PART 4Inspections and supplementary matters

Information management20

1

The records maintained by a designated body in respect of inspections, complaints, untoward incidents and other concerns, and the response to them, may be kept in paper or electronic format, and the accountable officer (CDAO) of that body must ensure that the information in those records is only accessible to—

a

the CDAO; and

b

persons who the CDAO is satisfied—

i

should have access to the information on a need-to-know basis, and

ii

fully understand the confidential nature of the information and the purposes for which they are being permitted access to it.

2

Where by virtue of Part 3 a responsible body (RB1) receives information from another responsible body, that information must only be processed by RB1 in so far as is necessary for the purposes of—

a

the identification of cases in which action may need to be taken in respect of matters arising in relation to the management or use of controlled drugs;

b

the consideration of issues relating to the taking of action in respect of such matters; and

c

the taking of action in respect of such matters,

and RB1 must ensure that appropriate measures are taken by it to prevent unauthorised processing of the information.

3

Those measures must include limiting access to the information to persons—

a

on a need-to-know basis; and

b

who fully understand the confidential nature of the information and the purposes for which they are being permitted access to it.

F14

Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.

5

Nothing in these Regulations requires, or is to be treated as requiring, any disclosure which—

a

is prohibited by or under any enactment F2or theF3UK GDPR (taking into account the effect of paragraph (4));

b

would prejudice or would be likely to prejudice—

i

any investigation being conducted by any responsible body under any enactment F2or theF3UK GDPR,

ii

a regular or reserve force's arrangements for service discipline, or

iii

any civil or criminal proceedings; or

c

would involve disproportionate cost.

6

Civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person as a result of disclosure of information under these Regulations if it is done in good faith and there are reasonable grounds for doing it.

F47

In this regulation, “personal data” and “the UK GDPR” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (10) and (14) of that Act).