Data protection policy


1 This document is the data protection policy for the Nursing and Midwifery Council (NMC).
2 The Data Protection Act 1998 (DPA) governs the processing of personal data including the release of personal data, in the UK. It requires that personal data and sensitive personal data must be processed by data controllers in accordance with the eight data protection principles. The DPA implements the EU Data Protection Directive 95/46/EC.
3 The NMC is a data controller under the DPA.
4 All processing of personal data by or on behalf of the NMC must comply with the DPA.

Aims of the policy

5 The aims of the data protection policy are:
5.1 to state the NMC’s commitment to compliance with the DPA and the eight data protection principles
5.2 to outline how the NMC will achieve compliance with the DPA
5.3 to state the responsibility of all those working for or on behalf of the NMC to comply with the DPA.


6 This policy applies to all personal information as defined by the DPA, in both electronic and paper form, held by the NMC, transferred to or exchanged with third parties, or held by third parties on behalf of the NMC.
7 This policy is related the Information security policy and the ICT user policy, and informs other policies such as HR policies and data sharing policies.
Roles and responsibilities
8 The ultimate responsibility for the NMC’s compliance with the DPA lies with the Chief Executive and Registrar who is the Data Protection Coordinator for the NMC.
9 Day to day responsibilities for data protection matters may be delegated to the other roles within NMC.
10 Managers within every business area are responsible for implementing data protection policies and procedures in their areas including with the third parties that they manage.
11 All those working for and on behalf of the NMC must comply with this policy.
12 The Directors are responsible for maintaining this policy and may delegate responsibility for approving changes to the policy to the Information Governance and Security Group (IGSG).

Policy review

13 This policy will be reviewed annually, or more frequently in the event of any legislative or regulatory changes.


14 Awareness of this policy will be included in induction training for all those new to working for and on behalf of the NMC, and will be included as appropriate on refresher training courses. In addition, all those working for and on behalf of the NMC will receive mandatory regular data protection training
15 Full copies of this and other policies and guidelines are available in the NMC's document management system and corporate intranet.
16 All those working for or on behalf of the NMC are required to comply with this policy.
17 Any alleged breach of this policy may result in an investigation which may result in action being taken by the NMC up to and including dismissal; removal from office; or, termination of a contract for services. The NMC will cooperate with law enforcement authorities if a criminal violation is suspected, and it reserves the right to claim compensation from the individual(s) through normal lawful processes in the event that the NMC suffers damage.
18 Section 55(1) of the Data Protection Act 1998 states that:
“It is an offence for a person, knowingly or recklessly, without the consent of the data controller to:

  • obtain or disclose personal data or the information contained in personal data, or
  • procure the disclosure to another person of the information contained in personal data.”

Definitions of personal data and sensitive personal data used within the Data Protection Act 1998

Personal data

19 Personal data is information which relates to a living individual who can be identified:
19.1 from that data
19.2 from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and
19.3 includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data

20 Sensitive personal data is personal data which consists of data related to the data subject’s racial or ethic origin political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the commission of offences or criminal proceedings.

Policy statements

The data protection principles

21 All those working for and on behalf of the NMC must comply with the data protection principles enshrined in the act which state that personal data must be:
21.1 processed fairly and lawfully
21.2 only obtained for specified and lawful purposes and not processed in a manner incompatible with those purposes
21.3 adequate, relevant and not excessive in relation to the purposes for which it is held
21.4 accurate and, where necessary, kept up to date
21.5 kept for only as long as is necessary
21.6 processed in accordance with the rights of data subjects under the act, including the data subjects’ right of access and right to object to the processing of their data in certain circumstances
21.7 protected from unauthorised and unlawful processing; accidental loss, destruction or damage by having appropriate technical and organisational measures in place
21.8 only transferred outside the European Economic Area (EEA) where an adequate level of protection for the data can be ensured.

Processing and use of personal data

22 The NMC processes personal data about registrants, those working for and on behalf of the NMC, stakeholders, and other individuals, in order to fulfil its purpose and meet its legal obligations. Personal data will only be processed lawfully and fairly in order to fulfil NMC’s purpose and meet its legal obligations.
23 All those working for an on behalf of the NMC must follow NMC procedures relating to the processing and use of personal information.
24 The NMC will inform data subjects of the uses of their data in accordance with the requirements of the DPA.

Use of monitoring and surveillance technology

25 Any deployment of audio recording, video recording, CCTV or other monitoring and surveillance technologies will be in compliance with the DPA.

Right to access information and subject access requests

26 Anyone has the right to access personal data that is being held about them by the NMC.
27 Anyone wishing to exercise this right should make the request in writing to the Records Manager, Records and Archives department or complete and submit the online form on the NMC website.
28 Requests for personal information will be handled in accordance with the Data Protection Act 1998.

Complaints procedure

29 Anyone who considers that this policy has not been followed may make a complaint following NMC’s complaints procedure.

Data security

30 All users of personal information held by the NMC must comply with the ICT User policy and are responsible for ensuring that any personal information that they process is kept securely and is not disclosed in any form to any unauthorised third party.
31 Where personal information is protectively marked, the processing of that information must be in accordance with any NMC policy and procedures for the processing of protectively marked information.
32 NMC will seek to ensure that all data that has been authorised to be sent off site is encrypted.

Data sharing

33 Any sharing of personal data with external third parties must comply with any NMC data sharing policy and procedures.

Incident reporting

34 All those working for and on behalf of the NMC must report any information security incident which involves the loss or potential loss or the unauthorised disclosure of personal information by following the appropriate incident reporting procedures.


Information about an individual which:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose
  • is recorded with the intention that it should be processed by means of such equipment
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Data controller

Data controller A person who either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed. The term comprises not only individuals but also organisations such as companies and other corporate bodies of persons
Data processor Any person, other than an employee of the data controller, who processes the data on behalf of the data controller
Data protection coordinator The senior person in an organisation who has responsibility for data protection
Data subject Any living individual who is the subject of personal data
Processing Any operation or set of operations performed upon personal data, whether or not by automatic means. These include collecting, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
Relevant filing system Any set of manual information relating to individuals, which is structured, either by reference to individuals or by reference to criteria relating to individuals, (that is their name or identifying code number) in such a way that specific information relating to a particular individual is readily accessible

Updated October 2011


Created date :
Modified date :