We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Impact assessment

Human Tissue (Authorisation) (Scotland) Bill: DPIA

Published
11 June 2018
Directorate
Population Health Directorate
ISBN
9781788519397

The Data Protection Impact Assessment (DPIA) for the Human Tissue (Authorisation) (Scotland) Bill explores how the Bill impacts on personal data and privacy.

View supporting documents Supporting documents

6. The Data Protection Act (DPA) and General Data Protection Regulation (GDPR) Principles

Principle Compliant – Yes/No Description of how you have complied
6.1 DPA Principle 1 and GDPR Principle 1 – fair and lawful, and meeting the conditions for processing YES NHSBT Privacy notice www.nhsbt.nhs.uk/privacy/
Principle Compliant – Yes/No Description of how you have complied
6.2 DPA Principle 2 and GDPR Principle 2 – purpose limitation YES Information only used for the purposes of including data on ODR
Principle Compliant – Yes/No Description of how you have complied
6.3 DPA Principle 3 and GDPR Principle 3 – adequacy, relevance and data minimisation YES Role based access to data on ODR, unique reference number used in place of identifiable data wherever possible
Principle Compliant – Yes/No Description of how you have complied
6.4 DPA Principle 4 and GDPR Principle 4 – accurate, kept up to date, deletion YES Data integrity audits
Principle Compliant – Yes/No Description of how you have complied
6.5 DPA Principle 5 and GDPR Principle 5 – kept for no longer than necessary, anonymization YES NHS minimum retention periods
Principle Compliant – Yes/No Description of how you have complied
6.6 DPA Principle 6 and GDPR Articles 12-22 – data subject rights YES Compliant with all including the right to be forgotten on ODR
Principle Compliant – Yes/No Description of how you have complied
6.7 DPA Principle 7 and GDPR Principle 6 - security YES Role based access, regular audits and contracts and/or information sharing agreements in place with all third parties
Principle Compliant – Yes/No Description of how you have complied
6.8 DPA Principle 8 and GDPR Article 24 - Personal data shall not be transferred to a country or territory outside the European Economic Area. N/A Data from ODR not processed outside the UK

Contact

Back to top