Why is GDPR Important to Care Homes?
The Data Protection Act is being replaced by the General Data Protection Regulation (GDPR), EU legislation which will come into force on 25th May 2018. Compliance with GDPR will ensure further protection of the sensitive and personal data of residents, held within their care plans, and of the staff employed in the care home. GDPR also introduces strong penalties for data breaches, and breaches will cause reputational damage.
Making sure their policies comply with the General Data Protection Regulation and registering with the Information Commissioner's Office (ICO) ought to be a priority for all care establishments.
What are the GDPR Principles?
Personal Data should be:
- Processed lawfully, fairly and in a transparent manner.
Lawfully – processing must be done in line with the requirements within the legislation, and any regulatory or contractual requirements, and any duty of confidentiality.
Fairly – there must be a legitimate reason for collecting and using the data; be transparent about how the data is to be used, handle the data in a way that would be reasonably expected, and do not use it in ways which would have an adverse effect on the individual.
- Collected for specific, explicit and legitimate purposes.
This is to ensure that the reasons for obtaining personal data are obvious and that what is done with the information is in line with the reasonable expectations of the individuals concerned. If an organisation intends to use the data it holds for purposes other than those for which it was collected, it should inform the individuals concerned.
- Adequate, relevant and limited to what is necessary.
Adequate – having enough information to fulfil the purpose(s) for which it was obtained.
Relevant – justification is on a case-by-case basis.
Not excessive – data minimisation – consideration should be given to the type of data collected, how much is held, and how long it should be retained.
- Accurate and, where necessary, kept up to date.
Accurate – data will be inaccurate if it is incorrect or misleading as to any ‘matter of fact’.
Data must be kept up to date – however, it may become inaccurate over time. There is some expectation on individuals to inform the organisation when information held about them has changed.
Opinions about individuals are personal data. However, generally, opinions cannot be challenged under the 4th principle. Opinions should be recorded as such and put in context where appropriate.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which those data are processed.
There are statutory requirements to retain some information and those guidelines should be followed. The 5th principle is there to prevent retention of personal data without good reason. Any deletion of personal information must be done securely.
- Processed in a manner that ensures appropriate security of the personal data.
Personal data must be processed in line with the data subject’s rights:
- The right to know who will see and use their personal data
- The right to know why their data is being collected and what it will be used for
- The right to have copies of ALL their personal data that is being processed or held
- The right to have any codes or jargon within provided copies of their personal data explained to them
- Personal Information must be secure.
There ought to be appropriate technical and organisational measures in place to protect the personal data that is handled.
Rights for Individuals Under GDPR
- Subject access
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To prevent automated decision-making and profiling
- Data portability
How can Care Homes Comply with GDPR?
Data Protection Impact Assessments (DPIAs) can help to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy.
A DPIA considers the risk of harm arising through use or misuse of personal information. Some of the ways this risk can arise are through personal information being:
- Inaccurate, insufficient, or out of date
- Excessive or irrelevant
- Kept for too long
- Disclosed to individuals without consent from, or knowledge of, the data subject
- Used in ways that are unacceptable to, or unexpected by, the data subject
- Not kept securely
The outcome of a DPIA should be a minimisation of privacy risk.
The DPIA includes the following steps:
- Identifies the need for a DPIA
- Describes how information flows
- Identifies the privacy and related risks
- Identifies and evaluates the privacy solutions
- Records the DPIA outcomes
- Integrates the outcomes into a project plan
- Consults with internal and external stakeholders as needed throughout the process
Where is your data, how is it managed and how is it protected?
It is wise to appoint a responsible person for data protection who does some research and training. Make sure all staff receive training in GDPR and fully understand the need for confidentiality at all times.
What Happens When Things go Wrong?
Sometimes things do go wrong and breaches of security occur, i.e. the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In such instances, notification must be made to the supervisory authority within 72 hours. The notification will contain information as to whether there is likely to be a significant detrimental effect on individuals.
CareDocs and GDPR
Here at CareDocs, the protection of data is one of our prime concerns. Our care management system has been carefully designed to comply with the principles set by the EU regarding GDPR and to ensure that all information and records are safely secured.
Consent is obtained to retain personal data: CareDocs’ care plan assessments include specific questions that establish consent to keep personal data for the purposes of supporting an individual’s health and social care needs.
Access to personal data is restricted: CareDocs restricts access through an in-built security interface, and audit logs validate when care files have been accessed, added to or amended.
Data is secured through its entire lifecycle: All data for CareDocs is stored in encrypted format, ensuring that the data is secure from time of entry to eventual deletion/archiving.
Personal data that is no longer necessary or relevant is deleted: CareDocs has the facility to remove data concerning individuals after a specified period, and also to delete an individual’s personal data should consent be withdrawn.
Data collection is minimised: CareDocs only keeps personal information that is relevant to an individual’s health and social care needs, in their own best interests and for legal compliance.
For more information regarding how CareDocs can help your care establishment’s drive to ensure data protection compliance, please get in touch with a member of the CareDocs team today. One of our friendly members of staff will be more than happy to explain our innovative software and how it can help your care home’s drive to ensure you comply with the principles set out in the GDPR.