal data. They must therefore be cognisant of their obligations as defined by the Data Protection Acts when complying with their statutory reporting obligations.
In relation to personal data, the Data Protection Acts mean that data controllers are obliged to:
- Obtain and process personal information fairly;
- Keep information only for one or more specified, explicit and lawful purposes;
- Use and disclose it only in ways compatible with these purposes;
- Keep it safe and secure;
- Keep it accurate, complete and up to date;
- Ensure that it is adequate, relevant and not excessive;
- Retain it no longer than is necessary for the purpose or purposes;
- Give the data subject a copy of their personal data in intelligible form on request.
Importantly, data controllers are also required to take appropriate security measures against unauthorised access, disclosure or destruction of the data, in particular where the processing involves a transmission of data over a network. With regard to NIMS, therefore, DSAs should give consideration to issues such as access and ensure use of NIMS by staff is limited to what is required to fulfil their reporting obligations while keeping the data secure from unauthorised access and disclosure.
Article by: Pamela Potterton,
Litigation Solicitor, SCA