Data Protection Policy

1. Data Protection Policy

The processing of Personal Data in connection with the medinfo2001 congress will comply with the UK Data Protection Act 1998, which implements within the UK the requirements of the EC Data Protection Directive [EC/95/46]. The basic requirement is that the processing, both automated and manual, should comply with the following Data Protection Principles which require that Personal Data shall:

• be processed fairly and lawfully
• be obtained only for specified and lawful purposes, and not be
• processed in any incompatible manner
• be adequate, relevant and not excessive
• be accurate and, where necessary, kept up to date
• not be kept for longer than is necessary
• shall be processed in accordance with the rights of Data Subjects
• be protected by appropriate security measures
• not be transferred outside the EEA unless adequate level of data protection exist.
  

2. Data Controller

Although the medinfo2001 Congress is being organised by the Health Informatics section of the British Computer Society, it being is organised on behalf of the International Medical Informatics Association [IMIA] by the UK member of that Association. For practical purposes all communications, queries and Subject Access Requests which relate to Data Protection issues should be addressed to Barry Barber for action or response on behalf of the medinfo2001 Organising Committee. Since IMIA is established in Switzerland the actual Data Controller will be the British Computer Society and the BCS registration will be adjusted to cover these requirements.

3. Purposes of Data Processing

The object of the data processing is to facilitate and enhance the organisation of the medinfo2001 congress, which comprises scientific meetings, social events and commercial exhibitions and events. The core purposes of the processing are to:

• market and register participants, visitors and exhibitors
• administer the event for VIPs, "very important persons", chairpersons, speakers, presenters, delegates, exhibitors and exhibition visitors
• handle administration of bursaries, prizes and special needs of participants

Additional non-core purposes are as follows:

• provide participant information and marketing collateral material for various future initiatives of IMIA, its regional and national member bodies, the organisers of MEDINFO2004 and subsequent IMIA congresses
• to provide/sell lists of exhibition visitors and congress participants for the purposes of direct marketing within the context of Health Informatics
  

The Personal Data are obtained from:

• information supplied by interested individuals through multi-media on medinfo2001 enquiry cards and registration forms, both paper-based and web-enabled
• lists of delegates from previous conferences and exhibitions of IMIA and its regional and national member bodies
• lists of members of Health and Medical Informatics Societies
• Suggestions by interested persons about colleagues likely to be interested in the congress

Every effort is made to ensure that the information is accurate and up-to-date initially and all communications with individuals provide easy means of validating, correcting errors and up-dating information.

All data collection from registration and web enquiries are accompanied with integral Data Protection notification and an offer of detailed information on the medinfo2001 Data Protection Policy and the opportunity to opt in to non-core uses of Personal Data. Where data have not been obtained directly from the individual, the first communication offers the opportunity for the full exercise of Data Protection Rights.

5. Data Processing

All processing of Personal Data is by consent for the purposes listed above and under the control of the medinfo2001 Organising Committee. Individuals have the right to:-

• copies of their data
• correct their data
• prevent processing for direct marketing
• withdraw consent to processing with its consequential effects
• prevent non-core purpose disclosures and
• prevent trans-border disclosures outside the European Economic Area where there are inadequate Data Protection arrangements
  

6. Data Security

The security of the Personal Data processed by the medinfo2001 Organising Committee will be at the level of BS7799 although the organisation will not be certified to BS7799. As much of the communication as possible will be handled via e-mail and the medinfo2001 web site the concomitant risks of disclosure that such services imply where strong encryption is not warranted is accepted.

7. Trans-border Data Flows

Apart from the unintentional, and largely uncontrolled, data flows mentioned above Personal Data will only be transferred outside the EEA and any other countries with adequate Data Protection arrangements by consent or where required to action the requests of the individual concerned.

8. Information for Individuals about the medinfo2001 Data Protection Policy

The medinfo2001 web site will provide a basic Data Protection statement together with the opt-in arrangements and with easy access to the full Data Protection Policy. The paper applications forms will carry the same information. The medinfo2001 enquiry cards will be over-stamped to say that the information supplied will be subject to the Data Protection Act 1998. E-mails and other communications will carry a simplified Data Protection statement appropriate to the communication.

9. Data Protection Opt-in Arrangements

The words to be used for opt-in arrangements are:

I consent to my data being used for:

1. The core purposes of running medinfo2001, including any necessary trans-border disclosures.
2. Various British Computer Society's national and international initiatives in Health Informatics, including trans-border disclosures.
3. Direct marketing in Health Informatics whether disclosed or sold and including trans-border disclosures.

Last Checked On 31st January 2001