Restrictions and exclusions

7.—(1) Where a person is in possession of confidential patient information under these Regulations, he shall not process that information more than is necessary to achieve the purposes for which he is permitted to process that information under these Regulations and, in particular, he shall—

(a) so far as it is practical to do so, remove from the information any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed;

(b) not allow any person access to that information other than a person who, by virtue of his contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information may be processed;

(c) ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information;

(d) review at intervals not exceeding 12 months the need to process confidential patient information and the extent to which it is practicable to reduce the confidential patient information which is being processed;

(e) on request by any person or body, make available information on the steps taken to comply with these Regulations.

(2) No person shall process confidential patient information under these Regulations unless he is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(3) For the purposes of paragraph (2) “health professional” has the same meaning as in section 69(1) of the Data Protection Act 1998(1).