The Data Protection Act 1998 (DPA) was passed in order to implement the European Data Protection Directive and applies to all personal data which are held either electronically or in a manual filing system.
The British Acupuncture Council (BAcC) is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
The BAcC holds personal information about individuals such as employees, members, applicants, subcontractors, suppliers and others, defined as 'data subjects' in the Act. Such data must only be processed in accordance with this policy. Any breach of the policy may result in the BAcC, as the registered 'data controller', being liable in law for the consequences of the breach. This liability may extend to the individual processing the data, and to his/her line manager under certain circumstances.
All data users must comply with the eight data protection principles. The principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
The DPA defines both 'personal data' and 'sensitive personal data'. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
Personal data has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images. Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record.
All members of BAcC staff, Board members, committee members and subcontractors have a responsibility to ensure compliance with the Act and this policy, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within the BAcC have a responsibility to ensure that they process the data in accordance with the eight data protection principles and the other conditions set down in the DPA.
The BAcC will perform periodic audits to ensure compliance with this policy and the Act and to ensure that the notification is kept up to date.
The BAcC's HR and facilities manager is responsible for ensuring compliance with the Data Protection Act and implementation of this policy on behalf of the BAcC. She can be contacted at:
British Acupuncture Council63 Jeddo RoadLondon W12 9HQ
The Act gives data subjects a right to access personal data held about them by the BAcC, and allows the BAcC to charge a fee for such access (up to a prescribed maximum). The BAcC will seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the data protection principles. A record must be kept of all requests for access to personal data.
All formal subject access requests must be responded to within the terms laid down by the Act, and must be notified to the chief executive and HR and facilities manager as soon as they are received.
The BAcC aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days of receipt of a request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request. The BAcC will normally charge the prescribed maximum fee (currently £10) for subject access requests.
The need to process data for normal purposes will have been communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained. Processing may be necessary to operate BAcC policies, such as health and safety and equal opportunities.
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Some forms of data need to be retained longer than others to comply with legal and other requirements. This applies to both electronic and non-electronic personal data.
All BAcC users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.
If you have any questions about acupuncture, browse our archive or ask an expert.
Research based factsheets have been prepared for over 60 conditions especially for this website
Catch up with the latest news on acupuncture in the national media
Keep up to date with our news or join the #acupuncture conversation
Thinking about trying acupuncture?
Have a look at our Frequently asked questions, browse our video testimonials or the Ask an expert area
63 Jeddo RoadLondon W12 9HQPhone: 020 8735 0400
Fax: 020 8735 0404