Confidentiality and data protection

The Data Protection Act 2018 is a law that empowers and protects the rights of individuals when it comes to the processing of their personal data.

The new Act was implemented alongside the General Data Protection Regulation 2016 (GDPR) with both coming into force in 2018.

It had been updated to expand the definition of personal data to include biometric data and revise the special category data (sensitive personal data).

An accountability principle has also been added which is designed to ensure that all Data Controllers (the Royal Devon) have further accountability when it comes to ensuring that the data subject's information is processed in accordance with the principles.

There are six further principles that, if broken, can lead to prosecution not only for the Royal Devon but of the individual employee. These state that data must be:

  • Lawfulness, fairness and transparency 
  • Purpose limitation
  • Data minimisation
  • Accuracy 
  • Storage limitation
  • Integrity and confidentiality (security) 

The Incident reporting framework has also been updated with all organisations now having a 72 hour reporting deadline. The fee for a monetary penalty has also risen from £500,000 to 20 million Euros or 4% of the gross annual turnover of the organisation. There will be a tiered approach depending on the size of the business and the level of data that has been breached.

It also changes the rules on consent and extends individuals rights to include:

  • Right to be informed
  • Right to erasure
  • Right to rectification
  • Further information can be found on the ICO website

The Data Protection Officer can be contacted at the below email address:

For further details, please see:

Last updated: October 06, 2023.


Our site uses cookies to help give you a better experience. By continuing to use it you consent to the use of cookies as set out in our privacy policy.